Merge branch 'dns-original-query-case' of https://github.com/rvictory/zeek

Changes during merge - Changed the policy script to use an event handler that behaves for like the base script: &priority=5, msg$opcode != early-out, no record field existence checks - Also extended dns_query_reply event with original_query param - Removed ExtractName overload, and just use default param * 'dns-original-query-case' of https://github.com/rvictory/zeek: Fixed some places where tabs became spaces Stricter checking if we have a dns field on the connection being processed Modified the DNS protocol analyzer to add a new parameter to the dns_request event which includes the DNS query in its original case. Added a policy script that will add the original_case to the dns.log file as well. Created new btests to test both.
2025-10-10 02:28:21 +00:00 · 2020-06-25 23:33:14 -07:00 · 2020-06-25 23:33:14 -07:00 · 00a4865885
commit 00a4865885
parent 23c3aa056f 7a91b49f5a
14 changed files with 87 additions and 18 deletions
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
@ -19,6 +19,7 @@
                  [2] query: string      = mail.patriots.in
                  [3] qtype: count       = 1
                  [4] qclass: count      = 1
+                  [5] original_query: string = mail.patriots.in

 1254722767.492060 protocol_confirmation
                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0 secs, service={\x0a\x0a}, history=D, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, successful=F, dpd=<uninitialized>, dpd_state=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F], dns_state=[pending_query=[ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F], pending_queries=<uninitialized>, pending_replies=<uninitialized>], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
--- a/testing/btest/Baseline/scripts.policy.protocols.dns.original_case/dns.log
+++ b/testing/btest/Baseline/scripts.policy.protocols.dns.original_case/dns.log
@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	dns
+#open	2020-06-17-14-47-26
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected	original_query
+#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool	string
+1592402712.248901	CHhAvVGS1DHFjwGM9	192.168.3.138	63374	192.168.3.1	53	udp	20877	-	us.v27.distributed.net	1	C_INTERNET	1	A	-	-	F	F	T	F	2	-	-	F	Us.V27.DiStRiBuTeD.NET
+#close	2020-06-17-14-47-26
--- a/testing/btest/Traces/dns_original_case.pcap
+++ b/testing/btest/Traces/dns_original_case.pcap
--- a/testing/btest/scripts/policy/protocols/dns/original_case.zeek
+++ b/testing/btest/scripts/policy/protocols/dns/original_case.zeek
@ -0,0 +1,3 @@
+# @TEST-EXEC: zeek -r $TRACES/dns_original_case.pcap %INPUT
+# @TEST-EXEC: btest-diff dns.log
+@load protocols/dns/log-original-query-case
--- a/testing/external/commit-hash.zeek-testing
+++ b/testing/external/commit-hash.zeek-testing
@ -1 +1 @@
-807dce8fd94d59e571994c033e333691f7ef27ba
+9d92ec99cadd04e95365dc2c3b507b7011db255a
--- a/testing/external/commit-hash.zeek-testing-private
+++ b/testing/external/commit-hash.zeek-testing-private
@ -1 +1 @@
-fa5c4dc4ea3481c7b273f0cfcc77497c0d32aa7c
+d6cd639023cfe26c4e2cf14a59e78599b22ed4d0