[Oisf-devel] Application Layer & DNS

Anoop Saldanha anoopsaldanha at gmail.com
Wed Jan 9 06:41:55 UTC 2013

On Tue, Jan 8, 2013 at 12:01 AM, Carl Soeder <csoeder at bbn.com> wrote:
> Hi,
> I want to add the capability for Suricata to check various fields in the
> content of a DNS packet such as invalid query class, invlaid query type,
> invalid response class, invlaid response type, time-to-live of cached RR
> below a certain threshold, invalid label character, …
> It seems the right way to do this may be to add an application layer module.
> Would you agree?

Yes.  An app layer parser for dns, like the one we have for http, smb,
smtp, tls, etc.

> I couldn’t find documentation about application layer modules on the web
> site. Is there any available?

Not sure if there are any.  But you can start by picking up one of the
protocols and see how it's implemented.  The parser files for protocol
are named are app-layer-*.[ch].  That's a good place to start.

> It appears an application layer module is triggered by packet content. I got
> this impression by looking at calls to AplProtoAdd. Is this correct?

The app layer module is called by our stream engine for tcp and udp by
the packet payload.  The stream engine would supply the reassembled
ack'd data to the app module.
AlpProtoAdd is used for automatic protocol detetcion which uses
patterns to detect protocols against the stream, in this the
reassembled stream supplied by the stream engine.

> Is
> there a way to trigger an application layer module based on port?

Yes.  Have a look at SMBProbingParser under app-layer-smb.c.  You can
register a protocol detection function against a particular
port-direction combination.

Anoop Saldanha

More information about the Oisf-devel mailing list