[Oisf-devel] RFC: DNS app layer and logging (WIP)

Victor Julien victor at inliniac.net
Mon Apr 22 09:49:30 UTC 2013

Updated version:

On 04/04/2013 01:46 PM, Victor Julien wrote:
> Funded by Emerging Threats, I've been working on DNS app layer parsing.
> It's work in progress. Have a look at:
> https://github.com/inliniac/suricata/tree/dev-dns-parser
> It adds 2 app layer parsers: "dnsudp" and "dnstcp". It also adds a DNS
> logging module.
> Some noteworthy things:
> - both only have a probing parser as I was unable to identify any fixed
> strings to recognize the protocol on
> - only port 53 is currently inspected
> Some hacks/doubts:
> - the logging output is quite verbose as each record (NS, A, SOA, etc)
> is printed on a separate line
> - to support "alert dns" I had to hard code some mappings between dns
> and dnsudp/dnstcp [1], need a better solution that we can also apply to
> - it seems that when we only use a probing parser, we're not registering
> the protocol name [2]
> - if we're alerting in UDP app layer, some output modules get confused
> as StreamSegmentForEach is called, but thats meant for TCP. Hacked
> around it, but need a better solution. Affected are unified2 and prelude
> at least.

Fixed this in master.

> - app layer events won't work correctly with UDP it seems. They alert,
> but then keep on alerting in consecutive packets. Need to look into it.
> - memory management is suboptimal, alloc's are being done on a per
> record basis and for TCP we alloc a 64k buffer to "reassemble" the full
> record before parsing. Probably need pools here.
> So... work in progress, but comments are welcome. Also in github
> per-line review style.

Added a detection engine and keyword:

- content modifier "dns_query" that matches on the DNS query name
- added /F pcre option to match on the same

MPM/fast_pattern support still missing at this point.

Again, comments, review, etc welcome.

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc

More information about the Oisf-devel mailing list