Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-11 02:58:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Change dns.log to include only standard DNS queries.

Browse source 
The scope of dns.log is now only standard queries (OPCODE == 0).  Other
kinds of queries (e.g. inverse query) were not handled correctly and
could interfere with the state tracking of the default DNS scripts.
This commit is contained in:
Jon Siwek 2014-01-28 13:56:22 -06:00
parent 0e0e74e49c
commit 31866f8f59
14 changed files with 44 additions and 39 deletions
Download patch file Download diff file Expand all files Collapse all files

17
scripts/base/protocols/dns/main.bro
View file

@ -206,6 +206,10 @@ hook set_session(c: connection, msg: dns_msg, is_query: bool) &priority=5
event dns_message(c: connection, is_orig: bool, msg: dns_msg, len: count) &priority=5
{
if ( msg$opcode != 0 )
# Currently only standard queries are tracked.
return;
hook set_session(c, msg, is_orig);
if ( msg$QR && msg$rcode != 0 && msg$num_queries == 0 )
@ -214,6 +218,10 @@ event dns_message(c: connection, is_orig: bool, msg: dns_msg, len: count) &prior
event DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string) &priority=5
{
if ( msg$opcode != 0 )
# Currently only standard queries are tracked.
return;
if ( ! msg$QR )
# This is weird: the inquirer must also be providing answers in
# the request, which is not what we want to track.
@ -249,7 +257,7 @@ event DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string)
event DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string) &priority=-5
{
if ( c$dns$ready )
if ( c?$dns && c$dns$ready )
{
Log::write(DNS::LOG, c$dns);
# This record is logged and no longer pending.
@ -260,6 +268,10 @@ event DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string)
event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count) &priority=5
{
if ( msg$opcode != 0 )
# Currently only standard queries are tracked.
return;
c$dns$RD = msg$RD;
c$dns$TC = msg$TC;
c$dns$qclass = qclass;
@ -356,7 +368,8 @@ event dns_SRV_reply(c: connection, msg: dns_msg, ans: dns_answer) &priority=5
event dns_rejected(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count) &priority=5
{
c$dns$rejected = T;
if ( c?$dns )
c$dns$rejected = T;
}
event connection_state_remove(c: connection) &priority=-5