dns: add keywords for additionals and authorities names

Add keywords dns.additionals.name and dns.authorities.name. Along the way, consolidate dns.query.name and dns.answer.name into a single file and register them altogether since there is a lot of common code.
jasonish · Feb 19, 2025 · 667424f · 667424f
1 parent 658131c
commit 667424f
Show file tree

Hide file tree

Showing 9 changed files with 198 additions and 236 deletions.
diff --git a/doc/userguide/rules/dns-keywords.rst b/doc/userguide/rules/dns-keywords.rst
@@ -7,22 +7,6 @@ matching on specific fields in DNS messages.
 Note that sticky buffers are expected to be followed by one or more
 :doc:`payload-keywords`.
 
-dns.answer.name
----------------
-
-``dns.answer.name`` is a sticky buffer that is used to look at the
-name field in DNS answer resource records.
-
-``dns.answer.name`` will look at both requests and responses, so
-``flow`` is recommended to confine to a specific direction.
-
-The buffer being matched on contains the complete re-assembled
-resource name, for example "www.suricata.io".
-
-``dns.answer.name`` supports :doc:`multi-buffer-matching`.
-
-``dns.answer.name`` was introduced in Suricata 8.0.0.
-
 dns.opcode
 ----------
 
@@ -177,6 +161,54 @@ resource name, for example "www.suricata.io".
 
 ``dns.query.name`` was introduced in Suricata 8.0.0.
 
+dns.answer.name
+---------------
+
+``dns.answer.name`` is a sticky buffer that is used to look at the
+name field in DNS answer resource records.
+
+``dns.answer.name`` will look at both requests and responses, so
+``flow`` is recommended to confine to a specific direction.
+
+The buffer being matched on contains the complete re-assembled
+resource name, for example "www.suricata.io".
+
+``dns.answer.name`` supports :doc:`multi-buffer-matching`.
+
+``dns.answer.name`` was introduced in Suricata 8.0.0.
+
+dns.authorities.rrname
+----------------------
+
+``dns.authorities.rrname`` is a sticky buffer that is used to look at the
+rrname field in DNS authority resource records.
+
+``dns.authorities.rrname`` will look at both requests and responses,
+so ``flow`` is recommended to confine to a specific direction.
+
+The buffer being matched on contains the complete re-assembled
+resource name, for example "www.suricata.io".
+
+``dns.authorities.rrname`` supports :doc:`multi-buffer-matching`.
+
+``dns.authorities.rrname`` was introduced in Suricata 8.0.0.
+
+dns.additionals.rrname
+----------------------
+
+``dns.additionals.rrname`` is a sticky buffer that is used to look at
+the rrname field in DNS additional resource records.
+
+``dns.additionals.rrname`` will look at both requests and responses,
+so ``flow`` is recommended to confine to a specific direction.
+
+The buffer being matched on contains the complete re-assembled
+resource name, for example "www.suricata.io".
+
+``dns.additionals.rrname`` supports :doc:`multi-buffer-matching`.
+
+``dns.additionals.rrname`` was introduced in Suricata 8.0.0.
+
 dns.response.rrname
 -------------------
 

diff --git a/src/Makefile.am b/src/Makefile.am
@@ -112,13 +112,12 @@ noinst_HEADERS = \
 	detect-detection-filter.h \
 	detect-distance.h \
 	detect-dnp3.h \
-	detect-dns-answer-name.h \
+	detect-dns-name.h \
 	detect-dns-opcode.h \
 	detect-dns-rcode.h \
 	detect-dns-response.h \
 	detect-dns-rrtype.h \
 	detect-dns-query.h \
-	detect-dns-query-name.h \
 	detect-dsize.h \
 	detect-engine-address.h \
 	detect-engine-address-ipv4.h \
@@ -688,13 +687,12 @@ libsuricata_c_a_SOURCES = \
 	detect-detection-filter.c \
 	detect-distance.c \
 	detect-dnp3.c \
-	detect-dns-answer-name.c \
+	detect-dns-name.c \
 	detect-dns-opcode.c \
 	detect-dns-rcode.c \
 	detect-dns-response.c \
 	detect-dns-rrtype.c \
 	detect-dns-query.c \
-	detect-dns-query-name.c \
 	detect-dsize.c \
 	detect-engine-address.c \
 	detect-engine-address-ipv4.c \

diff --git a/src/detect-dns-answer-name.c b/src/detect-dns-answer-name.c
diff --git a/src/detect-dns-answer-name.h b/src/detect-dns-answer-name.h
diff --git a/src/detect-dns-name.c b/src/detect-dns-name.c
@@ -0,0 +1,142 @@
+/* Copyright (C) 2025 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * Detect keyword for DNS names:
+ * - dns.answer.name
+ * - dns.authorities.name
+ * - dns.additionals.name
+ */
+
+#include "detect.h"
+#include "detect-parse.h"
+#include "detect-engine.h"
+#include "detect-engine-content-inspection.h"
+#include "detect-engine-helper.h"
+#include "detect-dns-name.h"
+#include "rust.h"
+
+static int query_buffer_id = 0;
+static int answer_buffer_id = 0;
+static int authority_buffer_id = 0;
+static int additional_buffer_id = 0;
+
+static int DetectSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str, int id)
+{
+    if (DetectBufferSetActiveList(de_ctx, s, id) < 0) {
+        return -1;
+    }
+    if (DetectSignatureSetAppProto(s, ALPROTO_DNS) < 0) {
+        return -1;
+    }
+
+    return 0;
+}
+
+static int SetupQueryBuffer(DetectEngineCtx *de_ctx, Signature *s, const char *str)
+{
+    return DetectSetup(de_ctx, s, str, query_buffer_id);
+}
+
+static int SetupAnswerBuffer(DetectEngineCtx *de_ctx, Signature *s, const char *str)
+{
+    return DetectSetup(de_ctx, s, str, answer_buffer_id);
+}
+
+static int SetupAdditionalsBuffer(DetectEngineCtx *de_ctx, Signature *s, const char *str)
+{
+    return DetectSetup(de_ctx, s, str, additional_buffer_id);
+}
+
+static int SetupAuthoritiesBuffer(DetectEngineCtx *de_ctx, Signature *s, const char *str)
+{
+    return DetectSetup(de_ctx, s, str, authority_buffer_id);
+}
+
+static InspectionBuffer *GetBuffer(DetectEngineThreadCtx *det_ctx,
+        const DetectEngineTransforms *transforms, Flow *f, uint8_t flags, void *txv, int list_id,
+        uint32_t index)
+{
+    InspectionBuffer *buffer = InspectionBufferMultipleForListGet(det_ctx, list_id, index);
+    if (buffer == NULL) {
+        return NULL;
+    }
+    if (buffer->initialized) {
+        return buffer;
+    }
+
+    bool to_client = (flags & STREAM_TOSERVER) == 0;
+    const uint8_t *data = NULL;
+    uint32_t data_len = 0;
+
+    bool ok = false;
+    if (list_id == query_buffer_id) {
+        ok = SCDnsTxGetQueryName(txv, to_client, index, &data, &data_len);
+    } else if (list_id == answer_buffer_id) {
+        ok = SCDnsTxGetAnswerName(txv, to_client, index, &data, &data_len);
+    } else if (list_id == authority_buffer_id) {
+        ok = SCDnsTxGetAuthorityName(txv, index, &data, &data_len);
+    } else if (list_id == additional_buffer_id) {
+        ok = SCDnsTxGetAdditionalName(txv, index, &data, &data_len);
+    } else {
+        BUG_ON("invalid list id");
+    }
+
+    if (ok) {
+        InspectionBufferSetupMulti(buffer, transforms, data, data_len);
+        buffer->flags = DETECT_CI_FLAGS_SINGLE;
+        return buffer;
+    }
+
+    InspectionBufferSetupMultiEmpty(buffer);
+    return NULL;
+}
+
+static int Register(const char *keyword, const char *desc, const char *doc,
+        int (*Setup)(DetectEngineCtx *, Signature *, const char *))
+{
+    int keyword_id = SCDetectHelperNewKeywordId();
+    sigmatch_table[keyword_id].name = keyword;
+    sigmatch_table[keyword_id].desc = desc;
+    sigmatch_table[keyword_id].url = doc;
+    sigmatch_table[keyword_id].Setup = Setup;
+    sigmatch_table[keyword_id].flags |= SIGMATCH_NOOPT;
+    sigmatch_table[keyword_id].flags |= SIGMATCH_INFO_STICKY_BUFFER;
+
+    DetectAppLayerMultiRegister(keyword, ALPROTO_DNS, SIG_FLAG_TOSERVER, 0, GetBuffer, 2, 1);
+    DetectAppLayerMultiRegister(keyword, ALPROTO_DNS, SIG_FLAG_TOCLIENT, 0, GetBuffer, 2, 1);
+
+    DetectBufferTypeSetDescriptionByName(keyword, keyword);
+    DetectBufferTypeSupportsMultiInstance(keyword);
+
+    return DetectBufferTypeGetByName(keyword);
+}
+
+void DetectDnsNameRegister(void)
+{
+    query_buffer_id = Register("dns.query.name", "DNS query name sticky buffer",
+            "/rules/dns-keywords.html#dns-query-name", SetupQueryBuffer);
+    answer_buffer_id = Register("dns.answer.name", "DNS answer name sticky buffer",
+            "/rules/dns-keywords.html#dns-answer-name", SetupAnswerBuffer);
+    additional_buffer_id =
+            Register("dns.additionals.rrname", "DNS additionals rrname sticky buffer",
+                    "/rules/dns-keywords.html#dns-additionals-rrname", SetupAdditionalsBuffer);
+    authority_buffer_id = Register("dns.authorities.rrname", "DNS authorities rrname sticky buffer",
+            "/rules/dns-keywords.html#dns-authorities-rrname", SetupAuthoritiesBuffer);
+}
diff --git a/src/detect-dns-query-name.h → src/detect-dns-name.h b/src/detect-dns-query-name.h → src/detect-dns-name.h
@@ -15,9 +15,9 @@
  * 02110-1301, USA.
  */
 
-#ifndef SURICATA_DETECT_DNS_QUERY_NAME_H
-#define SURICATA_DETECT_DNS_QUERY_NAME_H
+#ifndef SURICATA_DETECT_DNS_NAME_H
+#define SURICATA_DETECT_DNS_NAME_H
 
-void DetectDnsQueryNameRegister(void);
+void DetectDnsNameRegister(void);
 
-#endif /* SURICATA_DETECT_DNS_QUERY_NAME_H */
+#endif /* SURICATA_DETECT_DNS_NAME_H */