Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

dns: improved handling of corrupt additionals #11746

Closed
wants to merge 1 commit into from
Closed

dns: improved handling of corrupt additionals #11746

wants to merge 1 commit into from

Conversation

catenacyber
Copy link
Contributor

Link to ticket: https://redmine.openinfosecfoundation.org/issues/
https://redmine.openinfosecfoundation.org/issues/7228

Describe changes:

  • dns: improved handling of corrupt additionals

Provide values to any of the below to override the defaults.

SV_BRANCH=OISF/suricata-verify#2032

@catenacyber
dns: improved handling of corrupt additionals
ce307a1 
Ticket: 7228

That means log the rest of queries and answers, even if the
final field additionals is corrupt.
Set an event in this case.
@catenacyber catenacyber requested review from jasonish and a team as code owners September 10, 2024 13:33
@victorjulien
Copy link
Member

Not sure I fully understand. Is this about logging a partial corrupt message?

@codecov Codecov
Copy link

codecov bot commented Sep 10, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 82.63%. Comparing base (79aa486) to head (ce307a1).

Additional details and impacted files 
@@           Coverage Diff           @@
##           master   #11746   +/-   ##
=======================================
  Coverage   82.63%   82.63%           
=======================================
  Files         919      919           
  Lines      248943   248951    +8     
=======================================
+ Hits       205716   205724    +8     
  Misses      43227    43227
Flag Coverage Δ
fuzzcorpus 60.86% <100.00%> (+<0.01%) ⬆️
livemode 18.72% <0.00%> (-0.04%) ⬇️
pcap 44.02% <88.88%> (-0.15%) ⬇️
suricata-verify 61.88% <88.88%> (+0.01%) ⬆️
unittests 59.01% <66.66%> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

@catenacyber
Copy link
Contributor Author

Is this about logging a partial corrupt message?

yes

@jasonish
Copy link
Member

Not sure I fully understand. Is this about logging a partial corrupt message?

If the "additionals" are corrupt, the whole message fails to parse, so the tx isn't logged at all. I think the idea here is that we should log what we can.

jasonish
jasonish reviewed Sep 10, 2024
View reviewed changes
rules/dns-events.rules
@@ -8,3 +8,4 @@ alert dns any any -> any any (msg:"SURICATA DNS Not a response"; flow:to_client;
# Z flag (reserved) not 0
alert dns any any -> any any (msg:"SURICATA DNS Z flag set"; app-layer-event:dns.z_flag_set; classtype:protocol-command-decode; sid:2240006; rev:2;)
alert dns any any -> any any (msg:"SURICATA DNS Invalid opcode"; app-layer-event:dns.invalid_opcode; classtype:protocol-command-decode; sid:2240007; rev:1;)
alert dns any any -> any any (msg:"SURICATA DNS corrupt additionals"; app-layer-event:dns.corrupt_additionals; classtype:protocol-command-decode; sid:2240008; rev:1;)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we use invalid usually?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I will update

jasonish
jasonish reviewed Sep 10, 2024
View reviewed changes
rust/src/dns/parser.rs
Comment on lines 363 to +365
let (i, answers) = dns_parse_answer(i, message, header.answer_rr as usize)?;
let (i, authorities) = dns_parse_answer(i, message, header.authority_rr as usize)?;
let (i, additionals) = dns_parse_answer(i, message, header.additional_rr as usize)?;
let additionals_parsed = dns_parse_answer(i, message, header.additional_rr as usize);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should the same logic be applied to answers and authorities as well?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks a good idea. I began with the last one

@suricata-qa
Copy link

ERROR:

ERROR: QA failed on SURI_TLPR1_alerts_cmp.

Pipeline 22502

@catenacyber catenacyber mentioned this pull request Sep 11, 2024
Closed
@catenacyber
Copy link
Contributor Author

Continued in #11752

# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@jasonish jasonish jasonish left review comments

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@catenacyber @victorjulien @jasonish @suricata-qa