Exemplo n.º 1
0
func (dns *Dns) GapInStream(tcpTuple *common.TcpTuple, dir uint8, nbytes int, private protos.ProtocolData) (priv protos.ProtocolData, drop bool) {
	if private == nil {
		return private, true
	}
	conn, ok := private.(*dnsConnectionData)
	if !ok {
		return private, false
	}
	stream := conn.Data[dir]

	if stream == nil || stream.message == nil {
		return private, false
	}

	decodedData, err := stream.handleTcpRawData()

	if err == nil {
		dns.messageComplete(conn, tcpTuple, dir, decodedData)
		return private, true
	}

	if dir == tcp.TcpDirectionReverse {
		dns.publishResponseError(conn, err)
	}

	logp.Debug("dns", "%s addresses %s, length %d", err.Error(),
		tcpTuple.String(), len(stream.rawData))
	logp.Debug("dns", "Dropping the stream %s", tcpTuple.String())

	// drop the stream because it is binary Data and it would be unexpected to have a decodable message later
	return private, true
}
Exemplo n.º 2
0
func (dns *Dns) ReceivedFin(tcpTuple *common.TcpTuple, dir uint8, private protos.ProtocolData) protos.ProtocolData {
	if private == nil {
		return nil
	}
	conn, ok := private.(*dnsConnectionData)
	if !ok {
		return private
	}
	stream := conn.Data[dir]

	if stream == nil || stream.message == nil {
		return conn
	}

	decodedData, err := stream.handleTcpRawData()

	if err == nil {
		dns.messageComplete(conn, tcpTuple, dir, decodedData)
		return conn
	}

	if dir == tcp.TcpDirectionReverse {
		dns.publishResponseError(conn, err)
	}

	logp.Debug("dns", "%s addresses %s, length %d", err.Error(),
		tcpTuple.String(), len(stream.rawData))

	return conn
}
Exemplo n.º 3
0
Arquivo: dns.go Projeto: nicoder/beats
func (dns *Dns) GapInStream(tcpTuple *common.TcpTuple, dir uint8, nbytes int, private protos.ProtocolData) (priv protos.ProtocolData, drop bool) {
	dnsData, ok := private.(dnsPrivateData)

	if !ok {
		return private, false
	}

	stream := dnsData.Data[dir]

	if stream == nil || stream.message == nil {
		return private, false
	}

	decodedData, err := decodeDnsData(TransportTcp, stream.data)

	// Add Notes if the failed stream is the response
	if err != nil {
		if dir == tcp.TcpDirectionReverse {
			dns.publishDecodeFailureNotes(dnsData)
		}

		// drop the stream because it is binary and it would be rare to have a decodable message later
		logp.Debug("dns", NonDnsCompleteMsg+" addresses %s, length %d",
			tcpTuple.String(), len(stream.data))
		return private, true
	}

	// publish and ignore the gap. No case should reach this code though ...
	dns.messageComplete(tcpTuple, dir, stream, decodedData)
	return private, false
}
Exemplo n.º 4
0
Arquivo: dns.go Projeto: nicoder/beats
func (dns *Dns) ReceivedFin(tcpTuple *common.TcpTuple, dir uint8, private protos.ProtocolData) protos.ProtocolData {
	if private == nil {
		return private
	}
	dnsData, ok := private.(dnsPrivateData)
	if !ok {
		return private
	}
	if dnsData.Data[dir] == nil {
		return dnsData
	}
	stream := dnsData.Data[dir]
	if stream.message != nil {
		decodedData, err := decodeDnsData(TransportTcp, stream.data)

		if err == nil {
			dns.messageComplete(tcpTuple, dir, stream, decodedData)
		} else /*Failed decode */ {
			if dir == tcp.TcpDirectionReverse {
				dns.publishDecodeFailureNotes(dnsData)
				stream.PrepareForNewMessage()
			}
			logp.Debug("dns", NonDnsCompleteMsg+" addresses %s, length %d",
				tcpTuple.String(), len(stream.data))
		}
	}

	return dnsData
}
Exemplo n.º 5
0
func (dns *Dns) doParse(conn *dnsConnectionData, pkt *protos.Packet, tcpTuple *common.TcpTuple, dir uint8) *dnsConnectionData {
	stream := conn.Data[dir]
	payload := pkt.Payload

	if stream == nil {
		stream = newStream(pkt, tcpTuple)
		conn.Data[dir] = stream
	} else {
		if stream.message == nil { // nth message of the same stream
			stream.message = &DnsMessage{Ts: pkt.Ts, Tuple: pkt.Tuple}
		}

		stream.rawData = append(stream.rawData, payload...)
		if len(stream.rawData) > tcp.TCP_MAX_DATA_IN_STREAM {
			logp.Debug("dns", "Stream data too large, dropping DNS stream")
			conn.Data[dir] = nil
			return conn
		}
	}
	decodedData, err := stream.handleTcpRawData()

	if err != nil {

		if err == IncompleteMsg {
			logp.Debug("dns", "Waiting for more raw data")
			return conn
		}

		if dir == tcp.TcpDirectionReverse {
			dns.publishResponseError(conn, err)
		}

		logp.Debug("dns", "%s addresses %s, length %d", err.Error(),
			tcpTuple.String(), len(stream.rawData))

		// This means that malformed requests or responses are being sent...
		// TODO: publish the situation also if Request
		conn.Data[dir] = nil
		return conn
	}

	dns.messageComplete(conn, tcpTuple, dir, decodedData)
	stream.PrepareForNewMessage()
	return conn
}
Exemplo n.º 6
0
Arquivo: dns.go Projeto: nicoder/beats
func (dns *Dns) Parse(pkt *protos.Packet, tcpTuple *common.TcpTuple, dir uint8, private protos.ProtocolData) protos.ProtocolData {
	defer logp.Recover("DNS ParseTcp")

	logp.Debug("dns", "Parsing packet addressed with %s of length %d.",
		pkt.Tuple.String(), len(pkt.Payload))

	priv := dnsPrivateData{}

	if private != nil {
		var ok bool
		priv, ok = private.(dnsPrivateData)
		if !ok {
			priv = dnsPrivateData{}
		}
	}

	payload := pkt.Payload

	stream := &priv.Data[dir]

	if *stream == nil {
		*stream = &DnsStream{
			tcpTuple: tcpTuple,
			data:     payload,
			message:  &DnsMessage{Ts: pkt.Ts, Tuple: pkt.Tuple},
		}
		if len(payload) <= DecodeOffset {
			logp.Debug("dns", EmptyMsg+" addresses %s",
				tcpTuple.String())

			return priv
		}
	} else {
		(*stream).data = append((*stream).data, payload...)
		dataLength := len((*stream).data)
		if dataLength > tcp.TCP_MAX_DATA_IN_STREAM {
			logp.Debug("dns", "Stream data too large, dropping DNS stream")
			return priv
		}
		if dataLength <= DecodeOffset {
			logp.Debug("dns", EmptyMsg+" addresses %s",
				tcpTuple.String())
			return priv
		}
	}

	data, err := decodeDnsData(TransportTcp, (*stream).data)

	if err != nil {
		logp.Debug("dns", NonDnsCompleteMsg+" addresses %s, length %d",
			tcpTuple.String(), len((*stream).data))

		// wait for decoding with the next segment
		return priv
	}

	dns.messageComplete(tcpTuple, dir, *stream, data)
	return priv
}