Implementing application layer features

Question

Implementing application layer features

dcferreira opened this issue 5 years ago · 3 comments

I'm trying to implement some DNS features, and am struggling to understand why this isn't working.

You can see my attempt at a feature which returns the requested domain names:
https://github.com/dcferreira/go-flows/blob/c9c48e24880ac88f40feebfd58e5df720aca70b2/modules/features/custom/application.go#L145-L153
You can use this example to run it.

The result is that layer is always nil, and so nothing is ever output. I'm using a pcap with plenty of DNS requests, and that wireshark recognizes fine.

What am I doing wrong here?

Answer 1 · 2019-11-11T20:09:29.000Z

I don't have data to test with but try instead f.SetValue(string(dnsQuestion.Name), context, f) (replacing src by f) and remove the "Stop" and "Start" functions since they are not needed.
i.e.

type _DNSDomain struct {
	flows.BaseFeature
}

func (f *_DNSDomain) Event(new interface{}, context *flows.EventContext, src interface{}) {
	layer := new.(packet.Buffer).Layer(layers.LayerTypeDNS)
	if layer != nil {
		dns := layer.(*layers.DNS)
		for _, dnsQuestion := range dns.Questions {
			f.SetValue(string(dnsQuestion.Name), context, f)
		}
	}
}

func init() {
	flows.RegisterTemporaryFeature("_DNSDomain", "returns domains from DNS packets.", ipfix.StringType, 0, flows.PacketFeature, func() flows.Feature { return &_DNSDomain{} }, flows.RawPacket)
}

Answer 2 · 2019-11-12T06:25:13.000Z

For performance reasons application layer is not decoded by go-flows. So you have to do that yourself -> look for udp port 53 and then use DecodeFromBytes() of the DNS layer with the LayerPayload() of the udp packet. Tcp would be a bit more involved since you would need to reassemble the stream first. Fares Meghdouri <notifications@github.com> schrieb am Mo., 11. Nov. 2019, 21:09:

…

I don't have data to test with but try instead f.SetValue(string(dnsQuestion.Name), context, f) (replacing src by f) and remove the "Stop" and "Start" functions since they are not needed. i.e. type _DNSDomain struct { flows.BaseFeature } func (f *_DNSDomain) Event(new interface{}, context *flows.EventContext, src interface{}) { layer := new.(packet.Buffer).Layer(layers.LayerTypeDNS) if layer != nil { dns := layer.(*layers.DNS) for _, dnsQuestion := range dns.Questions { f.SetValue(string(dnsQuestion.Name), context, f) } } } func init() { flows.RegisterTemporaryFeature("_DNSDomain", "returns domains from DNS packets.", ipfix.StringType, 0, flows.PacketFeature, func() flows.Feature { return &_DNSDomain{} }, flows.RawPacket) } — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#12?email_source=notifications&email_token=AAAGI65U2LD5ZVUHZ7KHNQDQTG3XVA5CNFSM4JLYZUL2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEDX64YQ#issuecomment-552595042>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAGI6YIU7VO6US6374VF63QTG3XVANCNFSM4JLYZULQ> .

Answer 3 · 2019-11-12T10:10:54.000Z

Thanks, that works :)

I'll try to make a filter for decoding DNS then, and implement some features out of it.