Dns over http2 5773 v12 #11292
by making tx parsing and creation more easily available, without needing a dns state. Dns event NotResponse is now set on the right tx, and not the one before. Also, the debug log for the Z-flag on a request says "request" instead of "response". Also rustfmt dns.rs.
Ticket: 5773
Now a flow alproto can be changed by a call to AppLayerParserParse when HTTP2 forces the flow to turn into DOH2.
Ticket: 5773
Handles both directions the same way for data if content type is application/dns-message
Information: QA ran without warnings. Pipeline 21055
rust/src/http2/http2.rs
@@ -146,6 +149,12 @@ pub struct HTTP2Transaction { | |||
pub escaped: Vec<Vec<u8>>, | |||
pub req_line: Vec<u8>, | |||
pub resp_line: Vec<u8>, | |||
|
|||
is_doh_response: bool, |
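Review bot: `is_doh_response: bool` is added as a private, always-present field of `HTTP2Transaction` next to the pub `escaped`, `req_line` and `resp_line` fields, so every HTTP/2 transaction carries DoH-only state even though only flows that turn into DOH2 need it; grouping the DoH-specific fields into one `Option<...>` member that stays `None` for plain HTTP/2 keeps the common transaction small and makes "this tx is DoH" a single explicit check instead of a set of loose flags.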
should this all be wrapped in an Option? It seems like a large expansion of the http/2 tx
Looks like a good idea, will try to improve on it
js.open_array("query")?; | ||
for i in 0..0xFFFF { | ||
let mut jsa = JsonBuilder::try_new_object()?; | ||
if !SCDnsLogJsonQuery(dtx, i, 0xFFFFFFFFFFFFFFFF, &mut jsa) { |
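Review bot: `for i in 0..0xFFFF` and the `0xFFFFFFFFFFFFFFFF` passed to `SCDnsLogJsonQuery(dtx, i, 0xFFFFFFFFFFFFFFFF, &mut jsa)` are unexplained magic numbers in logging code; the all-ones value reads like an "every field" flag mask and should be a named constant, and the loop should be bounded by the number of queries on the DNS transaction rather than probing up to 65535 indices and relying on the `!SCDnsLogJsonQuery(...)` branch to stop it. At minimum a comment should say why the flags argument has all bits set.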
what are these 0xFFFFFFFFFFFFFFFF uses, looks not very nice
Indeed not very nice, this PR is still a draft waiting for the dns log overhaul in https://redmine.openinfosecfoundation.org/issues/6281 to do the same thing...
@@ -56,6 +56,12 @@ static InspectionBuffer *GetBuffer(DetectEngineThreadCtx *det_ctx, | |||
return buffer; | |||
} | |||
|
|||
if (f->alproto == ALPROTO_DOH2) { |
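Review bot: the `if (f->alproto == ALPROTO_DOH2)` branch placed after `GetBuffer` in the detect code is an alproto special case that every buffer getter needing DNS-inside-DoH will have to repeat; wrap the comparison (and whatever tx translation it guards) in a single static inline helper so the rule is stated once, the callers stay readable, and a later change to how DOH2 flows are identified is a one-line edit.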
can we hide this behind this a single (inline?) call in all places?
Will try to make it nicer...
looks good overall. Some comments inline.
Continues in #11369
Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/5773
Describe changes:
SV_BRANCH=OISF/suricata-verify#1734
Draft to get feedback about approach...
#11242 with needed rebase
TODO:
- Functionally, in terms of output: doh2 as app_proto (and http2 as app_proto_orig), doh2 events that have both http2 and dns fields. dns logging is done like alerts, not like dns events...
- Memory management
- API