From 01660553d6c48a8cdb9c966d777c9e5f5bdd7960 Mon Sep 17 00:00:00 2001
From: Vlad Grigorescu
Date: Wed, 14 Jul 2021 20:22:06 -0500
Subject: [PATCH 1/3] Add btest for DNS NSEC3PARAM RR.
---
.../scripts.base.protocols.dns.nsec3param/dns.log | 11 +++++++++++
.../scripts.base.protocols.dns.nsec3param/output | 2 ++
testing/btest/Traces/dnssec/nsec3param.pcap | Bin 0 -> 249 bytes
.../scripts/base/protocols/dns/nsec3param.zeek | 11 +++++++++++
4 files changed, 24 insertions(+)
create mode 100644 testing/btest/Baseline/scripts.base.protocols.dns.nsec3param/dns.log
create mode 100644 testing/btest/Baseline/scripts.base.protocols.dns.nsec3param/output
create mode 100644 testing/btest/Traces/dnssec/nsec3param.pcap
create mode 100644 testing/btest/scripts/base/protocols/dns/nsec3param.zeek
diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.nsec3param/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.nsec3param/dns.log
new file mode 100644
index 0000000000..ef0bca3662
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.dns.nsec3param/dns.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path dns
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected auth addl
+#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool set[string] set[string]
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.87.3.18 53540 10.87.1.54 53 udp 15626 0.522010 sshfp.net 1 C_INTERNET 51 NSEC3PARAM 0 NOERROR F F T T 2 NSEC3PARAM 0.000000 F - -
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.nsec3param/output b/testing/btest/Baseline/scripts.base.protocols.dns.nsec3param/output new file mode 100644 index 0000000000..54fb2e6d95 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.dns.nsec3param/output @@ -0,0 +1,2 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +NSEC3PARAM, [query=sshfp.net, answer_type=1, nsec_flags=0, nsec_hash_algo=1, nsec_iter=20, nsec_salt_len=16, nsec_salt={\x1a\x90\xa9\x16\x19~E\xd0w*\xbc\xb6D\x11V, is_query=0], 7b1a90a916197e45d0772abcb6441156 diff --git a/testing/btest/Traces/dnssec/nsec3param.pcap b/testing/btest/Traces/dnssec/nsec3param.pcap new file mode 100644 index 0000000000000000000000000000000000000000..f68df0c5ef1c4ffe9f1223c68817e7e9f22d33af GIT binary patch literal 249 zcmca|c+)~A1{MYcU}0bca{hO{PdJdq%Mbu$gYc2HCYP>n?P;B`^d$=igDV4r)3GxQ z3=V>`UUG#q3vq=rnq5?3FlEs5+HcFnr~o#Cfq{{=xHu!NfH^OGz$#6 z-zUtHW@9J>azGejGQ<|J`N^}R9T@BcJ1jwFgX~~11=`>*QftfA*Z?#N output +# @TEST-EXEC: btest-diff dns.log +# @TEST-EXEC: btest-diff output + +@load policy/protocols/dns/auth-addl + +event dns_NSEC3PARAM(c: connection, msg: dns_msg, ans: dns_answer, nsec3param: dns_nsec3param_rr) + { + print "NSEC3PARAM", nsec3param, + bytestring_to_hexstr(nsec3param$nsec_salt); + } From a2a8870931e366ac5777cbaab8c9481f58fa0efd Mon Sep 17 00:00:00 2001 
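Review bot: The `dns_NSEC3PARAM` handler is exercised with one well-formed record only: the `output` baseline shows `nsec_salt_len=16` with a matching 16-byte salt, so nothing pins how the parser behaves when the salt length and the record data disagree. That length byte is read from the wire, so a second trace with an empty salt (`nsec_salt_len=0`) and, if one can be produced, a truncated record would turn this into a regression test for the length handling as well as the normal case. Whether the analyzer already guards this is not visible from the diff. The first lines of `nsec3param.zeek` are garbled on this page, so the `@TEST-EXEC` line that runs zeek could not be checked.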
From: Vlad Grigorescu
Date: Wed, 14 Jul 2021 21:43:36 -0500
Subject: [PATCH 2/3] Add btest for DNS WKS RR.
---
.../scripts.base.protocols.dns.wks/dns.log | 11 +++++++++++
.../scripts.base.protocols.dns.wks/output | 1 +
testing/btest/Traces/dns/dns-wks.pcap | Bin 0 -> 274 bytes
testing/btest/scripts/base/protocols/dns/wks.pcap | 10 ++++++++++
4 files changed, 22 insertions(+)
create mode 100644 testing/btest/Baseline/scripts.base.protocols.dns.wks/dns.log
create mode 100644 testing/btest/Baseline/scripts.base.protocols.dns.wks/output
create mode 100644 testing/btest/Traces/dns/dns-wks.pcap
create mode 100644 testing/btest/scripts/base/protocols/dns/wks.pcap
diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.wks/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.wks/dns.log
new file mode 100644
index 0000000000..20c5e818c9
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.dns.wks/dns.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path dns
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected auth addl
+#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool set[string] set[string]
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.87.3.18 60059 10.87.1.10 53 udp 63119 - zeek.example.net 1 C_INTERNET 11 WKS 0 NOERROR F F T F 2 - - F - -
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.wks/output b/testing/btest/Baseline/scripts.base.protocols.dns.wks/output
new file mode 100644
index 0000000000..49d861c74c
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.dns.wks/output
@@ -0,0 +1 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. diff --git a/testing/btest/Traces/dns/dns-wks.pcap b/testing/btest/Traces/dns/dns-wks.pcap new file mode 100644 index 0000000000000000000000000000000000000000..b82f5c4f8562a49b82ecdb1c20909e22abc140b6 GIT binary patch literal 274 zcmca|c+)~A1{MYcU}0bcayHF-pYWrHg&`cs2H_)XO)g#E+S58==}Q(423H0KPvOT5 z3=V?6Ke)n~g}A~Qxn9j?Fl8`pul&}}r~o#Cfq{{wDm68mJ+&e+w;(5#IWM(@fq@$& zrzrq55(Gfj9Gt?!&;;8GK~{jQVlV|-l=#Q}TYqZ<&?qLL qCLGor;DK1iC&0jQU output +# @TEST-EXEC: btest-diff dns.log +# @TEST-EXEC: btest-diff output + +@load policy/protocols/dns/auth-addl + +event dns_WKS_reply(c: connection, msg: dns_msg, ans: dns_answer) + { + print "WKS", dns_msg, dns_answer; + } From f9c36f5c37750aff7836358ad469d2b69707a655 Mon Sep 17 00:00:00 2001 From: Vlad Grigorescu Date: Wed, 1 Sep 2021 12:00:50 -0500 Subject: [PATCH 3/3] Add btests for DNS WKS and BINDS --- .../scripts.base.protocols.dns.binds/dns.log | 11 +++++++++++ .../scripts.base.protocols.dns.binds/output | 17 +++++++++++++++++ .../scripts.base.protocols.dns.wks/dns.log | 2 +- .../scripts.base.protocols.dns.wks/output | 1 + testing/btest/Traces/dns/dns-binds.pcap | Bin 0 -> 492 bytes .../scripts/base/protocols/dns/binds.zeek | 10 ++++++++++ .../base/protocols/dns/{wks.pcap => wks.zeek} | 0 7 files changed, 40 insertions(+), 1 deletion(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.dns.binds/dns.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.dns.binds/output create mode 100644 testing/btest/Traces/dns/dns-binds.pcap create mode 100644 testing/btest/scripts/base/protocols/dns/binds.zeek rename testing/btest/scripts/base/protocols/dns/{wks.pcap => wks.zeek} (100%) diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.binds/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.binds/dns.log new file mode 100644 index 0000000000..0523babdcd --- /dev/null 
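Review bot: `print "WKS", dns_msg, dns_answer;` in the `dns_WKS_reply` handler names the parameter types rather than the parameters `msg` and `ans`, so the test can only emit the literal type names and checks nothing about the parsed reply. The later baseline update in this series records exactly `WKS, dns_msg, dns_answer`, which confirms that only the firing of the event is being verified. The line should read `print "WKS", msg, ans;`, with the `output` baseline regenerated afterwards. The top of the script hunk is garbled on this page, so the `@TEST-EXEC` line that runs zeek could not be checked.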
+++ b/testing/btest/Baseline/scripts.base.protocols.dns.binds/dns.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path dns
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected auth addl
+#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool set[string] set[string]
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.87.3.74 51871 10.87.1.10 53 udp 27571 0.002004 example.net 1 C_INTERNET 65534 query-65534 0 NOERROR T F T T 2 BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal 0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000 F - -
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.binds/output b/testing/btest/Baseline/scripts.base.protocols.dns.binds/output
new file mode 100644
index 0000000000..9e60009463
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.dns.binds/output
@@ -0,0 +1,17 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+BINDS, [query=example.net, answer_type=1, algorithm=7, key_id=32018, removal_flag=0, complte_flag=\x01, is_query=0]
+BINDS, [query=example.net, answer_type=1, algorithm=5, key_id=2196, removal_flag=0, complte_flag=\x01, is_query=0]
+BINDS, [query=example.net, answer_type=1, algorithm=15, key_id=12994, removal_flag=0, complte_flag=\x01, is_query=0]
+BINDS, [query=example.net, answer_type=1, algorithm=16, key_id=23868, removal_flag=0, complte_flag=\x01, is_query=0]
+BINDS, [query=example.net, answer_type=1, algorithm=7, key_id=37611, removal_flag=0, complte_flag=\x01, is_query=0]
+BINDS, [query=example.net, answer_type=1, algorithm=8, key_id=9551, removal_flag=0, complte_flag=\x01, is_query=0]
+BINDS, [query=example.net, answer_type=1, algorithm=5, key_id=48254, removal_flag=0, complte_flag=\x01, is_query=0]
+BINDS, [query=example.net, answer_type=1, algorithm=8, key_id=33130, removal_flag=0, complte_flag=\x01, is_query=0]
+BINDS, [query=example.net, answer_type=1, algorithm=14, key_id=15141, removal_flag=0, complte_flag=\x01, is_query=0]
+BINDS, [query=example.net, answer_type=1, algorithm=10, key_id=41675, removal_flag=0, complte_flag=\x01, is_query=0]
+BINDS, [query=example.net, answer_type=1, algorithm=10, key_id=63711, removal_flag=0, complte_flag=\x01, is_query=0]
+BINDS, [query=example.net, answer_type=1, algorithm=13, key_id=65395, removal_flag=0, complte_flag=\x01, is_query=0]
+BINDS, [query=example.net, answer_type=1, algorithm=13, key_id=31400, removal_flag=0, complte_flag=\x01, is_query=0]
+BINDS, [query=example.net, answer_type=1, algorithm=14, key_id=60289, removal_flag=0, complte_flag=\x01, is_query=0]
+BINDS, [query=example.net, answer_type=1, algorithm=15, key_id=31000, removal_flag=0, complte_flag=\x01, is_query=0]
+BINDS, [query=example.net, answer_type=1, algorithm=16, key_id=40187, removal_flag=0, complte_flag=\x01, is_query=0]
diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.wks/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.wks/dns.log
index 20c5e818c9..5cb0f62ae5 100644
--- a/testing/btest/Baseline/scripts.base.protocols.dns.wks/dns.log
+++ b/testing/btest/Baseline/scripts.base.protocols.dns.wks/dns.log
@@ -7,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected auth addl
 #types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool set[string] set[string]
-XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.87.3.18 60059 10.87.1.10 53 udp 63119 - zeek.example.net 1 C_INTERNET 11 WKS 0 NOERROR F F T F 2 - - F - -
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.87.3.18 60059 10.87.1.10 53 udp 63119 0.001993 zeek.example.net 1 C_INTERNET 11 WKS 0 NOERROR T F T T 2 - - F - -
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.wks/output b/testing/btest/Baseline/scripts.base.protocols.dns.wks/output
index 49d861c74c..52ce957a48 100644
--- a/testing/btest/Baseline/scripts.base.protocols.dns.wks/output
+++ b/testing/btest/Baseline/scripts.base.protocols.dns.wks/output
@@ -1 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+WKS, dns_msg, dns_answer
diff --git a/testing/btest/Traces/dns/dns-binds.pcap b/testing/btest/Traces/dns/dns-binds.pcap new file mode 100644 index 0000000000000000000000000000000000000000..92ccc4125cea061391bd38cd337ea48ce68e7e0d GIT binary patch literal 492 zcmca|c+)~A1{MYcU}0bca*EgMCr;O6V+aDWLHNj8lS|jP_Own|`jUl%!Igo*MJJen z!9mb8lq;Osiz}Rw>(qP(QwD=OR@s{w6~IO?Ffg*GRwU*Y>7)(#iXLMlPn7z5R0caG+AWRz$ z@IdSVO0u%o3NbJu3$SubK^5RPI)o}95Nm@fz&`0UssM+oKdJ!ho;p+kj>arh0X}P0 vQ~|C output +# @TEST-EXEC: btest-diff dns.log +# @TEST-EXEC: btest-diff output + +@load policy/protocols/dns/auth-addl + +event dns_BINDS(c: connection, msg: dns_msg, ans: dns_answer, binds: dns_binds_rr) + { + print "BINDS", binds; + } diff --git a/testing/btest/scripts/base/protocols/dns/wks.pcap b/testing/btest/scripts/base/protocols/dns/wks.zeek similarity index 100% rename from testing/btest/scripts/base/protocols/dns/wks.pcap rename to testing/btest/scripts/base/protocols/dns/wks.zeek
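Review bot: Printing the whole record with `print "BINDS", binds;` pins the misspelled field name `complte_flag` in the `output` baseline, and the baseline renders it as `\x01` beside a numeric `removal_flag=0`, which suggests the two flags are declared with different types. Both properties come from the `dns_binds_rr` definition, which is outside this diff, so this is inferred from the baseline alone. It would be worth settling the spelling (presumably `complete_flag`) and the flag types before this baseline lands, since scripts that read the field will depend on them and the baseline will need regenerating after any correction. The first lines of `binds.zeek` are garbled on this page, so the `@TEST-EXEC` line that runs zeek could not be checked.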