Merge branch 'dns-original-query-case' of https://github.com/rvictory/zeek

Changes during merge - Changed the policy script to use an event handler that behaves for like the base script: &priority=5, msg$opcode != early-out, no record field existence checks - Also extended dns_query_reply event with original_query param - Removed ExtractName overload, and just use default param * 'dns-original-query-case' of https://github.com/rvictory/zeek: Fixed some places where tabs became spaces Stricter checking if we have a dns field on the connection being processed Modified the DNS protocol analyzer to add a new parameter to the dns_request event which includes the DNS query in its original case. Added a policy script that will add the original_case to the dns.log file as well. Created new btests to test both.
2025-10-02 14:48:21 +00:00 · 2020-06-25 23:33:14 -07:00 · 2020-06-25 23:33:14 -07:00 · 00a4865885
commit 00a4865885
parent 23c3aa056f 7a91b49f5a
14 changed files with 87 additions and 18 deletions
--- a/scripts/policy/protocols/dns/log-original-query-case.zeek
+++ b/scripts/policy/protocols/dns/log-original-query-case.zeek
@ -0,0 +1,22 @@
+##! This script adds the query with its original letter casing
+##! to the DNS log.
+
+@load base/protocols/dns/main
+
+module DNS;
+
+export {
+	redef record Info += {
+		## Query with original letter casing
+		original_query: string &log &optional;
+	};
+}
+
+event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count, original_query: string) &priority=5
+	{
+	if ( msg$opcode != 0 )
+		# Currently only standard queries are tracked.
+		return;
+
+	c$dns$original_query = original_query;
+	}