From 15b294098c8c969af2d90dac6b78565bd0789f9f Mon Sep 17 00:00:00 2001
From: Vlad Grigorescu
Date: Thu, 15 Jul 2021 09:56:38 -0500
Subject: [PATCH] dns_HINFO_reply event was never being generated.
On top of that, I modified the event to pass the relevant fields from the DNS message.
---
 src/analyzer/protocol/dns/DNS.cc | 32 +++++++++++++-----
 src/analyzer/protocol/dns/events.bif | 3 +-
 .../scripts.base.protocols.dns.hinfo/.stdout | 2 ++
 testing/btest/Traces/dns/hinfo.pcap | Bin 0 -> 260 bytes
 .../scripts/base/protocols/dns/hinfo.zeek | 9 +++++
 5 files changed, 36 insertions(+), 10 deletions(-)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.dns.hinfo/.stdout
 create mode 100644 testing/btest/Traces/dns/hinfo.pcap
 create mode 100644 testing/btest/scripts/base/protocols/dns/hinfo.zeek
diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc
index 3ea8ab4550..243231ae0e 100644
--- a/src/analyzer/protocol/dns/DNS.cc
+++ b/src/analyzer/protocol/dns/DNS.cc
@@ -1650,15 +1650,6 @@ bool DNS_Interpreter::ParseRR_WKS(detail::DNS_MsgInfo* msg,
 return true;
 }
-bool DNS_Interpreter::ParseRR_HINFO(detail::DNS_MsgInfo* msg,
- const u_char*& data, int& len, int rdlength)
- {
- data += rdlength;
- len -= rdlength;
-
- return true;
- }
-
 static StringValPtr extract_char_string(analyzer::Analyzer* analyzer,
 const u_char*& data, int& len, int& rdlen)
@@ -1687,6 +1678,29 @@ extract_char_string(analyzer::Analyzer* analyzer,
 return rval;
 }
+bool DNS_Interpreter::ParseRR_HINFO(detail::DNS_MsgInfo* msg,
+ const u_char*& data, int& len, int rdlength)
+ {
+ if ( ! dns_HINFO_reply || msg->skip_event )
+ {
+ data += rdlength;
+ len -= rdlength;
+ return true;
+ }
+
+ auto cpu = extract_char_string(analyzer, data, len, rdlength);
+ auto os = extract_char_string(analyzer, data, len, rdlength);
+
+ if ( dns_HINFO_reply )
+ analyzer->EnqueueConnEvent(dns_HINFO_reply,
+ analyzer->ConnVal(),
+ msg->BuildHdrVal(),
+ msg->BuildAnswerVal(),
+ cpu, os);
+
+ return rdlength == 0;
+ }
+
 bool DNS_Interpreter::ParseRR_TXT(detail::DNS_MsgInfo* msg,
 const u_char*& data, int& len, int rdlength,
 const u_char* msg_start)
diff --git a/src/analyzer/protocol/dns/events.bif b/src/analyzer/protocol/dns/events.bif
index 1c5dbcd11e..40c6cf9f66 100644
--- a/src/analyzer/protocol/dns/events.bif
+++ b/src/analyzer/protocol/dns/events.bif
@@ -334,7 +334,8 @@ event dns_WKS_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
 ## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
 ## dns_max_queries dns_session_timeout dns_skip_addl
 ## dns_skip_all_addl dns_skip_all_auth dns_skip_auth
-event dns_HINFO_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
+event dns_HINFO_reply%(c: connection, msg: dns_msg, ans: dns_answer, cpu: string, os: string%);
+event dns_HINFO_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &deprecated="Remove in v5.2. Use the definition with the extra parameters for cpu and os.";
 ## Generated for DNS replies of type *MX*. For replies with multiple answers, an
 ## individual event of the corresponding type is raised for each.
diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.hinfo/.stdout b/testing/btest/Baseline/scripts.base.protocols.dns.hinfo/.stdout
new file mode 100644
index 0000000000..491bc4081a
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.dns.hinfo/.stdout
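Review bot: `cpu` and `os` are handed to EnqueueConnEvent without a null check; if extract_char_string can return an empty StringValPtr on a truncated or malformed RDATA (its body is outside this hunk, but the `int& rdlen` in-out parameter and the early `return rval` path suggest it bails out before consuming anything), the event is raised with a null argument and only afterwards does `return rdlength == 0` report the failure to the caller. Guard before enqueueing, `if ( ! cpu || ! os ) return false;`, so a record from the wire that does not carry two well-formed character-strings yields a parse failure rather than a half-built event for script handlers. The inner `if ( dns_HINFO_reply )` is redundant, since the early return at the top of the function already guarantees the handler is set, and the guard above can take its place. The new btest in hinfo.zeek only covers a well-formed record; a trace with a truncated HINFO RDATA would exercise this path.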
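Review bot: The two new parameters `cpu` and `os` are not described in the doc block above the event; only its trailing cross-reference list is visible as context here, and the parameter section starts outside the hunk. Add `## cpu: The CPU type carried in the HINFO record's first character-string.` and `## os: The operating system carried in its second character-string.` next to the existing `## ans:` entry so the generated documentation matches the new signature. The deprecated overload on the following line has no doc comment of its own; presumably the documentation generator attaches it to the same block, which is worth confirming with a docs build.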
@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+HINFO, [id=51592, opcode=0, rcode=0, QR=T, AA=T, TC=F, RD=T, RA=T, Z=0, num_queries=1, num_answers=1, num_auth=0, num_addl=1], [answer_type=1, query=zeek.example.net, qtype=13, qclass=1, TTL=1.0 hr], INTEL-386, Windows
diff --git a/testing/btest/Traces/dns/hinfo.pcap b/testing/btest/Traces/dns/hinfo.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..07d4cac887436df27448c2e1d8f7f20c413def24
GIT binary patch
literal 260
zcmca|c+)~A1{MYcU}0bca`rfUNbsM)%@7V`gYc2HCYP>n?P;B`^d$=igDV4rXY2|F
z1_wbFW3F&!A+B&nuIJJWrVOUr|DEh$Q~(>nz`)2-m71E(o?4NZTac5=oR?a{z`zTV
z(-Z(22?8K%mdxO0C;+S&gRB5q#b64wDA>*9WJhZQ&?t~w
paaePJ2VxnY0D};xr(cMxkFK$W8GCqUUP^v>G0+h#7l4|900936JwE^d
literal 0
HcmV?d00001
diff --git a/testing/btest/scripts/base/protocols/dns/hinfo.zeek b/testing/btest/scripts/base/protocols/dns/hinfo.zeek
new file mode 100644
index 0000000000..0ab76ff06e
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/dns/hinfo.zeek
@@ -0,0 +1,9 @@
+# @TEST-EXEC: zeek -b -r $TRACES/dns/hinfo.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+@load base/protocols/dns
+
+event dns_HINFO_reply(c: connection, msg: dns_msg, ans: dns_answer, cpu: string, os: string)
+ {
+ print "HINFO", msg, ans, cpu, os;
+ }