fixup! Add opcode/opcode_name to DNS log record

2025-10-02 06:38:20 +00:00 · 2025-09-29 15:58:48 -07:00 · 2025-09-29 15:58:48 -07:00 · 07804232e6
commit 07804232e6
parent fb0fdf1dcf
4 changed files with 15 additions and 14 deletions
--- a/scripts/base/protocols/dns/consts.zeek
+++ b/scripts/base/protocols/dns/consts.zeek
@ -195,10 +195,7 @@ export {
 		[6] = "ipv6hint",
 	} &default = function(n: count): string { return fmt("key-%d", n); };

-	## Mapping of DNS operation type codes to human readable string
-	## representation. The NetBIOS opcodes overlap the standard opcodes,
-	## hence putting the string versions at invalid values to make lookups
-	## possible.
+	## Mapping of DNS operation type codes to human readable string representation.
 	const opcodes = {
 		[0] = "query",
 		[1] = "iquery",
@ -206,9 +203,16 @@ export {
 		[4] = "notify",
 		[5] = "dynamic-update",
 		[6] = "dso",
-		[0xFFFF5] = "netbios-registration",
-		[0xFFFF6] = "netbios-release",
-		[0xFFFF7] = "netbios-wack",
-		[0xFFFF8] = "netbios-refresh",
 	} &default = function(n: count): string { return fmt("opcode-%d", n); };
+
+	## Mapping of DNS operation type codes to human readable string representation for
+	## NetBIOS Name Service (NBNS) queries. These codes are defined in
+	## https://datatracker.ietf.org/doc/html/rfc1002#section-4.2.1.1
+	const netbios_opcodes = {
+		[0] = "netbios-query",
+		[5] = "netbios-registration",
+		[6] = "netbios-release",
+		[7] = "netbios-wack",
+		[8] = "netbios-refresh",
+	} &default = function(n: count): string { return fmt("netbios-opcode-%d", n); };
 }
--- a/scripts/base/protocols/dns/main.zeek
+++ b/scripts/base/protocols/dns/main.zeek
@ -350,10 +350,7 @@ hook set_session(c: connection, msg: dns_msg, is_query: bool) &priority=5

 	c$dns$opcode = msg$opcode;
 	if ( msg$is_netbios )
-		if ( msg$opcode >= 5 )
-			c$dns$opcode_name = opcodes[msg$opcode + 0xFFFF];
-		else
-			c$dns$opcode_name = fmt("netbios-%s", opcodes[msg$opcode]);
+		c$dns$opcode_name = netbios_opcodes[msg$opcode];
 	else
 		c$dns$opcode_name = opcodes[msg$opcode];
 	}
--- a/testing/external/commit-hash.zeek-testing
+++ b/testing/external/commit-hash.zeek-testing
@ -1 +1 @@
-93e95f45b065ad643caafe9a1d7f67387985d3f9
+0f0a78fbe0bc690bede40da17d30c1fd2db273c6
--- a/testing/external/commit-hash.zeek-testing-private
+++ b/testing/external/commit-hash.zeek-testing-private
@ -1 +1 @@
-4d4fcbd54edb09c76e840d8a95e5f662c44d5edb
+80860e185460d347c969c04977fa7e99dff9eaab