Merge remote branch 'origin/topic/seth/dns-updates'

* origin/topic/seth/dns-updates:
  Fixed some bugs with capturing data in the base DNS script.
  Some updates to the base DNS script.

Closes #702.

CHANGES

@@ -1,4 +1,27 @@
 
+2.0-beta-126 | 2011-12-18 15:18:05 -0800
+
+  * DNS updates.  (Seth Hall)
+
+    - Fixed some bugs with capturing data in the base DNS script.
+
+    - Answers and TTLs are now vectors.
+      
+    - A warning that was being generated (dns_reply_seen_after_done)
+      from transaction ID reuse is fixed.
+
+  * SSL updates. (Seth Hall)
+
+    - Added is_orig fields to the SSL events and adapted script.
+      
+    - Added a field named last_alert to the SSL log.
+      
+    - The x509_certificate function has an is_orig field now instead
+      of is_server and its position in the argument list has moved.
+
+    - A bit of reorganization and cleanup in the core analyzer. (Seth
+      Hall)
+
 2.0-beta-121 | 2011-12-18 15:10:15 -0800
 
   * Enable warnings for malformed Broxygen xref roles. (Jon Siwek)

VERSION

@@ -1 +1 @@
-2.0-beta-121
+2.0-beta-126

scripts/base/protocols/dns/main.bro

@@ -6,26 +6,26 @@ export {
 	redef enum Log::ID += { LOG };
 
 	type Info: record {
-		ts:            time            &log;
-		uid:           string          &log;
-		id:            conn_id         &log;
-		proto:         transport_proto &log;
-		trans_id:      count           &log &optional;
-		query:         string          &log &optional;
-		qclass:        count           &log &optional;
-		qclass_name:   string          &log &optional;
-		qtype:         count           &log &optional;
-		qtype_name:    string          &log &optional;
-		rcode:         count           &log &optional;
-		rcode_name:    string          &log &optional;
-		QR:            bool            &log &default=F;
-		AA:            bool            &log &default=F;
-		TC:            bool            &log &default=F;
-		RD:            bool            &log &default=F;
-		RA:            bool            &log &default=F;
-		Z:             count           &log &default=0;
-		TTL:           interval        &log &optional;
-		answers:       set[string]     &log &optional;
+		ts:            time               &log;
+		uid:           string             &log;
+		id:            conn_id            &log;
+		proto:         transport_proto    &log;
+		trans_id:      count              &log &optional;
+		query:         string             &log &optional;
+		qclass:        count              &log &optional;
+		qclass_name:   string             &log &optional;
+		qtype:         count              &log &optional;
+		qtype_name:    string             &log &optional;
+		rcode:         count              &log &optional;
+		rcode_name:    string             &log &optional;
+		QR:            bool               &log &default=F;
+		AA:            bool               &log &default=F;
+		TC:            bool               &log &default=F;
+		RD:            bool               &log &default=F;
+		RA:            bool               &log &default=F;
+		Z:             count              &log &default=0;
+		answers:       vector of string   &log &optional;
+		TTLs:          vector of interval &log &optional;
 
 		## This value indicates if this request/response pair is ready to be logged.
 		ready:         bool            &default=F;
@@ -102,7 +102,13 @@ function new_session(c: connection, trans_id: count): Info
 function set_session(c: connection, msg: dns_msg, is_query: bool)
 	{
 	if ( ! c?$dns_state || msg$id !in c$dns_state$pending )
+		{
 		c$dns_state$pending[msg$id] = new_session(c, msg$id);
+		# Try deleting this transaction id from the set of finished answers.
+		# Sometimes hosts will reuse ports and transaction ids and this should
+		# be considered to be a legit scenario (although bad practice).
+		delete c$dns_state$finished_answers[msg$id];
+		}
 
 	c$dns = c$dns_state$pending[msg$id];
 
@@ -134,20 +140,23 @@ event DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string)
 	{
 	set_session(c, msg, F);
 
-	c$dns$AA    = msg$AA;
-	c$dns$RA    = msg$RA;
-	c$dns$TTL   = ans$TTL;
-
 	if ( ans$answer_type == DNS_ANS )
 		{
+		c$dns$AA    = msg$AA;
+		c$dns$RA    = msg$RA;
+
 		if ( msg$id in c$dns_state$finished_answers )
 			event conn_weird("dns_reply_seen_after_done", c, "");
 
 		if ( reply != "" )
 			{
 			if ( ! c$dns?$answers )
-				c$dns$answers = set();
-			add c$dns$answers[reply];
+				c$dns$answers = vector();
+			c$dns$answers[|c$dns$answers|] = reply;
+
+			if ( ! c$dns?$TTLs )
+				c$dns$TTLs = vector();
+			c$dns$TTLs[|c$dns$TTLs|] = ans$TTL;
 			}
 
 		if ( c$dns?$answers && |c$dns$answers| == c$dns$total_answers )
@@ -164,7 +173,6 @@ event DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string)
 	if ( c$dns$ready )
 		{
 		Log::write(DNS::LOG, c$dns);
-		add c$dns_state$finished_answers[c$dns$trans_id];
 		# This record is logged and no longer pending.
 		delete c$dns_state$pending[c$dns$trans_id];
 		}

testing/btest/Baseline/scripts.policy.protocols.dns.event-priority/dns.log

@@ -1,5 +1,5 @@
 #separator \x09
 #path	dns
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	QR	AA	TC	RD	RA	Z	TTL	answers	auth	addl
-#types	time	string	addr	port	addr	port	enum	count	string	count	string	count	string	count	string	bool	bool	bool	bool	bool	count	interval	table	table	table
-930613226.529070	UWkUyAuUGXf	212.180.42.100	25000	131.243.64.3	53	tcp	34798	-	-	-	-	-	0	NOERROR	F	F	F	F	T	0	31337.000000	4.3.2.1	-	-
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	QR	AA	TC	RD	RA	Z	answers	TTLs	auth	addl
+#types	time	string	addr	port	addr	port	enum	count	string	count	string	count	string	count	string	bool	bool	bool	bool	bool	count	vector	vector	table	table
+930613226.529070	UWkUyAuUGXf	212.180.42.100	25000	131.243.64.3	53	tcp	34798	-	-	-	-	-	0	NOERROR	F	F	F	F	T	0	4.3.2.1	31337.000000	-	-