jasonish · March 19, 2020 15:04
diff --git a/dns.patch b/dns.patch
 diff --git a/rust/src/dns/dns.rs b/rust/src/dns/dns.rs
 index c7aea76bd..412f556be 100644
 --- a/rust/src/dns/dns.rs
 +++ b/rust/src/dns/dns.rs
 @@ -889,6 +889,20 @@ pub extern "C" fn rs_dns_tx_get_query_name(tx: &mut DNSTransaction,
             }
         }
     }
 +
 +    if let &Some(ref response) = &tx.response {
 +        if (i as usize) < response.queries.len() {
 +            let query = &response.queries[i as usize];
 +            if query.name.len() > 0 {
 +                unsafe {
 +                    *len = query.name.len() as u32;
 +                    *buf = query.name.as_ptr();
 +                }
 +                return 1;
 +            }
 +        }
 +    }
 +
     return 0;
 }
 
 diff --git a/src/detect-dns-query.c b/src/detect-dns-query.c
 index 2fb9a16bc..1b0f8d787 100644
 --- a/src/detect-dns-query.c
 +++ b/src/detect-dns-query.c
 @@ -217,10 +217,16 @@ void DetectDnsQueryRegister (void)
     DetectAppLayerMpmRegister2("dns_query", SIG_FLAG_TOSERVER, 2,
             PrefilterMpmDnsQueryRegister, NULL,
             ALPROTO_DNS, 1);
 +    DetectAppLayerMpmRegister2("dns_query", SIG_FLAG_TOCLIENT, 2,
 +            PrefilterMpmDnsQueryRegister, NULL,
 +            ALPROTO_DNS, 1);
 
     DetectAppLayerInspectEngineRegister2("dns_query",
             ALPROTO_DNS, SIG_FLAG_TOSERVER, 1,
             DetectEngineInspectDnsQuery, NULL);
 +    DetectAppLayerInspectEngineRegister2("dns_query",
 +            ALPROTO_DNS, SIG_FLAG_TOCLIENT, 1,
 +            DetectEngineInspectDnsQuery, NULL);
 
     DetectBufferTypeSetDescriptionByName("dns_query",
             "dns request query");
 @@ -231,6 +237,9 @@ void DetectDnsQueryRegister (void)
     DetectAppLayerInspectEngineRegister("dns_request",
             ALPROTO_DNS, SIG_FLAG_TOSERVER, 1,
             DetectEngineInspectDnsRequest);
 +    DetectAppLayerInspectEngineRegister("dns_request",
 +            ALPROTO_DNS, SIG_FLAG_TOCLIENT, 1,
 +            DetectEngineInspectDnsRequest);
     DetectAppLayerInspectEngineRegister("dns_response",
             ALPROTO_DNS, SIG_FLAG_TOCLIENT, 1,
             DetectEngineInspectDnsResponse);
	diff --git a/rust/src/dns/dns.rs b/rust/src/dns/dns.rs
	index c7aea76bd..412f556be 100644
	--- a/rust/src/dns/dns.rs
	+++ b/rust/src/dns/dns.rs
	@@ -889,6 +889,20 @@ pub extern "C" fn rs_dns_tx_get_query_name(tx: &mut DNSTransaction,
	}
	}
	}
	+
	+ if let &Some(ref response) = &tx.response {
	+ if (i as usize) < response.queries.len() {
	+ let query = &response.queries[i as usize];
	+ if query.name.len() > 0 {
	+ unsafe {
	+ *len = query.name.len() as u32;
	+ *buf = query.name.as_ptr();
	+ }
	+ return 1;
	+ }
	+ }
	+ }
	+
	return 0;
	}

	diff --git a/src/detect-dns-query.c b/src/detect-dns-query.c
	index 2fb9a16bc..1b0f8d787 100644
	--- a/src/detect-dns-query.c
	+++ b/src/detect-dns-query.c
	@@ -217,10 +217,16 @@ void DetectDnsQueryRegister (void)
	DetectAppLayerMpmRegister2("dns_query", SIG_FLAG_TOSERVER, 2,
	PrefilterMpmDnsQueryRegister, NULL,
	ALPROTO_DNS, 1);
	+ DetectAppLayerMpmRegister2("dns_query", SIG_FLAG_TOCLIENT, 2,
	+ PrefilterMpmDnsQueryRegister, NULL,
	+ ALPROTO_DNS, 1);

	DetectAppLayerInspectEngineRegister2("dns_query",
	ALPROTO_DNS, SIG_FLAG_TOSERVER, 1,
	DetectEngineInspectDnsQuery, NULL);
	+ DetectAppLayerInspectEngineRegister2("dns_query",
	+ ALPROTO_DNS, SIG_FLAG_TOCLIENT, 1,
	+ DetectEngineInspectDnsQuery, NULL);

	DetectBufferTypeSetDescriptionByName("dns_query",
	"dns request query");
	@@ -231,6 +237,9 @@ void DetectDnsQueryRegister (void)
	DetectAppLayerInspectEngineRegister("dns_request",
	ALPROTO_DNS, SIG_FLAG_TOSERVER, 1,
	DetectEngineInspectDnsRequest);
	+ DetectAppLayerInspectEngineRegister("dns_request",
	+ ALPROTO_DNS, SIG_FLAG_TOCLIENT, 1,
	+ DetectEngineInspectDnsRequest);
	DetectAppLayerInspectEngineRegister("dns_response",
	ALPROTO_DNS, SIG_FLAG_TOCLIENT, 1,
	DetectEngineInspectDnsResponse);