fix issue with null values in DNS data #104

Merged
merged 1 commit into from
Mar 27, 2023
4 changes: 2 additions & 2 deletions input/input_stdin.go
@@ -1,7 +1,7 @@
package input

// DCSO FEVER
// Copyright (c) 2020, DCSO GmbH
// Copyright (c) 2020, 2023, DCSO GmbH

import (
"bufio"
@@ -14,7 +14,7 @@ import (
log "github.com/sirupsen/logrus"
)

// StdinInput is an Input reading JSON EVE input from a Unix socket.
// StdinInput is an Input reading JSON EVE input from standard input.
type StdinInput struct {
EventChan chan types.Entry
Verbose bool
82 changes: 51 additions & 31 deletions util/util.go
@@ -1,13 +1,14 @@
package util

// DCSO FEVER
// Copyright (c) 2017, 2018, 2020, DCSO GmbH
// Copyright (c) 2017, 2023, DCSO GmbH

import (
"bytes"
"crypto/tls"
"crypto/x509"
"encoding/json"
"fmt"
"io/ioutil"
"math/rand"
"os"
@@ -71,7 +72,7 @@ func ParseJSON(json []byte) (e types.Entry, parseerr error) {
return
}
if err != nil {
parseerr = err
parseerr = fmt.Errorf("%d: %w", idx, err)
return
}
// skip null fields; these will not be handled by the low-level
@@ -83,23 +84,23 @@ func ParseJSON(json []byte) (e types.Entry, parseerr error) {
case 0:
e.EventType, err = jsonparser.ParseString(value)
if err != nil {
parseerr = err
parseerr = fmt.Errorf("%d: %w", idx, err)
return
}
case 1:
e.SrcIP = string(value[:])
case 2:
e.SrcPort, err = jsonparser.ParseInt(value)
if err != nil {
parseerr = err
parseerr = fmt.Errorf("%d: %w", idx, err)
return
}
case 3:
e.DestIP = string(value[:])
case 4:
e.DestPort, err = jsonparser.ParseInt(value)
if err != nil {
parseerr = err
parseerr = fmt.Errorf("%d: %w", idx, err)
return
}
case 5:
@@ -109,85 +110,85 @@ func ParseJSON(json []byte) (e types.Entry, parseerr error) {
case 7:
e.BytesToClient, err = jsonparser.ParseInt(value)
if err != nil {
parseerr = err
parseerr = fmt.Errorf("%d: %w", idx, err)
return
}
case 8:
e.BytesToServer, err = jsonparser.ParseInt(value)
if err != nil {
parseerr = err
parseerr = fmt.Errorf("%d: %w", idx, err)
return
}
case 9:
e.HTTPHost, err = jsonparser.ParseString(value)
if err != nil {
parseerr = err
parseerr = fmt.Errorf("%d: %w", idx, err)
return
}
case 10:
e.HTTPUrl, err = jsonparser.ParseString(value)
if err != nil {
parseerr = err
parseerr = fmt.Errorf("%d: %w", idx, err)
return
}
case 11:
e.HTTPMethod, err = jsonparser.ParseString(value)
if err != nil {
parseerr = err
parseerr = fmt.Errorf("%d: %w", idx, err)
return
}
case 12:
e.DNSRRName, err = jsonparser.ParseString(value)
if err != nil {
parseerr = err
parseerr = fmt.Errorf("%d: %w", idx, err)
return
}
case 13:
e.PktsToClient, err = jsonparser.ParseInt(value)
if err != nil {
parseerr = err
parseerr = fmt.Errorf("%d: %w", idx, err)
return
}
case 14:
e.PktsToServer, err = jsonparser.ParseInt(value)
if err != nil {
parseerr = err
parseerr = fmt.Errorf("%d: %w", idx, err)
return
}
case 15:
e.DNSRCode, err = jsonparser.ParseString(value)
if err != nil {
parseerr = err
parseerr = fmt.Errorf("%d: %w", idx, err)
return
}
case 16:
e.DNSRData, err = jsonparser.ParseString(value)
if err != nil {
parseerr = err
parseerr = fmt.Errorf("%d: %w", idx, err)
return
}
case 17:
e.DNSRRType, err = jsonparser.ParseString(value)
if err != nil {
parseerr = err
parseerr = fmt.Errorf("%d: %w", idx, err)
return
}
case 18:
e.DNSType, err = jsonparser.ParseString(value)
if err != nil {
parseerr = err
parseerr = fmt.Errorf("%d: %w", idx, err)
return
}
case 19:
e.TLSSNI, err = jsonparser.ParseString(value)
if err != nil {
parseerr = err
parseerr = fmt.Errorf("%d: %w", idx, err)
return
}
case 20:
e.DNSVersion, err = jsonparser.ParseInt(value)
if err != nil {
parseerr = err
parseerr = fmt.Errorf("%d: %w", idx, err)
return
}
case 21:
@@ -200,25 +201,44 @@ func ParseJSON(json []byte) (e types.Entry, parseerr error) {
return
}
if err != nil {
parseerr = err
parseerr = fmt.Errorf("%d: %w", idx, err)
return
}
if bytes.Equal(mvalue, []byte("null")) {
return
}
rdata, merr = jsonparser.GetString(mvalue, "rdata")
if merr != nil {
if merr != jsonparser.KeyPathNotFoundError {
parseerr = merr
return
// We do not want to report errors caused by the
// parser not being able to parse "null" values.
// In this case it would report the message
// "Value is not a string: null".
if !strings.Contains(merr.Error(), "null") {
parseerr = merr
return
}
}
}
rrname, merr = jsonparser.GetString(mvalue, "rrname")
if merr != nil {
parseerr = merr
return
if merr != jsonparser.KeyPathNotFoundError {
// See above.
if !strings.Contains(merr.Error(), "null") {
parseerr = merr
return
}
}
}
rrtype, merr = jsonparser.GetString(mvalue, "rrtype")
if merr != nil {
parseerr = merr
return
if merr != jsonparser.KeyPathNotFoundError {
// See above.
if !strings.Contains(merr.Error(), "null") {
parseerr = merr
return
}
}
}
dnsa := types.DNSAnswer{
DNSRCode: e.DNSRCode,
@@ -230,31 +250,31 @@ func ParseJSON(json []byte) (e types.Entry, parseerr error) {
})
}
if err != nil {
parseerr = err
parseerr = fmt.Errorf("%d: %w", idx, err)
return
}
case 22:
e.FlowID, err = jsonparser.ParseString(value)
if err != nil {
parseerr = err
parseerr = fmt.Errorf("%d: %w", idx, err)
return
}
case 23:
e.Iface, err = jsonparser.ParseString(value)
if err != nil {
parseerr = err
parseerr = fmt.Errorf("%d: %w", idx, err)
return
}
case 24:
e.AppProto, err = jsonparser.ParseString(value)
if err != nil {
parseerr = err
parseerr = fmt.Errorf("%d: %w", idx, err)
return
}
case 25:
e.TLSFingerprint, err = jsonparser.ParseString(value)
if err != nil {
parseerr = err
parseerr = fmt.Errorf("%d: %w", idx, err)
return
}
}
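Review bot: In the `@@ -200,25 +201,44 @@` hunk, the three `strings.Contains(merr.Error(), "null")` checks decide whether to drop a parse error by searching its message text, which is broader than the null case they are meant to cover. The in-code comment gives the message as "Value is not a string: null", so the library appears to append the raw value to the message; if so, any non-string `rdata`, `rrname` or `rrtype` whose text happens to contain `null` is also accepted silently and the answer is stored with an empty field. Because these fields originate from observed DNS traffic, I would test the value type instead: call `jsonparser.Get` and treat only `jsonparser.Null` and `jsonparser.KeyPathNotFoundError` as "absent", as in the helper below. That also removes the dependency on the library's error wording. The enclosing callback and `ParseJSON` itself start outside this hunk, and the `strings` import is not visible in the import hunk shown.

```go
// optString returns the string stored under key, or "" when the key is
// missing or its value is JSON null. Any other non-string value is an error.
func optString(data []byte, key string) (string, error) {
	v, t, _, err := jsonparser.Get(data, key)
	if err == jsonparser.KeyPathNotFoundError || (err == nil && t == jsonparser.Null) {
		return "", nil
	}
	if err != nil {
		return "", err
	}
	if t != jsonparser.String {
		return "", fmt.Errorf("%s: value is not a string", key)
	}
	return jsonparser.ParseString(v)
}

// … unchanged: null check on mvalue …
rdata, merr = optString(mvalue, "rdata")
if merr != nil {
	parseerr = merr
	return
}
// … same two-step pattern for "rrname" and "rrtype"; unchanged: types.DNSAnswer construction …
```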