diff -Naur snort-2.7.0.1/src/dynamic-preprocessors/dns/spp_dns.c ss-snort-2.7.0.1-dns/src/dynamic-preprocessors/dns/spp_dns.c
--- snort-2.7.0.1/src/dynamic-preprocessors/dns/spp_dns.c 2007-07-03 14:41:39.000000000 -0600
+++ ss-snort-2.7.0.1-dns/src/dynamic-preprocessors/dns/spp_dns.c 2007-09-11 10:34:23.000000000 -0600
@@ -20,6 +20,9 @@
 ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 */
+/* Copyright © 2007 Latis Networks, Inc. ((d.b.a. StillSecure)
+ applies to marked preprocessor drops */
+
 /*
 * DNS preprocessor
@@ -115,6 +118,8 @@
 _dpd.registerPreproc( "dns", DNSInit );
 memset(dns_config.ports, 0, sizeof(char) * (MAX_PORTS/8));
+ //StillSecure
+ dns_config.drop_flags = 0;
 }
 /* Initializes the DNS preprocessor module and registers
@@ -248,6 +253,20 @@
 {
 dns_config.enabled_alerts |= DNS_ALERT_EXPERIMENTAL_TYPES;
 }
+ /** StillSecure **/
+ else if ( !strcmp( cur_tokenp, DNS_DROP_RDATA_OVERFLOW_KEYWORD ))
+ {
+ dns_config.drop_flags |= DNS_DROP_RDATA_OVERFLOW;
+ }
+ else if ( !strcmp( cur_tokenp, DNS_DROP_OBSOLETE_TYPES_KEYWORD ))
+ {
+ dns_config.drop_flags |= DNS_DROP_OBSOLETE_TYPES;
+ }
+ else if ( !strcmp( cur_tokenp, DNS_DROP_EXPERIMENTAL_TYPES_KEYWORD ))
+ {
+ dns_config.drop_flags |= DNS_DROP_EXPERIMENTAL_TYPES;
+ }
+ /** End StillSecure **/
 #if 0
 else if ( !strcmp( cur_tokenp, DNS_AUTODETECT_KEYWORD ))
 {
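Review bot: The three new `drop_*` keywords in the @@ -248 hunk set only `dns_config.drop_flags`; nothing ties them to the matching `enable_*` alert bit, and the `inlineDrop` calls added later in this patch appear to sit inside the blocks that raise the alert (the guarding condition itself is outside those hunks), so `drop_rdata_overflow` without `enable_rdata_overflow` is accepted and silently does nothing. The status printout in the @@ -286 hunk hides the mismatch, because the Drop line is printed only when the alert is enabled. The simplest fix is for each drop keyword to also enable its alert, e.g. `dns_config.drop_flags |= DNS_DROP_RDATA_OVERFLOW;` followed by `dns_config.enabled_alerts |= DNS_ALERT_RDATA_OVERFLOW;` in the first branch and the same pairing in the other two; alternatively, fail configuration after parsing when a drop bit is set without its alert bit. The enclosing token loop starts and ends outside the hunk.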
@@ -286,12 +305,36 @@
 _dpd.logMsg(" DNS Client rdata txt Overflow Alert: %s\n",
 dns_config.enabled_alerts & DNS_ALERT_RDATA_OVERFLOW ?
 "ACTIVE" : "INACTIVE" );
+ /** StillSecure **/
+ if(dns_config.enabled_alerts & DNS_ALERT_RDATA_OVERFLOW)
+ {
+ _dpd.logMsg(" DNS Client rdata txt Overflow Drop: %s\n",
+ dns_config.drop_flags & DNS_DROP_RDATA_OVERFLOW ?
+ "ACTIVE" : "INACTIVE" );
+ }
+ /** End StillSecure **/
 _dpd.logMsg(" Obsolete DNS RR Types Alert: %s\n",
 dns_config.enabled_alerts & DNS_ALERT_OBSOLETE_TYPES ?
 "ACTIVE" : "INACTIVE" );
+ /** StillSecure **/
+ if(dns_config.enabled_alerts & DNS_ALERT_OBSOLETE_TYPES)
+ {
+ _dpd.logMsg(" Obsolete DNS RR Types Drop: %s\n",
+ dns_config.drop_flags & DNS_DROP_OBSOLETE_TYPES ?
+ "ACTIVE" : "INACTIVE" );
+ }
+ /** End StillSecure **/
 _dpd.logMsg(" Experimental DNS RR Types Alert: %s\n",
 dns_config.enabled_alerts & DNS_ALERT_EXPERIMENTAL_TYPES ?
 "ACTIVE" : "INACTIVE" );
+ /** StillSecure **/
+ if(dns_config.enabled_alerts & DNS_ALERT_EXPERIMENTAL_TYPES)
+ {
+ _dpd.logMsg(" Experimental DNS RR Types Drop: %s\n",
+ dns_config.drop_flags & DNS_DROP_EXPERIMENTAL_TYPES ?
+ "ACTIVE" : "INACTIVE" );
+ }
+ /** End StillSecure **/
 /* Printing ports */
 _dpd.logMsg(" Ports:");
@@ -949,6 +992,12 @@
 {
 /* Alert on obsolete DNS RR types */
 DNS_ALERT(DNS_EVENT_RDATA_OVERFLOW, DNS_EVENT_RDATA_OVERFLOW_STR);
+
+ /** StillSecure **/
+ if((dns_config.drop_flags & DNS_DROP_RDATA_OVERFLOW) && _dpd.inlineMode())
+ _dpd.inlineDrop(dnsSessionData->curr_p);
+ /** End StillSecure **/
+
 }
 dnsSessionData->curr_txt.alerted = 1;
@@ -1047,6 +1096,10 @@
 {
 /* Alert on obsolete DNS RR types */
 DNS_ALERT(DNS_EVENT_OBSOLETE_TYPES, DNS_EVENT_OBSOLETE_TYPES_STR);
+ /** StillSecure **/
+ if((dns_config.drop_flags & DNS_DROP_OBSOLETE_TYPES) && _dpd.inlineMode())
+ _dpd.inlineDrop(dnsSessionData->curr_p);
+ /** End StillSecure **/
 }
 bytes_unused = SkipDNSRData(data, bytes_unused, dnsSessionData);
 break;
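Review bot: In the @@ -949 hunk, `_dpd.inlineDrop(dnsSessionData->curr_p)` dereferences a packet pointer parked in per-session state rather than the packet this parser was handed, so its safety depends entirely on every path into this code having run the `curr_p = p` assignment added at @@ -1486 first; the @@ -1047 and @@ -1060 hunks have the same dependency. If session data is created without that field initialised, or a caller reaches the parser without passing through that assignment, the drop hands a NULL or stale pointer to the framework. A cheap guard makes the dependency explicit, `if((dns_config.drop_flags & DNS_DROP_RDATA_OVERFLOW) && _dpd.inlineMode() && dnsSessionData->curr_p)`, and the single-statement body should be braced. Worth confirming against the stream preprocessor's inline behaviour: if DNS over TCP reaches this code on a reassembled pseudo-packet, dropping it may not stop segments that were already forwarded to the resolver. The enclosing function starts and ends outside the hunk.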
@@ -1060,6 +1113,10 @@
 {
 /* Alert on experimental DNS RR types */
 DNS_ALERT(DNS_EVENT_EXPERIMENTAL_TYPES, DNS_EVENT_EXPERIMENTAL_TYPES_STR);
+ /** StillSecure **/
+ if((dns_config.drop_flags & DNS_DROP_EXPERIMENTAL_TYPES) && _dpd.inlineMode())
+ _dpd.inlineDrop(dnsSessionData->curr_p);
+ /** End StillSecure **/
 }
 bytes_unused = SkipDNSRData(data, bytes_unused, dnsSessionData);
 break;
@@ -1486,6 +1543,9 @@
 return;
 }
+ //StillSecure
+ dnsSessionData->curr_p = p;
+
 if (direction == DNS_DIR_FROM_SERVER)
 {
 ParseDNSResponseMessage(p, dnsSessionData);
diff -Naur snort-2.7.0.1/src/dynamic-preprocessors/dns/spp_dns.h ss-snort-2.7.0.1-dns/src/dynamic-preprocessors/dns/spp_dns.h
--- snort-2.7.0.1/src/dynamic-preprocessors/dns/spp_dns.h 2007-07-03 14:41:39.000000000 -0600
+++ ss-snort-2.7.0.1-dns/src/dynamic-preprocessors/dns/spp_dns.h 2007-09-11 10:34:33.000000000 -0600
@@ -20,6 +20,10 @@
 ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 */
+/* Copyright © 2007 Latis Networks, Inc. ((d.b.a. StillSecure)
+ applies to marked preprocessor drops */
+
+
 /*
 * spp_dns.h: Definitions, structs, function prototype(s) for
 * the DNS preprocessor.
@@ -63,6 +67,8 @@
 #endif
 u_int16_t enabled_alerts;
 char ports[MAX_PORTS/8];
+ //StillSecure
+ u_int16_t drop_flags;
 } DNSConfig;
 /****** A few data structures ******/
@@ -155,6 +161,8 @@
 DNSRR curr_rr;
 DNSNameState curr_txt;
 u_int8_t flags;
+ //StillSecure
+ SFSnortPacket* curr_p;
 } DNSSessionData;
 #define DNS_FLAG_NOT_DNS 0x01
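Review bot: `dnsSessionData->curr_p = p;` in the @@ -1486 hunk stores a per-packet pointer in session state that outlives the packet, so between calls the field dangles, and the hunk ends before the parsing calls return, so whether it is cleared afterwards cannot be seen here. Any reader of `curr_p` outside the window in which this function is running (the field is added to DNSSessionData in the spp_dns.h @@ -155 hunk) would be a use-after-free. Add a comment at the field declaration such as `/* Packet currently being processed; valid only while the per-packet entry point is running, never dereference across packets. */`, and set `dnsSessionData->curr_p = NULL;` once parsing for this packet has returned, which is past the end of the hunk. Passing `p` down to the parsers instead of caching it in the session would remove the hazard altogether. The enclosing function starts and ends outside the hunk.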
@@ -220,12 +228,18 @@
 #define DNS_ENABLE_EXPERIMENTAL_TYPES_KEYWORD "enable_experimental_types"
 #define DNS_ENABLE_RDATA_OVERFLOW_KEYWORD "enable_rdata_overflow"
+/** StillSecure **/
+#define DNS_DROP_OBSOLETE_TYPES_KEYWORD "drop_obsolete_types"
+#define DNS_DROP_EXPERIMENTAL_TYPES_KEYWORD "drop_experimental_types"
+#define DNS_DROP_RDATA_OVERFLOW_KEYWORD "drop_rdata_overflow"
+/** End StillSecure **/
+
 /*
 * DNS preprocessor alert types.
 */
 #define DNS_EVENT_OBSOLETE_TYPES 1
 #define DNS_EVENT_EXPERIMENTAL_TYPES 2
-#define DNS_EVENT_RDATA_OVERFLOW 3
+#define DNS_EVENT_RDATA_OVERFLOW 3
 /*
 * DNS alert flags
@@ -233,9 +247,20 @@
 #define DNS_ALERT_NONE 0x0
 #define DNS_ALERT_OBSOLETE_TYPES 0x1
 #define DNS_ALERT_EXPERIMENTAL_TYPES 0x2
-#define DNS_ALERT_RDATA_OVERFLOW 0x4
+#define DNS_ALERT_RDATA_OVERFLOW 0x4
 #define DNS_ALERT_ALL 0xFFFF
+/** StillSecure **/
+/*
+ * DNS drop flags
+ */
+#define DNS_DROP_NONE 0x0000
+#define DNS_DROP_OBSOLETE_TYPES 0x0001
+#define DNS_DROP_EXPERIMENTAL_TYPES 0x0002
+#define DNS_DROP_RDATA_OVERFLOW 0x0004
+#define DNS_DROP_ALL 0xFFFF
+/** End StillSecure **/
+
 /*
 * DNS preprocessor alert strings.
 */
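Review bot: The new `DNS_DROP_*` bit values in the @@ -233 hunk (0x0001, 0x0002, 0x0004) mirror the `DNS_ALERT_*` bits one-for-one, but nothing states or enforces the pairing, and `DNS_DROP_NONE` is bypassed by the literal `dns_config.drop_flags = 0;` written in the spp_dns.c @@ -115 hunk while `DNS_DROP_ALL` has no keyword or use in the patch. Either document the intent above the block, `/* Drop bits deliberately use the same value as the DNS_ALERT_* bit for the same condition; keep them in step. */`, or derive them, e.g. `#define DNS_DROP_OBSOLETE_TYPES DNS_ALERT_OBSOLETE_TYPES`, so a future alert bit cannot drift from its drop bit, and initialise with `dns_config.drop_flags = DNS_DROP_NONE;`. The `-`/`+` pair on `DNS_ALERT_RDATA_OVERFLOW 0x4` here and on `DNS_EVENT_RDATA_OVERFLOW 3` in the @@ -220 hunk appears to change only whitespace (the two lines read identically) and should be left out so the diff stays limited to the marked StillSecure additions.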