aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorIvan Nardi <12729895+IvanNardi@users.noreply.github.com>2025-02-16 14:32:56 +0100
committerGitHub <noreply@github.com>2025-02-16 14:32:56 +0100
commitd51b6ab0492e1c32e9954ee77a27a755ffaccc92 (patch)
tree42671173adccab074450594d045135a68fb22c30
parent7dc5890c0f21ffded4807a35de8f14a51ecb6d8a (diff)
DNS: fix parsing of hostname for empty response messages (#2731)
Diffstat
-rw-r--r--src/lib/protocols/dns.c7
-rw-r--r--tests/cfgs/default/result/dns_invert_query.pcapng.out2
-rw-r--r--tests/cfgs/default/result/fuzz-2006-06-26-2594.pcap.out8
3 files changed, 11 insertions, 6 deletions
diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c
index 36b928980..7199d51f6 100644
--- a/src/lib/protocols/dns.c
+++ b/src/lib/protocols/dns.c
@@ -706,6 +706,7 @@ static int search_dns_again(struct ndpi_detection_module_struct *ndpi_struct, st
static int process_hostname(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow,
+ struct ndpi_dns_packet_header *dns_header,
ndpi_master_app_protocol *proto) {
struct ndpi_packet_struct *packet = &ndpi_struct->packet;
char *dot;
@@ -716,6 +717,10 @@ static int process_hostname(struct ndpi_detection_module_struct *ndpi_struct,
proto->master_protocol = checkDNSSubprotocol(ntohs(flow->c_port), ntohs(flow->s_port));
proto->app_protocol = NDPI_PROTOCOL_UNKNOWN;
+ /* We try to get hostname only from "standard" query/answer */
+ if(dns_header->num_queries == 0 && dns_header->num_answers == 0)
+ return -1;
+
is_mdns = (proto->master_protocol == NDPI_PROTOCOL_MDNS);
/* TODO: should we overwrite existing hostname?
@@ -803,7 +808,7 @@ static void search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct
return;
}
- process_hostname(ndpi_struct, flow, &proto);
+ process_hostname(ndpi_struct, flow, &dns_header, &proto);
off = sizeof(struct ndpi_dns_packet_header) + payload_offset;
diff --git a/tests/cfgs/default/result/dns_invert_query.pcapng.out b/tests/cfgs/default/result/dns_invert_query.pcapng.out
index f7291ba64..014c71f58 100644
--- a/tests/cfgs/default/result/dns_invert_query.pcapng.out
+++ b/tests/cfgs/default/result/dns_invert_query.pcapng.out
@@ -24,4 +24,4 @@ DNS 2 134 1
Acceptable 2 134 1
- 1 UDP 173.147.108.174:18427 <-> 244.187.95.1:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/78 bytes <-> 1 pkts/56 bytes][Goodput ratio: 46/21][0.00 sec][0.0.0.0][DNS Id: 0x77fc][Risk: ** Error Code **][Risk Score: 10][Risk Info: DNS Error Code NOTIMP][Plen Bins: 50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 1 UDP 173.147.108.174:18427 <-> 244.187.95.1:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/78 bytes <-> 1 pkts/56 bytes][Goodput ratio: 46/21][0.00 sec][Hostname/SNI: 216.58.202.4][0.0.0.0][DNS Id: 0x77fc][Risk: ** Error Code **][Risk Score: 10][Risk Info: DNS Error Code NOTIMP][Plen Bins: 50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/cfgs/default/result/fuzz-2006-06-26-2594.pcap.out b/tests/cfgs/default/result/fuzz-2006-06-26-2594.pcap.out
index 3871a8f07..0c459e29e 100644
--- a/tests/cfgs/default/result/fuzz-2006-06-26-2594.pcap.out
+++ b/tests/cfgs/default/result/fuzz-2006-06-26-2594.pcap.out
@@ -14,10 +14,10 @@ LRU cache tls_cert: 0/0/0 (insert/search/found)
LRU cache mining: 0/66/0 (insert/search/found)
LRU cache msteams: 0/0/0 (insert/search/found)
LRU cache fpc_dns: 0/66/0 (insert/search/found)
-Automa host: 238/0 (search/found)
-Automa domain: 231/0 (search/found)
+Automa host: 237/0 (search/found)
+Automa domain: 230/0 (search/found)
Automa tls cert: 0/0 (search/found)
-Automa risk mask: 125/0 (search/found)
+Automa risk mask: 124/0 (search/found)
Automa common alpns: 0/0 (search/found)
Patricia risk mask: 372/0 (search/found)
Patricia risk mask IPv6: 0/0 (search/found)
@@ -211,7 +211,7 @@ Unrated 33 4066 33
168 UDP 192.168.1.53:2791 -> 192.168.1.1:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 1][cat: Network/14][1 pkts/86 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][< 1 sec][Hostname/SNI: _sip._udp.sip.cybercity.dk][0.0.0.0][DNS Id: 0x82eb][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (cybercity)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
169 UDP 192.168.1.110:2713 -> 192.168.1.1:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 1][cat: Network/14][1 pkts/86 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][< 1 sec][0.0.0.0][DNS Id: 0x4cd2][Risk: ** Malformed Packet **** Unidirectional Traffic **][Risk Score: 20][Risk Info: No server to client traffic / Invalid DNS Query Lenght][PLAIN TEXT (cybercity)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
170 UDP 192.168.1.172:2766 -> 192.168.1.1:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 1][cat: Network/14][1 pkts/86 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][< 1 sec][Hostname/SNI: _sip._udp.sip.cybercity.dk][0.0.0.0][DNS Id: 0x7bfd][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (cybercity)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 171 UDP 192.168.9.2:2774 -> 192.168.1.1:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 1][cat: Network/14][1 pkts/86 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][< 1 sec][Hostname/SNI: _sip._udp.sip.cybercity.dk][0.0.0.0][DNS Id: 0xdae2][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (cybercity)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 171 UDP 192.168.9.2:2774 -> 192.168.1.1:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 1][cat: Network/14][1 pkts/86 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][< 1 sec][0.0.0.0][DNS Id: 0xdae2][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (cybercity)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
172 UDP 192.168.37.115:2758 -> 128.168.1.1:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 1][cat: Network/14][1 pkts/86 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][< 1 sec][0.0.0.0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (cybercity)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
173 UDP 192.168.54.2:2829 -> 192.168.1.1:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 1][cat: Network/14][1 pkts/86 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][< 1 sec][0.0.0.0][DNS Id: 0xd033][Risk: ** Malformed Packet **** Unidirectional Traffic **][Risk Score: 20][Risk Info: No server to client traffic / Invalid DNS Query Lenght][PLAIN TEXT (cibercity)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
174 UDP 192.168.79.2:2791 -> 192.168.1.1:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 1][cat: Network/14][1 pkts/86 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][< 1 sec][Hostname/SNI: _sip._udp.sip.cybercity.dk][0.0.0.0][DNS Id: 0x82eb][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (cybercity)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
Powered by cgit, Themed by Ted Yin.