Dns over http2 5773 v2.1 #10040
Conversation
by making tx parsing and creation more easily available, without needing a dns state. Dns event NotResponse is now set on the right tx, and not the one before. Also debug log for Z-flag on request says "request" instead of "response". Also rustfmt dns.rs.
Ticket: 5773
https://redmine.openinfosecfoundation.org/issues/6281 It appears I started this but then got sidetracked.
```c
return (alproto == ALPROTO_DOH2) || (alproto == ALPROTO_DNS);
case ALPROTO_HTTP2:
return (alproto == ALPROTO_DOH2) || (alproto == ALPROTO_HTTP2);
case ALPROTO_DOH2:
```
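Review bot: the trailing `case ALPROTO_DOH2:` label has no body in this region, so as written it either falls through or is dead; it needs either its own return mirroring the two cases above (if DOH2 is meant to count as equivalent to both DNS and HTTP2, something like `return (alproto == ALPROTO_DOH2) || (alproto == ALPROTO_DNS) || (alproto == ALPROTO_HTTP2);`) or removal, as the inline comment below already asks. The `alproto == ALPROTO_DNS` test inside `case ALPROTO_DNS:` also shows the switch is on a second protocol variable; a one-line comment naming the two (expected vs. detected) would make the equivalence rule easier to review.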
need to check if this case is needed
Ah, yes. I'm waiting for this to be approved #9920, as I want to build on the unification of request and response into a simple DNS message struct.
Information: QA ran without warnings. Pipeline 17024
So #9920 was merged as #10045 and now you can work on https://redmine.openinfosecfoundation.org/issues/6281 before I fix this PR by using the fixed logging for dns over HTTP2. Am I understanding correctly @jasonish ?
Yes, but it might take a bit longer than just the code. There is some discussion over adding a new version to the DNS objects, or do we just tack on the Suricata version and let downstream alert consumers deal with it with no compatibility option.
Continued in #10114
Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/5773
Describe changes:
OISF/suricata-verify#1540
Draft to get feedback about approach...
Leaving comments on the code for specific questions
TODO:
- @jasonish why is DNS not logging the same thing for alerts and dns events? That is, why do we log multiple dns events for a single packet having multiple queries, while one alert will have an array in `.dns.query` with the same data? Same goes for answers, and it turns out the schema is incomplete because everything in dns needs to be put in `./dns/answer` like `authorities` and `grouped`.
- Functionally, in terms of output: `doh2` as `app_proto` (and `http2` as `app_proto_orig`); `doh2` events that have both http2 and dns fields. dns logging is done like alerts, not like dns events...
- Memory management
- API