Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[draft] more dns keywords - v4 #12641

Closed
wants to merge 10 commits into from
Closed

[draft] more dns keywords - v4 #12641

wants to merge 10 commits into from

Conversation

jasonish
Copy link
Member

Draft for coverage report.

scrivs86 and others added 10 commits February 20, 2025 12:24
@scrivs86 @jasonish
dns: add dns.response sticky buffer
6e4c06f 
Feature: 7012
Add dns.response sticky buffer to match on dns response fields.
Add rust functions to return dns response packet data.
Unit tests verifying signature matching.
@scrivs86 @jasonish
doc/userguide: document dns.response
56063a6 
Feature: 7012
@jasonish
dns: rename dns.response keyword to dns.response.rrname
4b3a810 
This is a better name as the keyword is looking at all rrname type
fields in the response.
@jasonish
detect-dns-response: disable clang-format around byte arrays
66d2371 
These arrays are manually formatted for readability.
@jasonish
dns: refactor function to get rrname to be safe
6d178ef 
Make the function safe by returning a reference to the DNSName object,
the unsafe C wrapper can do the conversion to pointers.
@jasonish
detect: split new keyword id from registration
8054a5d 
Split DetectHelperKeywordRegister into 2 functions, one for acquiring
a new keyword ID, and another to perform the registration.

This makes it easier to do the traditional C keyword initialization
with a dynamic ID.
@jasonish
dns: add keywords for additionals and authorities rrnames
50de264 
Add keywords dns.additionals.rrname and dns.authorities.rrname. Along
the way, consolidate dns.query.name and dns.answer.name into a single file
and register them altogether since there is a lot of common code.
@jasonish
schema: add an object for mapping fields to keywords
d4a2e55 
To some EVE fields and a "suricata" object that contains an array of
keywords. These are the keywords that map directly to this field, or
somehow cover this field.

This is an attempt at tooling to help with EVE and keyword parity.

Related to tickets: OISF#5642, OISF#6463, OISF#4772
@jasonish
script/eve-parity: add script for checking eve/keyword parity
7c77745 
Currently this script has two commands: "missing" and "having".

"missing" will show eve fields that do not map to any keywords.

"having" will sohw eve fields along with their keyword mappsings,
while also validating that those keywords really exist.

Related to tickets: OISF#6463, OISF#4772
@jasonish
wip: disable tests for coverage check
9fbdf55
@jasonish jasonish closed this Feb 20, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jufajardini jufajardini Awaiting requested review from jufajardini jufajardini will be requested when the pull request is marked ready for review jufajardini is a code owner

@victorjulien victorjulien Awaiting requested review from victorjulien victorjulien will be requested when the pull request is marked ready for review victorjulien is a code owner

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jasonish @scrivs86