Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-01 22:28:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

fixup! Add opcode/opcode_name to DNS log record

Browse source
This commit is contained in:
Tim Wojtulewicz 2025-09-29 15:58:48 -07:00
parent fb0fdf1dcf
commit 07804232e6
4 changed files with 15 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

20
scripts/base/protocols/dns/consts.zeek
View file

@ -195,10 +195,7 @@ export {
[6] = "ipv6hint", [6] = "ipv6hint",
} &default = function(n: count): string { return fmt("key-%d", n); }; } &default = function(n: count): string { return fmt("key-%d", n); };
## Mapping of DNS operation type codes to human readable string ## Mapping of DNS operation type codes to human readable string representation.
## representation. The NetBIOS opcodes overlap the standard opcodes,
## hence putting the string versions at invalid values to make lookups
## possible.
const opcodes = { const opcodes = {
[0] = "query", [0] = "query",
[1] = "iquery", [1] = "iquery",
@ -206,9 +203,16 @@ export {
[4] = "notify", [4] = "notify",
[5] = "dynamic-update", [5] = "dynamic-update",
[6] = "dso", [6] = "dso",
[0xFFFF5] = "netbios-registration",
[0xFFFF6] = "netbios-release",
[0xFFFF7] = "netbios-wack",
[0xFFFF8] = "netbios-refresh",
} &default = function(n: count): string { return fmt("opcode-%d", n); }; } &default = function(n: count): string { return fmt("opcode-%d", n); };
## Mapping of DNS operation type codes to human readable string representation for
## NetBIOS Name Service (NBNS) queries. These codes are defined in
## https://datatracker.ietf.org/doc/html/rfc1002#section-4.2.1.1
const netbios_opcodes = {
[0] = "netbios-query",
[5] = "netbios-registration",
[6] = "netbios-release",
[7] = "netbios-wack",
[8] = "netbios-refresh",
} &default = function(n: count): string { return fmt("netbios-opcode-%d", n); };
} }

5
scripts/base/protocols/dns/main.zeek
View file

@ -350,10 +350,7 @@ hook set_session(c: connection, msg: dns_msg, is_query: bool) &priority=5
c$dns$opcode = msg$opcode; c$dns$opcode = msg$opcode;
if ( msg$is_netbios ) if ( msg$is_netbios )
if ( msg$opcode >= 5 ) c$dns$opcode_name = netbios_opcodes[msg$opcode];
c$dns$opcode_name = opcodes[msg$opcode + 0xFFFF];
else
c$dns$opcode_name = fmt("netbios-%s", opcodes[msg$opcode]);
else else
c$dns$opcode_name = opcodes[msg$opcode]; c$dns$opcode_name = opcodes[msg$opcode];
} }

2
testing/external/commit-hash.zeek-testing vendored
View file

@ -1 +1 @@
93e95f45b065ad643caafe9a1d7f67387985d3f9 0f0a78fbe0bc690bede40da17d30c1fd2db273c6

2
testing/external/commit-hash.zeek-testing-private vendored
View file

@ -1 +1 @@
4d4fcbd54edb09c76e840d8a95e5f662c44d5edb 80860e185460d347c969c04977fa7e99dff9eaab