Skip to content

Dns over http2 5773 v16#11461

Closed
catenacyber wants to merge 9 commits into
OISF:masterfrom
catenacyber:dns-over-http2-5773-v16
Closed

Dns over http2 5773 v16#11461
catenacyber wants to merge 9 commits into
OISF:masterfrom
catenacyber:dns-over-http2-5773-v16

Conversation

@catenacyber
Copy link
Copy Markdown
Contributor

@catenacyber catenacyber commented Jul 9, 2024

Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/5773

Describe changes:

  • analyze DNS over HTTP2

SV_BRANCH=OISF/suricata-verify#1970

#11428 with DNS v3 logging, no longer a draft, cf last commit

Should there be a squash up of commits ?

@jasonish here for a DOH2 tx, we log a bidirectional HTTP2 transaction, and then if any, a DNS transaction, preferring the answer... What do you think about it ? This allows to keep the same format as for regular dns.
Another option would be to log two doh2 events : one for the DNS request and one for the DNS answer, with HTTP2 getting logged twice... not sure how it would work out for alerts...

@catenacyber
dns: prepare for dns over http2 support
5a7beb3 
by making tx parsing and creation more easily available,
without needing a dns state.

Dns event NotResponse is now set on the right tx, and not the one
before.

Also debug log for Z-flag on request says "request" instead of
"response"

Also rustfmt dns.rs
@catenacyber
http2: rustfmt
2396682
@catenacyber
http2: log dns if DoH is recognized
5263c4b 
Ticket: 5773
@catenacyber
doh: implement dns over http2 app-proto
0da0549 
Ticket: 5773
@catenacyber
doh: make dns and http keywords for doh2
732f0a2 
Ticket: 5773
@catenacyber
util/profiling: remove assertion
530d0d1 
Now a flow alproto can be changed by a call to AppLayerParserParse
when HTTP2 forces the flow to turn into DOH2.
@catenacyber
doh2: handle dns message in POST requests
7fbb6fe 
Ticket: 5773

Handles both directions the same way for data if content type is
application/dns-message
@catenacyber
doh: move fields into dedicated Optional struct
01a9762 
So as to consume less memory for HTTP2Transaction
@catenacyber
doh2: log like dns v3
6e9bb35
@catenacyber catenacyber requested review from a team, jasonish and victorjulien as code owners July 9, 2024 21:39
@catenacyber catenacyber mentioned this pull request Jul 9, 2024
Closed
@codecov
Copy link
Copy Markdown

codecov Bot commented Jul 9, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 92.80000% with 27 lines in your changes missing coverage. Please review.

Project coverage is 82.51%. Comparing base (090079c) to head (6e9bb35).

Additional details and impacted files 
@@            Coverage Diff             @@
##           master   #11461      +/-   ##
==========================================
- Coverage   82.52%   82.51%   -0.02%     
==========================================
  Files         938      938              
  Lines      248297   248533     +236     
==========================================
+ Hits       204917   205077     +160     
- Misses      43380    43456      +76
Flag Coverage Δ
fuzzcorpus 60.54% <64.26%> (+0.09%) ⬆️
livemode 18.68% <6.13%> (-0.02%) ⬇️
pcap 43.90% <79.73%> (+0.12%) ⬆️
suricata-verify 61.63% <85.06%> (+0.09%) ⬆️
unittests 59.39% <33.33%> (-0.03%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

@suricata-qa
Copy link
Copy Markdown

suricata-qa commented Jul 10, 2024

Information: QA ran without warnings.

Pipeline 21444

jasonish
jasonish reviewed Jul 10, 2024
View reviewed changes
Comment thread rust/src/dns/dns.rs
@jasonish
Copy link
Copy Markdown
Member

jasonish commented Jul 10, 2024

@jasonish here for a DOH2 tx, we log a bidirectional HTTP2 transaction, and then if any, a DNS transaction, preferring the answer... What do you think about it ? This allows to keep the same format as for regular dns.

Probably fine, as these are doh events, not dns event. Some thoughts tho:

  • will there be a doh3 at some point and so on?
  • DNS is valuable metadata, I wonder if spreading it over multiple event types will limit its usefulness. My head already hurts thinking about creating DNS reports that cover tradition DNS and DoH.

@victorjulien
Copy link
Copy Markdown
Member

victorjulien commented Jul 10, 2024

In dcerpc, we don't care if it comes over smb or udp/tcp directly, right? I feel dns records shouldn't be different regardless of their transport. It should be recognizable somehow as Dns over HTTP/2, Dns over HTTP, etc still, but that can be done in various ways.

@catenacyber
Copy link
Copy Markdown
Contributor Author

catenacyber commented Jul 10, 2024

So, you would want dns event instead of doh2
We know it is doh2 because this event has http object in it

@victorjulien
Copy link
Copy Markdown
Member

victorjulien commented Jul 11, 2024

So, you would want dns event instead of doh2 We know it is doh2 because this event has http object in it

Yeah that sounds good.

@catenacyber catenacyber mentioned this pull request Jul 15, 2024
Closed
@catenacyber
Copy link
Copy Markdown
Contributor Author

catenacyber commented Jul 15, 2024

Thanks

Continued in #11498

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jasonish jasonish jasonish left review comments

@victorjulien victorjulien Awaiting requested review from victorjulien

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@catenacyber @suricata-qa @jasonish @victorjulien