Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Parse SVCB/HTTPS SvcParams list

Browse source 
Add full support for RFC 9460's SvcParams list.

Amend the existing `dns_svcb_rr` record by a vector of new
`dns_svcb_param` records containing aptly typed SvcParamKey and
SvcParamValue pairs.  Example output:

```
@load base/protocols/dns
event dns_HTTPS( c: connection , msg: dns_msg , ans: dns_answer , https: dns_svcb_rr ) {
	for (_, param in https$svc_params)
		print to_json(param);  # filter uninitialised values
}
```

```
$ dig https cloudflare-ech.com +short | tr [:space:] \\n
1
.
alpn="h3,h2"
ipv4hint=104.18.10.118,104.18.11.118
ech=AEX+DQBBHgAgACBGL2e9TiFwjK/w1Zg9AmRm7mgXHz3PjffP0mTFNMxmDQAEAAEAAQASY2xvdWRmbGFyZS1lY2guY29tAAA=
ipv6hint=2606:4700::6812:a76,2606:4700::6812:b76
```

```
{"key":1,"alpn":["h3","h2"]}
{"key":4,"hint":["104.18.10.118","104.18.11.118"]}
{"key":5,"ech":"AEX+DQBBHgAgACBGL2e9TiFwjK/w1Zg9AmRm7mgXHz3PjffP0mTFNMxmDQAEAAEAAQASY2xvdWRmbGFyZS1lY2guY29tAAA="}
{"key":6,"hint":["2606:4700::6812:a76","2606:4700::6812:b76"]}
```

Values with malformed data or belonging to invalid/reserved keys
are passed raw bytes in network order for script-level inspection.

Follow up to "Initial Support to DNS SVCB/HTTPS RR"
https://github.com/zeek/zeek/pull/1808
This commit is contained in:
Klemens Nanni 2025-07-30 20:44:53 +03:00
parent f38ac30418
commit 397f7e5c0e
9 changed files with 214 additions and 32 deletions
Download patch file Download diff file Expand all files Collapse all files

24
scripts/base/init-bare.zeek
View file

@ -3071,12 +3071,30 @@ type dns_loc_rr: record {
is_query: count; ##< The RR is a query/Response.
};
## DNS SVCB and HTTPS RRs
## A SvcParamKey with an optional SvcParamValue.
#
## .. zeek:see:: dns_svcb_rr
type dns_svcb_param: record {
key: count; ##< SvcParamKey
mandatory: vector of count &optional; ##< "mandatory" SvcParamKey values
alpn: vector of string &optional; ##< "alpn" IDs
p: count &optional; ##< "port" number, TCP or UDP
hint: vector of addr &optional; ##< "ipv4hint" or "ipv6hint" IP addresses
ech: string &optional; ##< "ech" base64 encoded ECHConfigList blob
raw: string &optional; ##< reserved key's or malformed value
};
type dns_svcb_param_vec: vector of dns_svcb_param;
## A SVCB or HTTPS record.
##
## See also RFC 9460 - Service Binding and Parameter Specification via the DNS (SVCB and HTTPS Resource Records).
##
## .. zeek:see:: dns_SVCB dns_HTTPS
type dns_svcb_rr: record {
svc_priority: count; ##< Service priority for the current record, 0 indicates that this record is in AliasMode and cannot carry svc_params; otherwise this is in ServiceMode, and may include svc_params
target_name: string; ##< Target name, the hostname of the service endpoint.
svc_priority: count; ##< Service priority. If zero, the record is in AliasMode and has no SvcParam.
target_name: string; ##< Target name, the hostname of the service endpoint.
svc_params: dns_svcb_param_vec &optional; ##< Service parameters, if any.
};
## A NAPTR record.