From 07804232e6cbd2bfdd633183081ed82729686a6a Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz
Date: Mon, 29 Sep 2025 15:58:48 -0700
Subject: [PATCH] fixup! Add opcode/opcode_name to DNS log record
---
 scripts/base/protocols/dns/consts.zeek | 20 +++++++++++--------
 scripts/base/protocols/dns/main.zeek | 5 +----
 testing/external/commit-hash.zeek-testing | 2 +-
 .../external/commit-hash.zeek-testing-private | 2 +-
 4 files changed, 15 insertions(+), 14 deletions(-)
diff --git a/scripts/base/protocols/dns/consts.zeek b/scripts/base/protocols/dns/consts.zeek
index 59cb77b660..32f7aa8934 100644
--- a/scripts/base/protocols/dns/consts.zeek
+++ b/scripts/base/protocols/dns/consts.zeek
@@ -195,10 +195,7 @@ export {
 [6] = "ipv6hint",
 } &default = function(n: count): string { return fmt("key-%d", n); };
- ## Mapping of DNS operation type codes to human readable string
- ## representation. The NetBIOS opcodes overlap the standard opcodes,
- ## hence putting the string versions at invalid values to make lookups
- ## possible.
+ ## Mapping of DNS operation type codes to human readable string representation.
 const opcodes = {
 [0] = "query",
 [1] = "iquery",
@@ -206,9 +203,16 @@ export {
 [4] = "notify",
 [5] = "dynamic-update",
 [6] = "dso",
- [0xFFFF5] = "netbios-registration",
- [0xFFFF6] = "netbios-release",
- [0xFFFF7] = "netbios-wack",
- [0xFFFF8] = "netbios-refresh",
 } &default = function(n: count): string { return fmt("opcode-%d", n); };
+
+ ## Mapping of DNS operation type codes to human readable string representation for
+ ## NetBIOS Name Service (NBNS) queries. These codes are defined in
+ ## https://datatracker.ietf.org/doc/html/rfc1002#section-4.2.1.1
+ const netbios_opcodes = {
+ [0] = "netbios-query",
+ [5] = "netbios-registration",
+ [6] = "netbios-release",
+ [7] = "netbios-wack",
+ [8] = "netbios-refresh",
+ } &default = function(n: count): string { return fmt("netbios-opcode-%d", n); };
 }
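Review bot: The `netbios_opcodes` table added in the second consts.zeek hunk names only the five codes from the RFC 1002 section 4.2.1.1 table, so every other value on the wire is logged through the `&default` as `netbios-opcode-N`. RFC 1002's refresh packet layout appears to use 9 rather than 8, and some stacks are reported to send 15 for multi-homed registration; if either shows up in monitored traffic it would be worth naming, e.g. `[9] = "netbios-refresh",`, so detections keyed on `opcode_name` do not miss it. The doc comment could also gain a line such as `## Values not listed here are rendered as "netbios-opcode-<n>".` The enclosing `export` block starts outside the hunk.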
diff --git a/scripts/base/protocols/dns/main.zeek b/scripts/base/protocols/dns/main.zeek
index 51453cb840..f39ec925b6 100644
--- a/scripts/base/protocols/dns/main.zeek
+++ b/scripts/base/protocols/dns/main.zeek
@@ -350,10 +350,7 @@ hook set_session(c: connection, msg: dns_msg, is_query: bool) &priority=5
 c$dns$opcode = msg$opcode;
 if ( msg$is_netbios )
- if ( msg$opcode >= 5 )
- c$dns$opcode_name = opcodes[msg$opcode + 0xFFFF];
- else
- c$dns$opcode_name = fmt("netbios-%s", opcodes[msg$opcode]);
+ c$dns$opcode_name = netbios_opcodes[msg$opcode];
 else
 c$dns$opcode_name = opcodes[msg$opcode];
 }
diff --git a/testing/external/commit-hash.zeek-testing b/testing/external/commit-hash.zeek-testing
index 12478e9d4f..7758b32c42 100644
--- a/testing/external/commit-hash.zeek-testing
+++ b/testing/external/commit-hash.zeek-testing
@@ -1 +1 @@
-93e95f45b065ad643caafe9a1d7f67387985d3f9
+0f0a78fbe0bc690bede40da17d30c1fd2db273c6
diff --git a/testing/external/commit-hash.zeek-testing-private b/testing/external/commit-hash.zeek-testing-private
index f11d6afe5e..5f50ea511c 100644
--- a/testing/external/commit-hash.zeek-testing-private
+++ b/testing/external/commit-hash.zeek-testing-private
@@ -1 +1 @@
-4d4fcbd54edb09c76e840d8a95e5f662c44d5edb
+80860e185460d347c969c04977fa7e99dff9eaab
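Review bot: With the NetBIOS branch in main.zeek reduced to `c$dns$opcode_name = netbios_opcodes[msg$opcode];`, messages carrying opcodes 1–4 no longer log as `netbios-` plus the standard DNS name (for example `netbios-iquery`) and instead fall to the table default, `netbios-opcode-N`. That changes values that dns.log consumers and detections matching on `opcode_name` will see, so it deserves a sentence in the commit message or release notes. Only the external test-suite hashes move in this patch; if no in-tree test exercises the `msg$is_netbios` branch, a btest over an NBNS registration or refresh trace would pin the mapping. The hook body starts outside the hunk.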