[Oisf-devel] RFC: DNS app layer and logging (WIP)

Victor Julien victor at inliniac.net
Tue Apr 23 16:03:42 UTC 2013


On 04/22/2013 11:49 AM, Victor Julien wrote:
> Updated version:
> https://github.com/inliniac/suricata/tree/dev-dns-parser-v1.1
> 
> On 04/04/2013 01:46 PM, Victor Julien wrote:
>> Funded by Emerging Threats, I've been working on DNS app layer parsing.
>> It's work in progress. Have a look at:
>> https://github.com/inliniac/suricata/tree/dev-dns-parser
>>
>> It adds 2 app layer parsers: "dnsudp" and "dnstcp". It also adds a DNS
>> logging module.
>>
>>
>> Some noteworthy things:
>>
>> - both only have a probing parser as I was unable to identify any fixed
>> strings to recognize the protocol on
>>
>> - only port 53 is currently inspected
>>
>>
>> Some hacks/doubts:
>>
>> - the logging output is quite verbose as each record (NS, A, SOA, etc)
>> is printed on a separate line
>>
>> - to support "alert dns" I had to hard code some mappings between dns
>> and dnsudp/dnstcp [1], need a better solution that we can also apply to
>> DCERPC
>>
>> - it seems that when we only use a probing parser, we're not registering
>> the protocol name [2]
>>
>> - if we're alerting in UDP app layer, some output modules get confused
>> as StreamSegmentForEach is called, but that's meant for TCP. Hacked
>> around it, but need a better solution. Affected are unified2 and prelude
>> at least.
> 
> Fixed this in master.
> 
>> - app layer events won't work correctly with UDP it seems. They alert,
>> but then keep on alerting in consecutive packets. Need to look into it.
>>
>> - memory management is suboptimal, allocs are being done on a per
>> record basis and for TCP we alloc a 64k buffer to "reassemble" the full
>> record before parsing. Probably need pools here.
>>
>>
>> So... work in progress, but comments are welcome. Also in github
>> per-line review style.
> 
> Added a detection engine and keyword:
> 
> - content modifier "dns_query" that matches on the DNS query name
> - added /F pcre option to match on the same
> 
> MPM/fast_pattern support still missing at this point.
> 
> Again, comments, review, etc welcome.
> 

Updated: https://github.com/inliniac/suricata/tree/dev-dns-parser-v1.2

Adds MPM/fast_pattern support for dns_query, fixes small issues.

Again, comments, review, etc welcome.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
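Added example, not code from the Suricata tree or from the dev-dns-parser branches above: a minimal C sketch of the two pieces the thread discusses, a probing parser (DNS has no fixed magic, so the check is header sanity plus "does the first question parse") and extraction of the question name as the buffer a dns_query-style content match would inspect. The TCP variant peels the 2-byte length prefix so a caller can buffer exactly one record rather than a fixed 64k. Function names, the sample messages and the opcode/Z-bit checks are my own assumptions; the messages are constructed by hand.

```c
#include <ctype.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DNS_HDR_LEN 12
#define DNS_MAX_NAME 255

/* Read a big-endian 16-bit field. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse the QNAME at 'off' into dotted form in 'out'. Returns the offset just
 * past the name, or -1 if malformed. Compression pointers are rejected in the
 * question section: a question name has nothing earlier to point at, and
 * following pointers here is how parsers get looped or read out of bounds. */
static int dns_parse_qname(const uint8_t *buf, size_t len, size_t off,
                           char *out, size_t outlen)
{
    size_t o = 0;
    for (;;) {
        if (off >= len) return -1;
        uint8_t l = buf[off++];
        if (l == 0) break;
        if (l & 0xC0) return -1;            /* pointer / reserved label type */
        if (off + l > len) return -1;       /* label runs past the payload  */
        if (o + l + 1 >= outlen) return -1; /* no room for '.' + label + NUL */
        if (o + l + 1 > DNS_MAX_NAME) return -1;
        if (o) out[o++] = '.';
        memcpy(out + o, buf + off, l);
        o += l;
        off += l;
    }
    out[o] = '\0';
    return (int)off;
}

/* Probing parser for UDP payloads: 1 if 'buf' plausibly is DNS, else 0. */
int dns_probe(const uint8_t *buf, size_t len)
{
    if (len < DNS_HDR_LEN) return 0;
    uint16_t flags = rd16(buf + 2);
    uint16_t qdcount = rd16(buf + 4);
    if (((flags >> 11) & 0x0F) > 6) return 0;      /* opcodes 0..6 are assigned */
    if (flags & 0x0040) return 0;                  /* Z bit must be zero        */
    if (qdcount == 0) return (flags & 0x8000) != 0; /* only a response may lack a question */
    char name[DNS_MAX_NAME + 1];
    int end = dns_parse_qname(buf, len, DNS_HDR_LEN, name, sizeof name);
    if (end < 0) return 0;
    return (size_t)end + 4 <= len;                 /* QTYPE + QCLASS must fit  */
}

/* Over TCP: peel the 2-byte length prefix, then probe the enclosed message.
 * Returns bytes consumed (prefix + message) for a complete plausible record,
 * 0 if more data is needed, -1 if the record is not DNS. */
int dns_tcp_probe(const uint8_t *buf, size_t len)
{
    if (len < 2) return 0;
    size_t rl = rd16(buf);
    if (len < 2 + rl) return 0;
    return dns_probe(buf + 2, rl) ? (int)(2 + rl) : -1;
}

/* First question's name in dotted form, the buffer a dns_query match sees. */
int dns_query_name(const uint8_t *buf, size_t len, char *out, size_t outlen)
{
    if (len < DNS_HDR_LEN || rd16(buf + 4) == 0) return -1;
    int end = dns_parse_qname(buf, len, DNS_HDR_LEN, out, outlen);
    return (end < 0 || (size_t)end + 4 > len) ? -1 : 0;
}

/* Case-insensitive substring match on the query name, like a nocase content. */
int dns_query_match(const uint8_t *buf, size_t len, const char *needle)
{
    char name[DNS_MAX_NAME + 1];
    if (dns_query_name(buf, len, name, sizeof name) != 0) return 0;
    size_t n = strlen(needle), m = strlen(name);
    for (size_t i = 0; i + n <= m; i++) {
        size_t j = 0;
        while (j < n && tolower((unsigned char)name[i + j]) == tolower((unsigned char)needle[j])) j++;
        if (j == n) return 1;
    }
    return 0;
}

/* Constructed sample: standard query for www.example.com, type A, class IN. */
static const uint8_t kQuery[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x01, 0x00, 0x01
};
/* Same message behind a TCP length prefix (33 bytes). */
static const uint8_t kTcpQuery[] = {
    0x00, 0x21,
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x01, 0x00, 0x01
};
/* Constructed malformed inputs: a label length past the end of the payload,
 * and a compression pointer where a question name must be. */
static const uint8_t kBad[] = { 0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0, 0x3f, 'a' };
static const uint8_t kPtr[] = { 0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0, 0xC0, 0x0C, 0, 1, 0, 1 };

int main(void)
{
    char name[DNS_MAX_NAME + 1];
    printf("udp probe=%d tcp probe=%d\n", dns_probe(kQuery, sizeof kQuery),
           dns_tcp_probe(kTcpQuery, sizeof kTcpQuery));
    if (dns_query_name(kQuery, sizeof kQuery, name, sizeof name) == 0)
        printf("qname=%s match=%d\n", name, dns_query_match(kQuery, sizeof kQuery, "example.com"));
    printf("bad=%d ptr=%d\n", dns_probe(kBad, sizeof kBad), dns_probe(kPtr, sizeof kPtr));
    return 0;
}
```

The probe deliberately treats "no fixed strings" as a reason to validate structure rather than to accept anything on port 53: every label length is checked against both the payload and the 255-byte name limit before a byte is copied, which is the check a per-record allocator or a fixed 64k reassembly buffer does not give you for free.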