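--- a/src/fieldset.c
+++ b/src/fieldset.c
@@ -306,7 +306,20 @@ char *fs_get_string_by_index(fieldset_t *fs, int index)
 return (char *)fs->fields[index].value.ptr;
 }
 
-int fds_get_index_by_name(fielddefset_t *fds, char *name)
+fieldset_t *fs_get_fieldset_by_index(fieldset_t *fs, int index) {
+return (fieldset_t *)fs->fields[index].value.ptr;
+}
+
+int fs_get_index_by_name(fieldset_t *fs, const char *name) {
+for (int i = 0; i < fs->len; i++) {
+if (!strcmp(fs->fields[i].name, name)) {
+return i;
+}
+}
+return -1;
+}
+
+int fds_get_index_by_name(fielddefset_t *fds, const char *name)
 {
 for (int i = 0; i < fds->len; i++) {
 if (!strcmp(fds->fielddefs[i].name, name)) {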
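Review bot: `fs_get_index_by_name` hands `fs->fields[i].name` straight to `strcmp`, but fieldsets can evidently contain entries added with a NULL name (the module_dns.c part of this change replaces a call `fs_add_fieldset(list, NULL, afs)`), so a lookup over such a set would dereference NULL, assuming the name is stored as passed. Guard the comparison: `if (fs->fields[i].name && !strcmp(fs->fields[i].name, name)) {`. `fs_get_fieldset_by_index` also casts `value.ptr` without checking that `index` lies within `fs->len` or that the field really holds a fieldset, so an index pointing at a string or binary field yields a mistyped pointer. A range and type check that returns NULL would make that misuse fail visibly instead of reading arbitrary memory.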
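--- a/src/fieldset.h
+++ b/src/fieldset.h
@@ -91,7 +91,11 @@ fieldset_t *fs_new_repeated_fieldset();
 
 char *fs_get_string_by_index(fieldset_t *fs, int index);
 
-int fds_get_index_by_name(fielddefset_t *fds, char *name);
+int fds_get_index_by_name(fielddefset_t *fds, const char *name);
+
+int fs_get_index_by_name(fieldset_t *fs, const char *name);
+
+fieldset_t *fs_get_fieldset_by_index(fieldset_t *fs, int index);
 
 void gen_fielddef_set(fielddefset_t *fds, fielddef_t fs[], int len);
 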
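Review bot: The two new prototypes are declared without any statement of their contract, and callers need to know it because the implementations in fieldset.c do no validation. Above `fs_get_index_by_name` I would add `/* Returns the index of the first field called name, or -1 if there is none. */`, and above `fs_get_fieldset_by_index` `/* index must be in [0, fs->len) and refer to a fieldset-valued field; nothing is checked. */`.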
55 changes: 36 additions & 19 deletions src/probe_modules/module_dns.c
@@ -81,7 +81,9 @@ typedef uint8_t bool;
probe_module_t module_dns;
static int num_ports;

char default_domain[16];
const char *default_domain = "loadbalancer-portal-public-01.horizon.netscout-dev.com";
const char *default_ip = "52.37.99.50";

const uint16_t default_qtype = DNS_QTYPE_A;

static char **dns_packets;
@@ -92,21 +94,21 @@ static uint16_t *qtypes;
static int num_questions = 0;

// Fix for dns-hijacking
void generate_default_domain() {
static const char *candidate_domains[] = {
"www.test.com",
"www.dict.com",
"www.food.com",
"www.book.com",
"www.leaf.com",
"www.hope.com"
};
time_t t;
srand((unsigned) time(&t));
const char *chosen = candidate_domains[rand() % (sizeof(candidate_domains) / sizeof(candidate_domains[0]))];
strncpy(default_domain, chosen, sizeof(default_domain) - 1);
log_info("dns", "generate_default_domain: %s", default_domain);
}
// void generate_default_domain() {
// static const char *candidate_domains[] = {
// "www.test.com",
// "www.dict.com",
// "www.food.com",
// "www.book.com",
// "www.leaf.com",
// "www.hope.com"
// };
// time_t t;
// srand((unsigned) time(&t));
// const char *chosen = candidate_domains[rand() % (sizeof(candidate_domains) / sizeof(candidate_domains[0]))];
// strncpy(default_domain, chosen, sizeof(default_domain) - 1);
// log_info("dns", "generate_default_domain: %s", default_domain);
// }

/* Array of qtypes we support. Jumping through some hoops (1 level of
* indirection) so the per-packet processing time is fast. Keep this in sync
@@ -571,7 +573,7 @@ static bool process_response_answer(char **data, uint16_t *data_len,
fs_add_binary(afs, "rdata", rdlength, rdata, 0);
}
// Now we're adding the new fs to the list.
fs_add_fieldset(list, NULL, afs);
fs_add_fieldset(list, "rdata_fs", afs);
// Now update the pointers.
*data = *data + bytes_consumed + sizeof(dns_answer_tail) + rdlength;
*data_len =
@@ -604,7 +606,7 @@ static int dns_global_initialize(struct state_conf *conf)
char *qtype_str = NULL;
char **domains = (char **)xmalloc(sizeof(char *) * num_questions);

generate_default_domain();
// generate_default_domain();
for (int i = 0; i < num_questions; i++) {
domains[i] = (char *)default_domain;
qtypes[i] = default_qtype;
@@ -929,7 +931,6 @@ void dns_process_packet(const u_char *packet, uint32_t len, fieldset_t *fs,

// High level info
fs_add_string(fs, "classification", (char *)"dns", 0);
fs_add_bool(fs, "success", is_valid);
fs_add_bool(fs, "app_success",
is_valid && (qr == DNS_QR_ANSWER) &&
(rcode == DNS_RCODE_NOERR));
@@ -1041,7 +1042,23 @@ void dns_process_packet(const u_char *packet, uint32_t len, fieldset_t *fs,
}
// Did we parse OK?
fs_add_uint64(fs, "dns_parse_err", err);

int idx = fs_get_index_by_name(fs, "dns_answers");
if (idx >= 0) {
list = fs_get_fieldset_by_index(fs, idx);
idx = fs_get_index_by_name(list, "rdata_fs");
if (idx >= 0) {
list = fs_get_fieldset_by_index(list, idx);
idx = fs_get_index_by_name(list, "rdata");

Do these idx values change record-by-record? If not, seems like you can bypass quite a lot of log(n) lookups via fs_get_index_by_name()

if (idx >= 0) {
is_valid = strcmp(fs_get_string_by_index(list, idx), default_ip) == 0;
}
}
} else {
is_valid = 0;
}
}
fs_add_bool(fs, "success", is_valid);
// Now the raw stuff.
fs_add_binary(fs, "raw_data", (udp_len - sizeof(struct udphdr)),
(void *)&udp_hdr[1], 0);
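Review bot: In the last hunk of `dns_process_packet` (after `dns_parse_err`), `strcmp(fs_get_string_by_index(list, idx), default_ip)` treats the `rdata` field as a NUL-terminated string, yet the context line in the `process_response_answer` hunk shows `fs_add_binary(afs, "rdata", rdlength, rdata, 0)` on at least one record path. For such an answer `strcmp` walks raw response bytes with no terminator guarantee, which is an out-of-bounds read driven by network input. Check the field type before comparing, e.g. `if (idx >= 0 && list->fields[idx].type == FS_STRING) {` (assuming `field_t` exposes `type` the way fieldset.c uses it elsewhere). Separately, only the outermost miss sets `is_valid = 0`: when `rdata_fs` or `rdata` is absent, `is_valid` keeps its earlier value and the response is still reported as `success`, and because `fs_get_index_by_name` returns the first match, only the first answer record is ever compared. If success is meant to be "an answer equals `default_ip`", put `is_valid = 0;` ahead of the lookup and set it true only on a match; the enclosing function starts and ends outside this hunk.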