dns: more keywords; plus some eve/keyword parity tooling - v6 #12652
Conversation
jasonish
requested review from
jufajardini,
victorjulien and
a team
as code owners
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #12652 +/- ##
==========================================
+ Coverage 80.77% 80.80% +0.02%
==========================================
Files 932 932
Lines 259517 259758 +241
==========================================
+ Hits 209629 209895 +266
+ Misses 49888 49863 -25
Flags with carried forward coverage won't be shown. Click here to find out more. |
Feature: 7012 Add dns.response sticky buffer to match on dns response fields. Add rust functions to return dns response packet data. Unit tests verifying signature matching.
Feature: 7012
This is a better name as the keyword is looking at all rrname type fields in the response.
These arrays are manually formatted for readability.
Make the function safe by returning a reference to the DNSName object, the unsafe C wrapper can do the conversion to pointers.
Split DetectHelperKeywordRegister into 2 functions, one for acquiring a new keyword ID, and another to perform the registration. This makes it easier to do the traditional C keyword initialization with a dynamic ID.
Add keywords dns.additionals.rrname and dns.authorities.rrname. Along the way, consolidate dns.query.name and dns.answer.name into a single file and register them altogether since there is a lot of common code.
Should have coverage by S-V now.
jasonish
force-pushed
the
ish/dns/feat-7012/v6
branch
from
b2b35ed to
762e73e
Compare
|
Information: QA ran without warnings. Pipeline 24853 |
|
Information: QA ran without warnings. Pipeline 24856 |
| "type": "integer" | ||
| "type": "integer", | ||
| "suricata": { | ||
| "keywords": false |
There was a problem hiding this comment.
Is it good to have this suricata.keyword that can either be a boolean or an array ?
There was a problem hiding this comment.
I'm ok with it, unless its going into something the hardcodes a schema based on whats first seen., so not in eve. Prevents conflict with another field as well..
"keywords": ["one", "two"],
"no-keywords": "true",
| SCFree(ptr); | ||
| } | ||
|
|
||
| static int DetectDnsResponsePrefilterMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, |
There was a problem hiding this comment.
Why do we need a specific stuff here ?
Do not we get prefilter for all sticky buffers from the generic engine ?
There was a problem hiding this comment.
Do not we get prefilter for all sticky buffers from the generic engine ?
Are you asking? If so, I'm not sure.
| InspectionBuffer *buffer = | ||
| GetBuffer(det_ctx, flags, transforms, txv, &cbdata, engine->sm_list, false); | ||
| if (buffer == NULL || buffer->inspect == NULL) { | ||
| local_id++; |
There was a problem hiding this comment.
Do we need local_id++ if we break right after ?
There was a problem hiding this comment.
Nevermind, we're only breaking the inner loop, its still needed by the outer loop.
|
Replaced by #12664 |
This PR builds on #12500 and also adds the following keywords:
dns.additionals.rrnamedns.authorities.rrnameIt builds on dns: add keyword for dns.response.rrname (feat 7012) - v2 #12500 and it uses functions introduced as part of the work for
dns.response.rrname.To provide consistency and better eve parity the following keywords were renamed:
dns.query.rrname->dns.queries.rrnamedns.answer.rrname->dns.answers.rrnameAnd finally, as using DNS as a test protocol for parity, try some tooling for eve parity.
For example,
./scripts/eve-parity.py mapped-keywords:and
./scripts/eve-parity.py unmapped-fields | grep dns:and new in this version:
unmapped-keywordsto show known keywords that arenot mapped in the eve.json.
Other changes:
SV_BRANCH=OISF/suricata-verify#2311