From ee22215e3dfc5b19ddd16f5530a77041ce0a1b48 Mon Sep 17 00:00:00 2001 From: Henry Aidan Leta Date: Mon, 24 Oct 2022 16:31:49 -0400 Subject: [PATCH 1/7] add cname dissection to ndpi dns --- src/lib/protocols/dns.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c index 7a4492f813f..99a22183146 100644 --- a/src/lib/protocols/dns.c +++ b/src/lib/protocols/dns.c @@ -304,18 +304,19 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct, if((x + data_len) <= packet->payload_packet_len) { // printf("[rsp_type: %u][data_len: %u]\n", rsp_type, data_len); - - if(rsp_type == 0x05 /* CNAME */) { + /* + if(rsp_type == 0x05 // CNAME ) { x += data_len; - continue; /* Skip CNAME */ + continue; // Skip CNAME } + */ if((((rsp_type == 0x1) && (data_len == 4)) /* A */ || ((rsp_type == 0x1c) && (data_len == 16)) /* AAAA */ )) { memcpy(&flow->protos.dns.rsp_addr, packet->payload + x, data_len); } - else if (rsp_type == 0x0c) + else if (rsp_type == 0x0c || rsp_type == 0x05) // revers { // reverse dns lookup responses can have an address label as well as additional domain name labels @@ -330,7 +331,7 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct, // if first char is number this is an address // number can't be first char in domain name // we only want to check the first label for an ip address - if (packet->payload[x+1] >= 0x30 && packet->payload[x+1] <= 0x39 && an_index == 0) + if (packet->payload[x+1] >= 0x30 && packet->payload[x+1] <= 0x39 && an_index == 0 && rsp_type == 0x0c) // only perform this check on PTR records { x += label_len + 1; // skip label len + address field } From e405b6ad681d15a149b7e0a48302d34a9b36ef0b Mon Sep 17 00:00:00 2001 From: Henry Aidan Leta Date: Mon, 24 Oct 2022 16:34:40 -0400 Subject: [PATCH 2/7] remove logic to skip cname processing --- src/lib/protocols/dns.c | 6 ------ 1 file changed, 6 deletions(-) 
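Review bot: Adding `rsp_type == 0x05` to the name-walking branch in the first hunk routes CNAME RDATA through a loop that is bounded only by `payload_packet_len`, never by `data_len`, and that reads `packet->payload[x+1]` and then `label_len` bytes for `strncat` without checking that they lie inside the payload, so a CNAME whose last label length exceeds the remaining bytes over-reads the packet buffer by up to 63 bytes. That loop and the trailing `flow->protos.dns.answer_domain[an_index - 1] = '\0';` are outside this hunk (they are visible in the later whitespace-only patches of this series); when the name begins with a compression pointer (`>= 0xC0`, which CNAME answers commonly use) the loop exits immediately with `an_index == 0` and that store writes one byte before the start of `answer_domain`. I would add `int rdata_end = x + data_len;` before the loop, change its condition to `while(x < rdata_end && packet->payload[x] != '\0' && packet->payload[x] < 0x40 && x + 1 + packet->payload[x] <= rdata_end)`, and guard the terminator with `if(an_index > 0)`. The second hunk's added `&& rsp_type == 0x0c` correctly limits the leading-digit skip to PTR records, but it still evaluates `packet->payload[x+1]` before any length check, which the bounded loop condition above would also cover.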
diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c index 99a22183146..0343ccd4584 100644 --- a/src/lib/protocols/dns.c +++ b/src/lib/protocols/dns.c @@ -304,12 +304,6 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct, if((x + data_len) <= packet->payload_packet_len) { // printf("[rsp_type: %u][data_len: %u]\n", rsp_type, data_len); - /* - if(rsp_type == 0x05 // CNAME ) { - x += data_len; - continue; // Skip CNAME - } - */ if((((rsp_type == 0x1) && (data_len == 4)) /* A */ || ((rsp_type == 0x1c) && (data_len == 16)) /* AAAA */ From a4ec4f778da379be30a3455cabb6c05669057b83 Mon Sep 17 00:00:00 2001 From: Henry Aidan Leta Date: Mon, 24 Oct 2022 16:35:40 -0400 Subject: [PATCH 3/7] comments --- src/lib/protocols/dns.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c index 0343ccd4584..ab98e27416c 100644 --- a/src/lib/protocols/dns.c +++ b/src/lib/protocols/dns.c @@ -310,7 +310,7 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct, )) { memcpy(&flow->protos.dns.rsp_addr, packet->payload + x, data_len); } - else if (rsp_type == 0x0c || rsp_type == 0x05) // revers + else if (rsp_type == 0x0c || rsp_type == 0x05) // reverse dns lookup and cname record processing { // reverse dns lookup responses can have an address label as well as additional domain name labels From 0756da3a906af8ddeb8eefa188e40fba21e13f84 Mon Sep 17 00:00:00 2001 From: Henry Aidan Leta Date: Tue, 25 Oct 2022 10:44:29 -0400 Subject: [PATCH 4/7] spacing adjustments --- src/lib/protocols/dns.c | 70 ++++++++++++++++++++--------------------- 1 file changed, 35 insertions(+), 35 deletions(-) diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c index ab98e27416c..9c0793eb2e3 100644 --- a/src/lib/protocols/dns.c +++ b/src/lib/protocols/dns.c 
@@ -310,41 +310,41 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct, )) { memcpy(&flow->protos.dns.rsp_addr, packet->payload + x, data_len); } - else if (rsp_type == 0x0c || rsp_type == 0x05) // reverse dns lookup and cname record processing - { - - // reverse dns lookup responses can have an address label as well as additional domain name labels - // since we already have the address from the query we just need the domain name - // we only process the first answer and grab its domain name - int an_index = 0; - // make sure to exit loop if x is a 00 octet or x exceeds the packet payload length or the length octet has first 2 bits set (domain name compressed) - while((packet->payload[x] != '\0') && (x < packet->payload_packet_len) && (packet->payload[x] < 0x40)) // normal length octets can't be greater than 63 chars total 64 chars 1 for the length octet itself leaves 63 - { - int label_len = packet->payload[x]; // get 1st label len - - // if first char is number this is an address - // number can't be first char in domain name - // we only want to check the first label for an ip address - if (packet->payload[x+1] >= 0x30 && packet->payload[x+1] <= 0x39 && an_index == 0 && rsp_type == 0x0c) // only perform this check on PTR records - { - x += label_len + 1; // skip label len + address field - } - else - { - if (an_index + label_len < (int)(sizeof(flow->protos.dns.answer_domain)-1)) - { - strncat(flow->protos.dns.answer_domain, (char *)packet->payload + x + 1, label_len); // copy label section into string field - an_index += label_len; // increment index - flow->protos.dns.answer_domain[an_index] = '.'; // delimeter between label sections - an_index++; // increment index for delimeter - x += label_len + 1; // skip label len + address field - } - else - break; - } - } - flow->protos.dns.answer_domain[an_index - 1] = '\0'; // remove trailing '.' 
char and replace with null term - } + else if (rsp_type == 0x0c || rsp_type == 0x05) // reverse dns lookup and cname record processing + { + + // reverse dns lookup responses can have an address label as well as additional domain name labels + // since we already have the address from the query we just need the domain name + // we only process the first answer and grab its domain name + int an_index = 0; + // make sure to exit loop if x is a 00 octet or x exceeds the packet payload length or the length octet has first 2 bits set (domain name compressed) + while((packet->payload[x] != '\0') && (x < packet->payload_packet_len) && (packet->payload[x] < 0x40)) // normal length octets can't be greater than 63 chars total 64 chars 1 for the length octet itself leaves 63 + { + int label_len = packet->payload[x]; // get 1st label len + + // if first char is number this is an address + // number can't be first char in domain name + // we only want to check the first label for an ip address + if (packet->payload[x+1] >= 0x30 && packet->payload[x+1] <= 0x39 && an_index == 0 && rsp_type == 0x0c) // only perform this check on PTR records + { + x += label_len + 1; // skip label len + address field + } + else + { + if (an_index + label_len < (int)(sizeof(flow->protos.dns.answer_domain)-1)) + { + strncat(flow->protos.dns.answer_domain, (char *)packet->payload + x + 1, label_len); // copy label section into string field + an_index += label_len; // increment index + flow->protos.dns.answer_domain[an_index] = '.'; // delimeter between label sections + an_index++; // increment index for delimeter + x += label_len + 1; // skip label len + address field + } + else + break; + } + } + flow->protos.dns.answer_domain[an_index - 1] = '\0'; // remove trailing '.' char and replace with null term + } } } From 201549354b1dbedc1b5f47943307f47977134810 Mon Sep 17 00:00:00 2001 
From: Henry Aidan Leta
Date: Tue, 25 Oct 2022 10:46:49 -0400
Subject: [PATCH 5/7] spacing adjustments again
---
 src/lib/protocols/dns.c | 64 ++++++++++++++++++++---------------------
 1 file changed, 32 insertions(+), 32 deletions(-)
diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c
index 9c0793eb2e3..17b77155e93 100644
--- a/src/lib/protocols/dns.c
+++ b/src/lib/protocols/dns.c
@@ -313,38 +313,38 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct, else if (rsp_type == 0x0c || rsp_type == 0x05) // reverse dns lookup and cname record processing { - // reverse dns lookup responses can have an address label as well as additional domain name labels - // since we already have the address from the query we just need the domain name - // we only process the first answer and grab its domain name - int an_index = 0; - // make sure to exit loop if x is a 00 octet or x exceeds the packet payload length or the length octet has first 2 bits set (domain name compressed) - while((packet->payload[x] != '\0') && (x < packet->payload_packet_len) && (packet->payload[x] < 0x40)) // normal length octets can't be greater than 63 chars total 64 chars 1 for the length octet itself leaves 63 - { - int label_len = packet->payload[x]; // get 1st label len - - // if first char is number this is an address - // number can't be first char in domain name - // we only want to check the first label for an ip address - if (packet->payload[x+1] >= 0x30 && packet->payload[x+1] <= 0x39 && an_index == 0 && rsp_type == 0x0c) // only perform this check on PTR records - { - x += label_len + 1; // skip label len + address field - } - else - { - if (an_index + label_len < (int)(sizeof(flow->protos.dns.answer_domain)-1)) - { - strncat(flow->protos.dns.answer_domain, (char *)packet->payload + x + 1, label_len); // copy label section into string field - an_index += label_len; // increment index - flow->protos.dns.answer_domain[an_index] = '.'; // delimeter between label sections - an_index++; // increment index for delimeter - x += label_len + 1; // skip label len + address field - } - else - break; - } - } - flow->protos.dns.answer_domain[an_index - 1] = '\0'; // remove trailing '.' 
char and replace with null term - } + // reverse dns lookup responses can have an address label as well as additional domain name labels + // since we already have the address from the query we just need the domain name + // we only process the first answer and grab its domain name + int an_index = 0; + // make sure to exit loop if x is a 00 octet or x exceeds the packet payload length or the length octet has first 2 bits set (domain name compressed) + while((packet->payload[x] != '\0') && (x < packet->payload_packet_len) && (packet->payload[x] < 0x40)) // normal length octets can't be greater than 63 chars total 64 chars 1 for the length octet itself leaves 63 + { + int label_len = packet->payload[x]; // get 1st label len + + // if first char is number this is an address + // number can't be first char in domain name + // we only want to check the first label for an ip address + if (packet->payload[x+1] >= 0x30 && packet->payload[x+1] <= 0x39 && an_index == 0 && rsp_type == 0x0c) // only perform this check on PTR records + { + x += label_len + 1; // skip label len + address field + } + else + { + if (an_index + label_len < (int)(sizeof(flow->protos.dns.answer_domain)-1)) + { + strncat(flow->protos.dns.answer_domain, (char *)packet->payload + x + 1, label_len); // copy label section into string field + an_index += label_len; // increment index + flow->protos.dns.answer_domain[an_index] = '.'; // delimeter between label sections + an_index++; // increment index for delimeter + x += label_len + 1; // skip label len + address field + } + else + break; + } + } + flow->protos.dns.answer_domain[an_index - 1] = '\0'; // remove trailing '.' char and replace with null term + } } } From 02e174a398661da545c1d2cff3168c4162ad2917 Mon Sep 17 00:00:00 2001 From: Henry Aidan Leta Date: Tue, 25 Oct 2022 10:47:51 -0400 Subject: [PATCH 6/7] spacing adjustments final --- src/lib/protocols/dns.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c index 17b77155e93..0dd2467ad1c 100644 --- a/src/lib/protocols/dns.c +++ b/src/lib/protocols/dns.c @@ -310,8 +310,8 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct, )) { memcpy(&flow->protos.dns.rsp_addr, packet->payload + x, data_len); } - else if (rsp_type == 0x0c || rsp_type == 0x05) // reverse dns lookup and cname record processing - { + else if (rsp_type == 0x0c || rsp_type == 0x05) // reverse dns lookup and cname record processing + { // reverse dns lookup responses can have an address label as well as additional domain name labels // since we already have the address from the query we just need the domain name From 786610a02e9fd4e7deb0005f4f87bfdf33d7edf8 Mon Sep 17 00:00:00 2001 From: Henry Aidan Leta Date: Tue, 25 Oct 2022 10:54:55 -0400 Subject: [PATCH 7/7] spacing adjustments x4 --- src/lib/protocols/dns.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c index 0dd2467ad1c..b3ae1c42b58 100644 --- a/src/lib/protocols/dns.c +++ b/src/lib/protocols/dns.c @@ -297,10 +297,10 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct, /* here x points to the response "class" field */ if((x+12) <= packet->payload_packet_len) { - x += 2; - uint32_t ttl = get32(&x,packet->payload); - flow->protos.dns.answer_ttl = ttl; - data_len = get16(&x, packet->payload); + x += 2; + uint32_t ttl = get32(&x,packet->payload); + flow->protos.dns.answer_ttl = ttl; + data_len = get16(&x, packet->payload); if((x + data_len) <= packet->payload_packet_len) { // printf("[rsp_type: %u][data_len: %u]\n", rsp_type, data_len);