dns: add dns.rcode keyword v6 #10233
Conversation
hadiqaalamdar
requested review from
jasonish,
jufajardini and
victorjulien
as code owners
Feature OISF#6621 It matches the rcode field in DNS It's an unsigned integer match valid ranges = [0-23] Does not support prefilter Supports flow in client direction
hadiqaalamdar
force-pushed
the
detect-dns-rcode-6621-v6
branch
from
97cd65b to
a122126
Compare
Codecov ReportAttention:
Additional details and impacted files@@ Coverage Diff @@
## master #10233 +/- ##
==========================================
+ Coverage 82.18% 82.22% +0.03%
==========================================
Files 977 978 +1
Lines 271894 272014 +120
==========================================
+ Hits 223465 223657 +192
+ Misses 48429 48357 -72
Flags with carried forward coverage won't be shown. Click here to find out more. |
| @@ -39,6 +39,7 @@ pub enum DetectUintMode { | |||
|
|
|||
| #[derive(Debug)] | |||
| #[repr(C)] | |||
| #[derive(PartialEq)] | |||
There was a problem hiding this comment.
You can merge lines like #[derive(Debug, PartialEq)]
| arg1: 4, | ||
| arg2: 0, | ||
| }, | ||
| (0b0000_0000_0000_0100 & 0xf) as u8, |
There was a problem hiding this comment.
Strange way to write 4
There was a problem hiding this comment.
should I remove this or change it to this (0b0000_0000_0000_0100) as u8,? The opcode code had something similar so that's why I wrote it like this.
There was a problem hiding this comment.
opcode did this because there was some bits shifting.
4u8 should be more readable
| return 0; | ||
| } | ||
| } else { | ||
| // Not to server or to client?? |
There was a problem hiding this comment.
You can assume this never happens (so else instead of else if flags & Direction::ToClient as u8 != 0)
| return 0; | ||
| }; | ||
|
|
||
| let rcode = (header_flags & 0xf) as u8; |
There was a problem hiding this comment.
@jasonish should we use tx.rcode() here ?
There was a problem hiding this comment.
And @hadiqaalamdar how can this be 23 ? cf commit message saying valid ranges = [0-23]
There was a problem hiding this comment.
@jasonish should we use
tx.rcode()here ?
That won't get you the rcode for a request, even if its odd to do so. Could extend it to, or just leave this as is for now.
There was a problem hiding this comment.
I'm sorry but I'm a bit confused. Please let me know if I should change something here?
There was a problem hiding this comment.
@jasonish is the owner of DNS knowledge and he said
just leave this as is for now.
|
|
||
| Match on DNS requests where the **rcode** is not between 7 and 15: | ||
|
|
||
| dns.rcode:!7-15; |
There was a problem hiding this comment.
This is not yet the case, and out of the scope of this PR I think
| sigmatch_table[DETECT_AL_DNS_RCODE].AppLayerTxMatch = DetectDnsRcodeMatch; | ||
|
|
||
| DetectAppLayerInspectEngineRegister( | ||
| "dns.rcode", ALPROTO_DNS, SIG_FLAG_TOSERVER, 0, DetectEngineInspectGenericList, NULL); |
There was a problem hiding this comment.
Why does the commit message say Supports flow in client direction ?
There was a problem hiding this comment.
Please correct me if I'm wrong but I think that while creating SV tests for dns rcode, someone had suggested that rcode is only sent in the client direction. If my understanding is correct should I remove "dns.rcode", ALPROTO_DNS, SIG_FLAG_TOSERVER, 0, DetectEngineInspectGenericList, NULL);?
There was a problem hiding this comment.
Please correct me if I'm wrong but I think that while creating SV tests for dns rcode, someone had suggested that rcode is only sent in the client direction. If my understanding is correct should I remove
"dns.rcode", ALPROTO_DNS, SIG_FLAG_TOSERVER, 0, DetectEngineInspectGenericList, NULL);?
That someone was me.
But Jason Ish, owner of DNS knowledge, said this keyword should work both ways.
To, the code is correct, but the commit message is not
| /* Copyright (C) 2019 Open Information Security Foundation | ||
| /* Copyright (C) 2024 Open Information Security Foundation |
There was a problem hiding this comment.
When updating copyright years for existing files, we keep the initial year, like so, in this case:
2019-2024
|
New PR: #10249 |
Feature #6621
Link to redmine ticket: https://redmine.openinfosecfoundation.org/issues/6621
Previous PR: #10203
Describe changes:
DetectUintData<u8>instead of simple u8doc/userguide/rules/dns-keywords.rstfile.SV_BRANCH=OISF/suricata-verify#1578