dns: multibuffer support for dns.response.answer.name

jasonish · Oct 26, 2023 · 1636c69 · 1636c69
1 parent c0d88e3
commit 1636c69
Showing 1 changed file with 45 additions and 9 deletions.
diff --git a/src/detect-dns-answer-name.c b/src/detect-dns-answer-name.c
@@ -41,11 +41,15 @@ void DetectDnsResponseAnswerNameRegister(void)
     sigmatch_table[DETECT_AL_DNS_RESPONSE_ANSWER_NAME].desc = "DNS answer name sticky buffer";
     sigmatch_table[DETECT_AL_DNS_RESPONSE_ANSWER_NAME].Setup = DetectSetup;
     sigmatch_table[DETECT_AL_DNS_RESPONSE_ANSWER_NAME].flags |= SIGMATCH_NOOPT;
+    sigmatch_table[DETECT_AL_DNS_RESPONSE_ANSWER_NAME].flags |= SIGMATCH_INFO_STICKY_BUFFER;
 
     /* register inspect engines */
     DetectAppLayerInspectEngineRegister(
             keyword, ALPROTO_DNS, SIG_FLAG_TOCLIENT, 0, DetectEngineInspectCb, NULL);
 
+    DetectBufferTypeSetDescriptionByName(keyword, "dns response answer name");
+    DetectBufferTypeSupportsMultiInstance(keyword);
+
     dns_response_answer_name_id = DetectBufferTypeGetByName(keyword);
 }
 
@@ -59,23 +63,55 @@ static int DetectSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
     return 0;
 }
 
+static InspectionBuffer *GetBuffer(DetectEngineThreadCtx *det_ctx,
+        const DetectEngineTransforms *transforms, void *txv, uint32_t index, int list_id)
+{
+    InspectionBuffer *buffer = InspectionBufferMultipleForListGet(det_ctx, list_id, index);
+    if (buffer == NULL) {
+        return NULL;
+    }
+    if (buffer->initialized) {
+        return buffer;
+    }
+
+    const uint8_t *data = NULL;
+    uint32_t data_len = 0;
+
+    if (!SCDnsTxGetAnswerName(txv, index, &data, &data_len)) {
+        InspectionBufferSetupMultiEmpty(buffer);
+        return NULL;
+    } else {
+        InspectionBufferSetupMulti(buffer, transforms, data, data_len);
+        return buffer;
+    }
+}
+
 static uint8_t DetectEngineInspectCb(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
         const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f,
         uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
 {
-    uint8_t ret = 0;
-    const uint8_t *data = NULL;
-    uint32_t data_len = 0;
+    const DetectEngineTransforms *transforms = NULL;
+    if (!engine->mpm) {
+        transforms = engine->v2.transforms;
+    }
 
     for (uint32_t i = 0;; i++) {
-        if (!SCDnsTxGetAnswerName(txv, i, &data, &data_len)) {
+        InspectionBuffer *buffer = GetBuffer(det_ctx, transforms, txv, i, engine->sm_list);
+        if (buffer == NULL || buffer->inspect == NULL) {
             break;
         }
-        ret = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f,
-                (uint8_t *)data, data_len, 0, DETECT_CI_FLAGS_SINGLE,
-                DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
+
+        det_ctx->buffer_offset = 0;
+        det_ctx->discontinue_matching = 0;
+        det_ctx->inspection_recursion_counter = 0;
+
+        const int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f,
+                (uint8_t *)buffer->inspect, buffer->inspect_len, buffer->inspect_offset,
+                DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
+        if (match == 1) {
+            return DETECT_ENGINE_INSPECT_SIG_MATCH;
+        }
     }
 
-    SCLogNotice("Returning %d.", ret);
-    return ret;
+    return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
 }