Merge branch 'master' of https://github.com/FlyingWithJerome/zeek

Merge includes small changes, e.g. fixing the comsumption of remaining raw data. * 'master' of https://github.com/FlyingWithJerome/zeek: remove excussive fields in dns_svcb_rr address code reviews (formatting and type and intrusiveptr) newlines at the end of test outputs lazy commit use tabs in init-bare.zeek add svcb test case add a dns https test case remove test logs fix a few syntax errors initial commit for SVCB/HTTPS records
2025-10-02 06:38:20 +00:00 · 2021-10-19 14:54:56 +02:00 · 2021-10-19 14:54:56 +02:00 · 303e84ad86
commit 303e84ad86
parent 1b3b9a3cfc 605d4024e4
14 changed files with 180 additions and 1 deletions
--- a/4
+++ b/4
@ -1,3 +1,7 @@
 4.2.0-dev.271 | 2021-10-19 14:54:56 +0200
  * Add parsing of DNS SVCB/HTTPS records (FlyingWithJerome)
 4.2.0-dev.260 | 2021-10-15 09:45:45 +0100
  * logging/writers/ascii: shadow files: Add fsync() before rename(). This
--- a/3
+++ b/3
@ -35,6 +35,9 @@ New Functionality
  specifying ``-O ZAM`` on the command line.  See
  ``src/script_opt/ZAM/README.md`` for more information.
 - The DNS analyzer has initial support for the SVCB and HTTPS types. The new events
  are ``dns_SVCB`` and ``dns_HTTPS``.
 Changed Functionality
 ---------------------
--- a/2
+++ b/2
@ -1 +1 @@
-4.2.0-dev.260
+4.2.0-dev.271
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@ -3884,6 +3884,14 @@ type dns_loc_rr: record {
 	is_query: count;	##< The RR is a query/Response.
 };
 ## DNS SVCB and HTTPS RRs
 ##
 ## .. zeek:see:: dns_SVCB dns_HTTPS
 type dns_svcb_rr: record {
 	svc_priority: count;	##< Service priority for the current record, 0 indicates that this record is in AliasMode and cannot carry svc_params; otherwise this is in ServiceMode, and may include svc_params
 	target_name: string;	##< Target name, the hostname of the service endpoint.
 };
 # DNS answer types.
 #
 # .. zeek:see:: dns_answerr
--- a/scripts/base/protocols/dns/consts.zeek
+++ b/scripts/base/protocols/dns/consts.zeek
@ -172,4 +172,15 @@ export {
 		[4] = "SHA384",
 	} &default = function(n: count): string { return fmt("digest-%d", n); };
 	## SVCB/HTTPS SvcParam keys, as defined in
 	## https://www.ietf.org/archive/id/draft-ietf-dnsop-svcb-https-07.txt, sec 14.3.2
 	const svcparam_keys = {
 		[0] = "mandatory",
 		[1] = "alpn",
 		[2] = "no-default-alpn",
 		[3] = "port",
 		[4] = "ipv4hint",
 		[5] = "ech",
 		[6] = "ipv6hint",
 	} &default = function(n: count): string { return fmt("key-%d", n); };
 }
--- a/src/analyzer/protocol/dns/DNS.cc
+++ b/src/analyzer/protocol/dns/DNS.cc
@ -345,6 +345,14 @@ bool DNS_Interpreter::ParseAnswer(detail::DNS_MsgInfo* msg, const u_char*& data,
 			status = ParseRR_LOC(msg, data, len, rdlength, msg_start);
 			break;
 		case detail::TYPE_SVCB:
 			status = ParseRR_SVCB(msg, data, len, rdlength, msg_start, TYPE_SVCB);
 			break;
 		case detail::TYPE_HTTPS:
 			status = ParseRR_SVCB(msg, data, len, rdlength, msg_start, TYPE_HTTPS);
 			break;
 		default:
 			if ( dns_unknown_reply && ! msg->skip_event )
@ -1687,6 +1695,65 @@ bool DNS_Interpreter::ParseRR_CAA(detail::DNS_MsgInfo* msg, const u_char*& data,
 	return rdlength == 0;
 	}
 bool DNS_Interpreter::ParseRR_SVCB(detail::DNS_MsgInfo* msg, const u_char*& data, int& len,
 								   int rdlength, const u_char* msg_start, const RR_Type& svcb_type)
 	{
 	const u_char* data_start = data;
 	// the smallest SVCB/HTTPS rr is 3 bytes:
 	// the first 2 bytes are for the svc priority, and the third byte is root (0x0)
 	if ( len < 3 )
 		{
 		analyzer->Weird("DNS_SVBC_wrong_length");
 		return false;
 		}
 	uint16_t svc_priority = ExtractShort(data, len);
 	u_char target_name[513];
 	int name_len = sizeof(target_name) - 1;
 	u_char* name_end = ExtractName(data, len, target_name, name_len, msg_start, false);
 	if ( ! name_end )
 		return false;
 	// target name can be root - in this case the alternative endpoint is
 	// qname itself. make sure that we print "." instead of an empty string
 	if ( name_end - target_name == 0 )
 		{
 		target_name[0] = '.';
 		target_name[1] = '\0';
 		name_end = target_name+1;
 		}
 	SVCB_DATA svcb_data = {
 		.svc_priority = svc_priority,
 		.target_name = make_intrusive<StringVal>(new String(target_name, name_end - target_name, true)),
 	};
 	// TODO: parse svcparams
 	// we consume all the remaining raw data (svc params) but do nothing.
 	// this should be removed if the svc param parser is ready
 	std::ptrdiff_t parsed_bytes = data - data_start;
 	if ( parsed_bytes < rdlength )
 		{
 		len -= ( rdlength - parsed_bytes );
 		data += ( rdlength - parsed_bytes );
 		}
 	switch( svcb_type )
 		{
 		case detail::TYPE_SVCB:
 			analyzer->EnqueueConnEvent(dns_SVCB, analyzer->ConnVal(), msg->BuildHdrVal(),
 									msg->BuildAnswerVal(), msg->BuildSVCB_Val(svcb_data));
 			break;
 		case detail::TYPE_HTTPS:
 			analyzer->EnqueueConnEvent(dns_HTTPS, analyzer->ConnVal(), msg->BuildHdrVal(),
 									msg->BuildAnswerVal(), msg->BuildSVCB_Val(svcb_data));
 			break;
 		default: break; // unreachable. for suppressing compiler warnings.
 		}
 	return true;
 	}
 void DNS_Interpreter::SendReplyOrRejectEvent(detail::DNS_MsgInfo* msg, EventHandlerPtr event,
                                             const u_char*& data, int& len, String* question_name,
                                             String* original_name)
@ -1987,6 +2054,18 @@ RecordValPtr DNS_MsgInfo::BuildLOC_Val(LOC_DATA* loc)
 	return r;
 	}
 RecordValPtr DNS_MsgInfo::BuildSVCB_Val(const SVCB_DATA& svcb)
 	{
 	static auto dns_svcb_rr = id::find_type<RecordType>("dns_svcb_rr");
 	auto r = make_intrusive<RecordVal>(dns_svcb_rr);
 	r->Assign(0, svcb.svc_priority);
 	r->Assign(1, svcb.target_name);
 	// TODO: assign values to svcparams
 	return r;
 	}
 	} // namespace detail
 Contents_DNS::Contents_DNS(Connection* conn, bool orig, detail::DNS_Interpreter* arg_interp)
--- a/src/analyzer/protocol/dns/DNS.h
+++ b/src/analyzer/protocol/dns/DNS.h
@ -71,6 +71,8 @@ enum RR_Type
 	TYPE_DS = 43, ///< Delegation signer (RFC 4034)
 	TYPE_NSEC3 = 50,
 	TYPE_NSEC3PARAM = 51, ///< Contains the NSEC3 parameters (RFC 5155)
 	TYPE_SVCB = 64, ///< SerViCe Binding (RFC draft: https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-svcb-https-07#section-1.1)
 	TYPE_HTTPS = 65, ///< HTTPS record (HTTPS specific SVCB resource record)
 	// Obsoleted
 	TYPE_SPF = 99, ///< Alternative: storing SPF data in TXT records, using the same format (RFC
 	               ///< 4408). Support for it was discontinued in RFC 7208
@ -148,6 +150,18 @@ enum DNSSEC_Digest
 	SHA384 = 4,
 	};
 ///< all keys are defined in RFC draft https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-svcb-https-07#section-14.3.2
 enum SVCPARAM_Key
 	{
 	mandatory = 0,
 	alpn = 1,
 	no_default_alpn = 2,
 	port = 3,
 	ipv4hint = 4,
 	ech = 5,
 	ipv6hint = 6,
 	};
 struct DNS_RawMsgHdr
 	{
 	unsigned short id;
@ -269,6 +283,12 @@ struct LOC_DATA
 	unsigned long altitude; // 32
 	};
 struct SVCB_DATA
 	{
 	uint16_t svc_priority; // 2
 	StringValPtr target_name;
 	};
 class DNS_MsgInfo
 	{
 public:
@ -288,6 +308,7 @@ public:
 	RecordValPtr BuildDS_Val(struct DS_DATA*);
 	RecordValPtr BuildBINDS_Val(struct BINDS_DATA*);
 	RecordValPtr BuildLOC_Val(struct LOC_DATA*);
 	RecordValPtr BuildSVCB_Val(const struct SVCB_DATA&);
 	int id;
 	int opcode; ///< query type, see DNS_Opcode
@ -393,6 +414,8 @@ protected:
 	                   const u_char* msg_start);
 	bool ParseRR_LOC(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, int rdlength,
 	                 const u_char* msg_start);
 	bool ParseRR_SVCB(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, int rdlength,
 	                 const u_char* msg_start, const RR_Type& svcb_type);
 	void SendReplyOrRejectEvent(detail::DNS_MsgInfo* msg, EventHandlerPtr event,
 	                            const u_char*& data, int& len, String* question_name,
 	                            String* original_name);
--- a/src/analyzer/protocol/dns/events.bif
+++ b/src/analyzer/protocol/dns/events.bif
@ -721,6 +721,37 @@ event dns_SSHFP%(c: connection, msg: dns_msg, ans: dns_answer, algo: count, fpty
 ## loc: The parsed RDATA of LOC type record.
 event dns_LOC%(c: connection, msg: dns_msg, ans: dns_answer, loc: dns_loc_rr%);
 ## Generated for DNS replies of type *SVCB* (General Purpose Service Endpoints).
 ## See `RFC draft for DNS SVCB/HTTPS <https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-svcb-https-07>`__
 ## for more information about DNS SVCB/HTTPS resource records.
 ## For replies with multiple answers, an individual event of the corresponding type is raised for each.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
 ##    transport-layer session being analyzed.
 ##
 ## msg: The parsed DNS message header.
 ##
 ## ans: The type-independent part of the parsed answer record.
 ##
 ## svcb: The parsed RDATA of SVCB type record.
 event dns_SVCB%(c: connection, msg: dns_msg, ans: dns_answer, svcb: dns_svcb_rr%);
 ## Generated for DNS replies of type *HTTPS* (HTTPS Specific Service Endpoints).
 ## See `RFC draft for DNS SVCB/HTTPS <https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-svcb-https-07>`__
 ## for more information about DNS SVCB/HTTPS resource records.
 ## Since SVCB and HTTPS records share the same wire format layout, the argument https is dns_svcb_rr. 
 ## For replies with multiple answers, an individual event of the corresponding type is raised for each.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
 ##    transport-layer session being analyzed.
 ##
 ## msg: The parsed DNS message header.
 ##
 ## ans: The type-independent part of the parsed answer record.
 ##
 ## https: The parsed RDATA of HTTPS type record.
 event dns_HTTPS%(c: connection, msg: dns_msg, ans: dns_answer, https: dns_svcb_rr%);
 ## Generated at the end of processing a DNS packet. This event is the last
 ## ``dns_*`` event that will be raised for a DNS query/reply and signals that
 ## all resource records have been passed on.
--- a/testing/btest/Baseline/scripts.base.protocols.dns.https/output
+++ b/testing/btest/Baseline/scripts.base.protocols.dns.https/output
@ -0,0 +1 @@
 [svc_priority=1, target_name=.]
--- a/testing/btest/Baseline/scripts.base.protocols.dns.svcb/output
+++ b/testing/btest/Baseline/scripts.base.protocols.dns.svcb/output
@ -0,0 +1 @@
 [svc_priority=0, target_name=foo.example.com]
--- a/testing/btest/Traces/dns-https.pcap
+++ b/testing/btest/Traces/dns-https.pcap
--- a/testing/btest/Traces/dns-svcb.pcap
+++ b/testing/btest/Traces/dns-svcb.pcap
--- a/testing/btest/scripts/base/protocols/dns/https.zeek
+++ b/testing/btest/scripts/base/protocols/dns/https.zeek
@ -0,0 +1,9 @@
 # @TEST-EXEC: zeek -C -r $TRACES/dns-https.pcap %INPUT > output
 # @TEST-EXEC: btest-diff output
@load policy/protocols/dns/auth-addl
 event dns_HTTPS(c: connection, msg: dns_msg, ans: dns_answer, https: dns_svcb_rr)
    {
    print https;
    }
--- a/testing/btest/scripts/base/protocols/dns/svcb.zeek
+++ b/testing/btest/scripts/base/protocols/dns/svcb.zeek
@ -0,0 +1,9 @@
 # @TEST-EXEC: zeek -C -r $TRACES/dns-svcb.pcap %INPUT > output
 # @TEST-EXEC: btest-diff output
@load policy/protocols/dns/auth-addl
 event dns_SVCB(c: connection, msg: dns_msg, ans: dns_answer, svcb: dns_svcb_rr)
    {
    print svcb;
    }
		`@ -0,0 +1 @@`
							`[svc_priority=0, target_name=foo.example.com]`