Change dns.log to include only standard DNS queries.

The scope of dns.log is now only standard queries (OPCODE == 0).  Other
kinds of queries (e.g. inverse query) were not handled correctly and
could interfere with the state tracking of the default DNS scripts.
Jon Siwek 2014-01-28 13:56:22 -06:00
parent 0e0e74e49c
commit 31866f8f59
14 changed files with 44 additions and 39 deletions


@ -1,5 +1,5 @@
@load base/protocols/conn
@load base/protocols/dns
@load base/protocols/http
event connection_state_remove(c: connection)
{


@ -232,7 +232,7 @@ overly populated.
.. btest:: connection-record-01
@TEST-EXEC: btest-rst-cmd bro -b -r ${TRACES}/dns-session.trace ${DOC_ROOT}/scripting/connection_record_01.bro
@TEST-EXEC: btest-rst-cmd bro -b -r ${TRACES}/http/get.trace ${DOC_ROOT}/scripting/connection_record_01.bro
As you can see from the output, the connection record is something of
a jumble when printed on its own. Regularly taking a peek at a
@ -248,9 +248,9 @@ originating host is referenced by ``c$id$orig_h`` which if given a
narrative relates to ``orig_h`` which is a member of ``id`` which is
a member of the data structure referred to as ``c`` that was passed
into the event handler." Given that the responder port
(``c$id$resp_p``) is ``53/tcp``, it's likely that Bro's base DNS scripts
(``c$id$resp_p``) is ``53/tcp``, it's likely that Bro's base HTTP scripts
can further populate the connection record. Let's load the
``base/protocols/dns`` scripts and check the output of our script.
``base/protocols/http`` scripts and check the output of our script.
Bro uses the dollar sign as its field delimiter and a direct
correlation exists between the output of the connection record and the
@ -262,16 +262,16 @@ brackets, which would correspond to the ``$``-delimiter in a Bro script.
.. btest:: connection-record-02
@TEST-EXEC: btest-rst-cmd bro -b -r ${TRACES}/dns-session.trace ${DOC_ROOT}/scripting/connection_record_02.bro
@TEST-EXEC: btest-rst-cmd bro -b -r ${TRACES}/http/get.trace ${DOC_ROOT}/scripting/connection_record_02.bro
The addition of the ``base/protocols/dns`` scripts populates the
``dns=[]`` member of the connection record. While Bro is doing a
The addition of the ``base/protocols/http`` scripts populates the
``http=[]`` member of the connection record. While Bro is doing a
massive amount of work in the background, it is in what is commonly
called "scriptland" that details are being refined and decisions
being made. Were we to continue running in "bare mode" we could slowly
keep adding infrastructure through ``@load`` statements. For example,
were we to ``@load base/frameworks/logging``, Bro would generate a
``conn.log`` and ``dns.log`` for us in the current working directory.
``conn.log`` and ``http.log`` for us in the current working directory.
As mentioned above, including the appropriate ``@load`` statements is
not only good practice, but can also help to indicate which
functionalities are being used in a script. Take a second to run the


@ -206,6 +206,10 @@ hook set_session(c: connection, msg: dns_msg, is_query: bool) &priority=5
event dns_message(c: connection, is_orig: bool, msg: dns_msg, len: count) &priority=5
{
if ( msg$opcode != 0 )
# Currently only standard queries are tracked.
return;
hook set_session(c, msg, is_orig);
if ( msg$QR && msg$rcode != 0 && msg$num_queries == 0 )
@ -214,6 +218,10 @@ event dns_message(c: connection, is_orig: bool, msg: dns_msg, len: count) &prior
event DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string) &priority=5
{
if ( msg$opcode != 0 )
# Currently only standard queries are tracked.
return;
if ( ! msg$QR )
# This is weird: the inquirer must also be providing answers in
# the request, which is not what we want to track.
@ -249,7 +257,7 @@ event DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string)
event DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string) &priority=-5
{
if ( c$dns$ready )
if ( c?$dns && c$dns$ready )
{
Log::write(DNS::LOG, c$dns);
# This record is logged and no longer pending.
@ -260,6 +268,10 @@ event DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string)
event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count) &priority=5
{
if ( msg$opcode != 0 )
# Currently only standard queries are tracked.
return;
c$dns$RD = msg$RD;
c$dns$TC = msg$TC;
c$dns$qclass = qclass;
@ -356,7 +368,8 @@ event dns_SRV_reply(c: connection, msg: dns_msg, ans: dns_answer) &priority=5
event dns_rejected(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count) &priority=5
{
c$dns$rejected = T;
if ( c?$dns )
c$dns$rejected = T;
}
event connection_state_remove(c: connection) &priority=-5
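Review bot: The filter in dns_rejected is inconsistent with the other handlers in this section: dns_message, both DNS::do_reply handlers and dns_request now bail out on `msg$opcode != 0`, while dns_rejected only tests `c?$dns`. If `c$dns` still holds the record of an earlier standard query on the same connection when a non-standard query is rejected, that record would presumably be marked rejected, so `if ( msg$opcode == 0 && c?$dns )` keeps the handlers uniform. The repeated guard also drops IQUERY, STATUS, NOTIFY and UPDATE messages without leaving any trace in a log, which is a visibility gap for anyone relying on dns.log to spot zone updates or notifies; the comment should say so explicitly, and a deployment that needs that visibility would want a weird or counter at that point. The same guard is duplicated in the auth-addl section below, so a single documented helper or a comment cross-referencing the base script would avoid the copies drifting apart. Placing the comment above the `if` rather than between the condition and `return;`, with wording such as `# Only standard queries (OPCODE 0) are tracked; other opcodes are neither tracked nor logged.`, reads more naturally.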


@ -21,6 +21,10 @@ export {
event DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string) &priority=4
{
if ( msg$opcode != 0 )
# Currently only standard queries are tracked.
return;
# The "ready" flag will be set here. This causes the setting from the
# base script to be overridden since the base script will log immediately
# after all of the ANS replies have been seen.


@ -4,10 +4,10 @@
:linenos:
:emphasize-lines: 1,1
# bro -b -r dns-session.trace connection_record_01.bro
[id=[orig_h=212.180.42.100, orig_p=25000/tcp, resp_h=131.243.64.3, resp_p=53/tcp], orig=[size=29, state=5, num_pkts=6, num_bytes_ip=273, flow_label=0], resp=[size=44, state=5, num_pkts=5, num_bytes_ip=248, flow_label=0], start_time=930613226.067666, duration=0.709643, service={
# bro -b -r http/get.trace connection_record_01.bro
[id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={
}, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, conn=[ts=930613226.067666, uid=CXWv6p3arKYeMETxOg, id=[orig_h=212.180.42.100, orig_p=25000/tcp, resp_h=131.243.64.3, resp_p=53/tcp], proto=tcp, service=<uninitialized>, duration=0.709643, orig_bytes=29, resp_bytes=44, conn_state=SF, local_orig=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=6, orig_ip_bytes=273, resp_pkts=5, resp_ip_bytes=248, tunnel_parents={
}, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, conn=[ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=<uninitialized>, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={
}], extract_orig=F, extract_resp=F]


@ -4,16 +4,14 @@
:linenos:
:emphasize-lines: 1,1
# bro -b -r dns-session.trace connection_record_02.bro
[id=[orig_h=212.180.42.100, orig_p=25000/tcp, resp_h=131.243.64.3, resp_p=53/tcp], orig=[size=29, state=5, num_pkts=6, num_bytes_ip=273, flow_label=0], resp=[size=44, state=5, num_pkts=5, num_bytes_ip=248, flow_label=0], start_time=930613226.067666, duration=0.709643, service={
# bro -b -r http/get.trace connection_record_02.bro
[id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={
}, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, conn=[ts=930613226.067666, uid=CXWv6p3arKYeMETxOg, id=[orig_h=212.180.42.100, orig_p=25000/tcp, resp_h=131.243.64.3, resp_p=53/tcp], proto=tcp, service=<uninitialized>, duration=0.709643, orig_bytes=29, resp_bytes=44, conn_state=SF, local_orig=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=6, orig_ip_bytes=273, resp_pkts=5, resp_ip_bytes=248, tunnel_parents={
}, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, conn=[ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=<uninitialized>, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={
}], extract_orig=F, extract_resp=F, dns=<uninitialized>, dns_state=[pending={
[34798] = [initialized=T, vals={
}], extract_orig=F, extract_resp=F, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={
}, settings=[max_len=<uninitialized>], top=1, bottom=1, size=0]
}, finished_answers={
}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={
}]]
}, current_request=1, current_response=1]]


@ -3,7 +3,7 @@
connection_record_02.bro
@load base/protocols/conn
@load base/protocols/dns
@load base/protocols/http
event connection_state_remove(c: connection)
{


@ -1,10 +0,0 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path dns
#open 2013-08-26-19-04-37
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected auth addl
#types time string addr port addr port enum count string count string count string count string bool bool bool bool count vector[string] vector[interval] bool table[string] table[string]
930613226.518174 CXWv6p3arKYeMETxOg 212.180.42.100 25000 131.243.64.3 53 tcp 34798 - - - - - 0 NOERROR F F F T 0 4.3.2.1 31337.000000 F - -
#close 2013-08-26-19-04-37


@ -1 +1 @@
@TEST-EXEC: btest-rst-cmd bro -b -r ${TRACES}/dns-session.trace ${DOC_ROOT}/scripting/connection_record_01.bro
@TEST-EXEC: btest-rst-cmd bro -b -r ${TRACES}/http/get.trace ${DOC_ROOT}/scripting/connection_record_01.bro


@ -1 +1 @@
@TEST-EXEC: btest-rst-cmd bro -b -r ${TRACES}/dns-session.trace ${DOC_ROOT}/scripting/connection_record_02.bro
@TEST-EXEC: btest-rst-cmd bro -b -r ${TRACES}/http/get.trace ${DOC_ROOT}/scripting/connection_record_02.bro


@ -3,7 +3,7 @@
connection_record_02.bro
@load base/protocols/conn
@load base/protocols/dns
@load base/protocols/http
event connection_state_remove(c: connection)
{


@ -1,4 +0,0 @@
# @TEST-EXEC: bro -r $TRACES/dns-session.trace %INPUT
# @TEST-EXEC: btest-diff dns.log
@load protocols/dns/auth-addl


@ -0,0 +1,4 @@
# @TEST-EXEC: bro -r $TRACES/dns-inverse-query.trace %INPUT
# @TEST-EXEC: test ! -e dns.log
@load protocols/dns/auth-addl
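Review bot: The new test asserts only that dns.log is absent, so it passes just as well if the trace never reaches the DNS analyzer at all; a positive check that the run processed traffic, such as `# @TEST-EXEC: test -e conn.log`, makes the negative assertion meaningful. The test it replaces (the deleted one running dns-session.trace with `btest-diff dns.log`) appears to have been the only baseline covering the auth and addl columns, so keeping a standard-query run alongside this inverse-query one would preserve that coverage.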