Skip to content

Comments

Dns over http2 5773 v12#11292

Closed
catenacyber wants to merge 7 commits intoOISF:masterfrom
catenacyber:dns-over-http2-5773-v12
Closed

Dns over http2 5773 v12#11292
catenacyber wants to merge 7 commits intoOISF:masterfrom
catenacyber:dns-over-http2-5773-v12

Conversation

@catenacyber
Copy link
Contributor

@catenacyber catenacyber commented Jun 11, 2024

Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/5773

Describe changes:

  • analyze DNS over HTTP2

SV_BRANCH=OISF/suricata-verify#1734

Draft to get feedback about approach...

#11242 with needed rebase

TODO :

Functionnaly, in terms of output :

  • The flow will have doh2 as app_proto (and http2 as app_proto_orig)
  • There are doh2 events that have both http2 and dns fields. dns logging is done like alerts, not like dns events...
  • DNS and HTTP and HTTP2 signatures work on DOH2
  • Signatures can be DOH2 specific. These signatures can combine http, http2 and dns keywords.
  • DNS Frames do not work on DoH2

Memory management

  • a HTTP2 tx can own 2 DNS tx (one to client, one to server)
  • a HTTP2 tx stores the streamed DNS response content until it is complete before parsing it (limiting to U16_MAX bytes)

API

  • There is a new DOH2 app-layer protocol which resorts to HTTP2 for most of the things
  • HTTP2 parsing discovering DOH2 changes the app_proto to DOH2, doh2 can be enabled or disabled in suricata.yaml config
  • There are more alproto "comparison" functions
  • Every DNS keyword needs to check the flow alproto to change the transaction
  • Every DNS/HTTP keyword is automatically registered for DOH2 (hacking DetectAppLayerMpmRegister2...

@catenacyber
dns: prepare for dns over http2 support
713a6a7 
by making tx parsing and creation more easily available,
without needing a dns state.

Dns event NotResponse is now set on the right tx, and not the one
before.

Also debug log for Z-flag on request says "request" instead of
"response"

Also rustfmt dns.rs
@catenacyber
http2: rustfmt
33d7a91
@catenacyber
http2: log dns if DoH is recognized
0c422db 
Ticket: 5773
@catenacyber
doh: implement dns over http2 app-proto
2ae7bb7 
Ticket: 5773
@catenacyber
doh: make dns and http keywords for doh2
94c706b 
Ticket: 5773
@catenacyber
util/profiling: remove assertion
e90afd9 
Now a flow alproto can be changed by a call to AppLayerParserParse
when HTTP2 forces the flow to turn into DOH2.
@catenacyber
doh2: handle dns message in POST requests
ba994b5 
Ticket: 5773

Handles both directions the same way for data if content type is
application/dns-message
@catenacyber catenacyber mentioned this pull request Jun 11, 2024
Closed
@suricata-qa
Copy link

suricata-qa commented Jun 11, 2024

Information: QA ran without warnings.

Pipeline 21055

victorjulien
victorjulien reviewed Jun 21, 2024
View reviewed changes
rust/src/http2/http2.rs Outdated
pub req_line: Vec<u8>,
pub resp_line: Vec<u8>,

is_doh_response: bool,
Copy link
Member

@victorjulien victorjulien Jun 21, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should this all be wrapped in an Option? It seems like a large expansion of the http/2 tx

Copy link
Contributor Author

@catenacyber catenacyber Jun 24, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like a good idea, will try to improve on it

victorjulien
victorjulien reviewed Jun 21, 2024
View reviewed changes
rust/src/http2/logger.rs
js.open_array("query")?;
for i in 0..0xFFFF {
let mut jsa = JsonBuilder::try_new_object()?;
if !SCDnsLogJsonQuery(dtx, i, 0xFFFFFFFFFFFFFFFF, &mut jsa) {
Copy link
Member

@victorjulien victorjulien Jun 21, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what are these 0xFFFFFFFFFFFFFFFF uses, looks not very nice

Copy link
Contributor Author

@catenacyber catenacyber Jun 24, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Indeed not very nice, this PR is still a draft waiting for the dns log overhaul in https://redmine.openinfosecfoundation.org/issues/6281 to do the same thing...

victorjulien
victorjulien reviewed Jun 21, 2024
View reviewed changes
src/detect-dns-answer-name.c
return buffer;
}

if (f->alproto == ALPROTO_DOH2) {
Copy link
Member

@victorjulien victorjulien Jun 21, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we hide this behind this a single (inline?) call in all places?

Copy link
Contributor Author

@catenacyber catenacyber Jun 24, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will try to make it nicer...

@victorjulien
Copy link
Member

victorjulien commented Jun 21, 2024

looks good overall. Some comments inline.

@catenacyber catenacyber mentioned this pull request Jun 25, 2024
Closed
@catenacyber
Copy link
Contributor Author

catenacyber commented Jun 25, 2024

Continues in #11369

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@victorjulien victorjulien victorjulien left review comments

Assignees

@victorjulien victorjulien

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@catenacyber @suricata-qa @victorjulien