
Dns over http2 5773 v9

Open catenacyber opened this issue 1 year ago • 2 comments

Link to redmine ticket: https://redmine.openinfosecfoundation.org/issues/5773

Describe changes:

  • analyze DNS over HTTP2

SV_BRANCH=https://github.com/OISF/suricata-verify/pull/1734

Draft to get feedback about approach...

https://github.com/OISF/suricata/pull/10898 with needed rebase after recent dns and http2 merges

TODO:

  • Fix dns json schema and logging first (that is https://redmine.openinfosecfoundation.org/issues/6281 )
  • Use config for dns logging...

Functionally, in terms of output:

  • The flow will have doh2 as app_proto (and http2 as app_proto_orig)
  • There are doh2 events that have both http2 and dns fields. dns logging is done like alerts, not like dns events...
  • DNS and HTTP and HTTP2 signatures work on DOH2
  • Signatures can be DOH2 specific. These signatures can combine http, http2 and dns keywords.
  • DNS Frames do not work on DoH2

Memory management

  • a HTTP2 tx can own 2 DNS tx (one to client, one to server)
  • a HTTP2 tx stores the streamed DNS response content until it is complete before parsing it (limiting to U16_MAX bytes)

API

  • There is a new DOH2 app-layer protocol which resorts to HTTP2 for most of the things
  • HTTP2 parsing discovering DOH2 changes the app_proto to DOH2, doh2 can be enabled or disabled in suricata.yaml config
  • There are more alproto "comparison" functions
  • Every DNS keyword needs to check the flow alproto to change the transaction
  • Every DNS/HTTP keyword is automatically registered for DOH2 (hacking DetectAppLayerMpmRegister2...

catenacyber avatar Apr 29 '24 09:04 catenacyber
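As an added example, not code from this PR or from Suricata, the following Rust sketch models the approach the description outlines: an HTTP/2 transaction that recognises DoH traffic, buffers the streamed DNS body until the stream ends (capped at u16::MAX bytes, as the description says), and only then hands the bytes to a DNS parser. Recognising DoH by the RFC 8484 `content-type: application/dns-message` header is an assumption of this example; the PR does not state Suricata's detection criteria. All names (`Http2Tx`, `BodyState`, `parse_dns`, `sample_dns_query`) and the sample query bytes are constructed for this illustration.

```rust
// Added example, not Suricata's code: HTTP/2 tx that detects DoH (assumed:
// RFC 8484 content-type), buffers DATA frames up to u16::MAX, then parses DNS.
const DOH2_MAX_BODY: usize = u16::MAX as usize;

#[derive(Clone, Copy, Debug, PartialEq)]
pub enum BodyState {
    Buffering,
    Complete,
    TooLarge,
}

/// One HTTP/2 transaction plus the DNS body it accumulates for one direction.
pub struct Http2Tx {
    pub is_doh2: bool,
    body: Vec<u8>,
    state: BodyState,
}

impl Http2Tx {
    pub fn new() -> Self {
        Http2Tx { is_doh2: false, body: Vec::new(), state: BodyState::Buffering }
    }

    /// Inspect decoded HEADERS; HTTP/2 names are lowercase, but compare loosely.
    pub fn on_headers(&mut self, headers: &[(&str, &str)]) {
        for (name, value) in headers {
            if name.eq_ignore_ascii_case("content-type")
                && value.trim().to_ascii_lowercase().starts_with("application/dns-message")
            {
                self.is_doh2 = true;
            }
        }
    }

    /// Feed one DATA frame payload; `end_stream` marks the last frame.
    /// A body that would exceed the cap is dropped instead of growing unbounded.
    pub fn on_data(&mut self, chunk: &[u8], end_stream: bool) -> BodyState {
        if self.state != BodyState::Buffering {
            return self.state;
        }
        if self.body.len() + chunk.len() > DOH2_MAX_BODY {
            self.body.clear();
            self.state = BodyState::TooLarge;
            return self.state;
        }
        self.body.extend_from_slice(chunk);
        if end_stream {
            self.state = BodyState::Complete;
        }
        self.state
    }

    /// Hand the body to the DNS parser only once it is complete and DoH was detected.
    pub fn take_dns_message(&mut self) -> Option<Vec<u8>> {
        if self.state == BodyState::Complete && self.is_doh2 && !self.body.is_empty() {
            Some(std::mem::take(&mut self.body))
        } else {
            None
        }
    }
}

/// The DNS header fields and first question name this example extracts.
#[derive(Debug, PartialEq)]
pub struct DnsMessage {
    pub id: u16,
    pub is_response: bool,
    pub qdcount: u16,
    pub ancount: u16,
    pub qname: String,
}

/// Parse a wire-format DNS header and the first QNAME (no compression pointers
/// are accepted in the question section; any truncation yields None).
pub fn parse_dns(msg: &[u8]) -> Option<DnsMessage> {
    if msg.len() < 12 {
        return None;
    }
    let be16 = |i: usize| u16::from_be_bytes([msg[i], msg[i + 1]]);
    let (id, flags, qdcount, ancount) = (be16(0), be16(2), be16(4), be16(6));
    let mut labels = Vec::new();
    let mut pos = 12;
    loop {
        let len = *msg.get(pos)? as usize;
        pos += 1;
        if len == 0 {
            break;
        }
        if len & 0xC0 != 0 {
            return None;
        }
        labels.push(String::from_utf8_lossy(msg.get(pos..pos + len)?).into_owned());
        pos += len;
    }
    Some(DnsMessage { id, is_response: flags & 0x8000 != 0, qdcount, ancount, qname: labels.join(".") })
}

/// Constructed sample: a DNS query (id 0xABCD, RD set) for example.com IN A.
pub fn sample_dns_query() -> Vec<u8> {
    let mut q = vec![0xAB, 0xCD, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0];
    q.extend_from_slice(b"\x07example\x03com\x00\x00\x01\x00\x01");
    q
}

fn main() {
    let mut tx = Http2Tx::new();
    tx.on_headers(&[(":method", "POST"), (":path", "/dns-query"), ("content-type", "application/dns-message")]);
    let q = sample_dns_query();
    tx.on_data(&q[..10], false); // first DATA frame: still buffering, nothing parsed yet
    tx.on_data(&q[10..], true); // END_STREAM: body complete
    println!("{:?}", tx.take_dns_message().and_then(|b| parse_dns(&b)));
}
```

The point of the two-phase design is the one the description makes: the DNS parser never sees a partial message, and the per-transaction buffer has a hard ceiling so a peer streaming an endless DoH body cannot grow memory without bound.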

Codecov Report

Attention: Patch coverage is 89.66480%, with 37 lines in your changes missing coverage. Please review.

Project coverage is 82.92%. Comparing base (df8568e) to head (e9cbd4a). Report is 115 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #10984      +/-   ##
==========================================
- Coverage   83.03%   82.92%   -0.11%     
==========================================
  Files         917      917              
  Lines      248684   248907     +223     
==========================================
- Hits       206489   206405      -84     
- Misses      42195    42502     +307     
Flag              Coverage Δ
fuzzcorpus        64.29% <67.59%> (-0.08%) ↓
suricata-verify   62.19% <82.12%> (-0.51%) ↓
unittests         62.28% <33.24%> (-0.05%) ↓

Flags with carried forward coverage won't be shown.

codecov[bot] avatar Apr 29 '24 12:04 codecov[bot]

Information:

ERROR: QA failed on SURI_TLPR1_alerts_cmp.

field                   baseline   test   %
SURI_TLPR1_stats_chk
  .memcap.pressure      57         53     92.98%
  .memcap.pressure_max  62         65     104.84%

Pipeline 20408

suricata-qa avatar Apr 30 '24 03:04 suricata-qa

Rebased in https://github.com/OISF/suricata/pull/11196

catenacyber avatar May 31 '24 12:05 catenacyber