From e7146c2a6b4e06b2097f466259abdd71af5f2305 Mon Sep 17 00:00:00 2001 From: Ron Wellman Date: Fri, 19 Jun 2020 22:04:41 -0400 Subject: [PATCH 1/4] Implement EDNS Client Subnet Option --- scripts/base/init-bare.zeek | 10 ++ scripts/base/protocols/dns/main.zeek | 4 + src/NetVar.cc | 1 + src/NetVar.h | 2 + src/analyzer/protocol/dns/DNS.cc | 95 ++++++++++++++++-- src/analyzer/protocol/dns/DNS.h | 32 ++++++ src/analyzer/protocol/dns/events.bif | 23 +++++ src/legacy-netvar-init.cc | 1 + .../output | 10 ++ testing/btest/Traces/dns-edns-ecs.pcap | Bin 0 -> 38291 bytes .../base/protocols/dns/dns-edns-ecs.zeek | 8 ++ 11 files changed, 177 insertions(+), 9 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.dns.dns-edns-ecs/output create mode 100644 testing/btest/Traces/dns-edns-ecs.pcap create mode 100644 testing/btest/scripts/base/protocols/dns/dns-edns-ecs.zeek diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek index edef9350a8..332f86211b 100644 --- a/scripts/base/init-bare.zeek +++ b/scripts/base/init-bare.zeek @@ -3676,6 +3676,16 @@ type dns_edns_additional: record { is_query: count; ##< TODO. }; +## An DNS EDNS Client Subnet (ECS) record. +## +## .. zeek:see:: dns_EDNS_ecs +type dns_edns_ecs: record { + family: string; ##< IP Family + source_prefix_len: count; ##< Source Prefix Length. + scope_prefix_len: count; ##< Scope Prefix Length. + address: string; ##< Client Subnet Address. +}; + ## An additional DNS TSIG record. ## ## .. zeek:see:: dns_TSIG_addl diff --git a/scripts/base/protocols/dns/main.zeek b/scripts/base/protocols/dns/main.zeek index 7b7f6c2176..0a0da1aa82 100644 --- a/scripts/base/protocols/dns/main.zeek +++ b/scripts/base/protocols/dns/main.zeek 
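Review bot: The new `dns_edns_ecs` record declares `address` as `string`, while the DNS.cc hunk later in this series builds the value from a raw `uint32_t` / `uint32_t[4]` (the `make_intrusive` template argument is lost in this rendering, but that construction looks like an address value, not a string); declaring the field as `addr` would match what is actually assigned and let handlers apply subnet and address operations to it directly. The comment `## An DNS EDNS Client Subnet (ECS) record.` should read `## A DNS EDNS Client Subnet (ECS) record.`, and `##< IP Family` would be more useful as `##< IP address family: "v4" or "v6".`, since those are the only two values the analyzer emits. The main.zeek hunk only adds a commented-out handler template and needs nothing.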
@@ -527,6 +527,10 @@ event dns_SRV_reply(c: connection, msg: dns_msg, ans: dns_answer, target: string # { # # } +# event dns_EDNS_ecs(c: connection, msg: dns_msg, opt: dns_edns_ecs) +# { +# +# } # #event dns_TSIG_addl(c: connection, msg: dns_msg, ans: dns_tsig_additional) # { diff --git a/src/NetVar.cc b/src/NetVar.cc index 44d5950d27..7628f1d9eb 100644 --- a/src/NetVar.cc +++ b/src/NetVar.cc @@ -107,6 +107,7 @@ zeek::RecordType* dns_msg; zeek::RecordType* dns_answer; zeek::RecordType* dns_soa; zeek::RecordType* dns_edns_additional; +zeek::RecordType* dns_edns_ecs; zeek::RecordType* dns_tsig_additional; zeek::RecordType* dns_rrsig_rr; zeek::RecordType* dns_dnskey_rr; diff --git a/src/NetVar.h b/src/NetVar.h index 3192007a4a..9c1017d96e 100644 --- a/src/NetVar.h +++ b/src/NetVar.h @@ -149,6 +149,8 @@ extern zeek::RecordType* dns_soa; [[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::RecordType* dns_edns_additional; [[deprecated("Remove in v4.1. Perform your own lookup.")]] +extern zeek::RecordType* dns_edns_ecs; +[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::RecordType* dns_tsig_additional; [[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::RecordType* dns_rrsig_rr; diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc index 09458db5f9..2a3f13e1d6 100644 --- a/src/analyzer/protocol/dns/DNS.cc +++ b/src/analyzer/protocol/dns/DNS.cc @@ -700,8 +700,6 @@ bool DNS_Interpreter::ParseRR_EDNS(DNS_MsgInfo* msg, const u_char*& data, int& len, int rdlength, const u_char* msg_start) { - // We need a pair-value set mechanism here to dump useful information - // out to the policy side of the house if rdlength > 0. if ( dns_EDNS_addl && ! msg->skip_event ) analyzer->EnqueueConnEvent(dns_EDNS_addl, 
@@ -710,13 +708,79 @@ bool DNS_Interpreter::ParseRR_EDNS(DNS_MsgInfo* msg, msg->BuildEDNS_Val() ); - // Currently EDNS supports the movement of type:data pairs - // in the RR_DATA section. Here's where we should put together - // a corresponding mechanism. - if ( rdlength > 0 ) - { // deal with data - data += rdlength; - len -= rdlength; + // parse EDNS options + while ( len > 0 ) + { + uint16_t option_code = ExtractShort(data, len); + int option_len = ExtractShort(data, len); + len -= option_len; + + // TODO: Implement additional option codes + switch ( option_code ) + { + case TYPE_ECS: + { + struct EDNS_ECS opt; + uint16_t ecs_family = ExtractShort(data, option_len); + uint16_t source_scope = ExtractShort(data, option_len); + opt.ecs_src_pfx_len = (source_scope >> 8) & 0xff; + opt.ecs_scp_pfx_len = source_scope & 0xff; + + // ADDRESS, variable number of octets, contains either an IPv4 or + // IPv6 address, depending on FAMILY, which MUST be truncated to the + // number of bits indicated by the SOURCE PREFIX-LENGTH field, + // padding with 0 bits to pad to the end of the last octet needed. 
+ if ( ecs_family == L3_IPV4) + { + opt.ecs_family = make_intrusive("v4"); + uint32_t addr = 0; + for (uint16_t shift_factor = 3; option_len > 0; option_len--) + { + addr |= data[0] << (shift_factor * 8); + data++; + shift_factor--; + } + addr = htonl(addr); + opt.ecs_addr = make_intrusive(addr); + } + else if ( ecs_family == L3_IPV6 ) + { + opt.ecs_family = make_intrusive("v6"); + uint32_t addr[4] = { 0 }; + for (uint16_t i = 0, shift_factor = 15; option_len > 0; option_len--) + { + addr[i / 4] |= data[0] << ((shift_factor % 4) * 8); + data++; + i++; + shift_factor--; + } + + for (uint8_t i = 0; i < 4; i++) + { + addr[i] = htonl(addr[i]); + } + opt.ecs_addr = make_intrusive(addr); + } + else + { + // non ipv4/ipv6 family address + data += option_len; + break; + } + + analyzer->EnqueueConnEvent(dns_EDNS_ecs, + analyzer->ConnVal(), + msg->BuildHdrVal(), + msg->BuildEDNS_ECS_Val(&opt) + ); + break; + } + default: + { + data += option_len; + break; + } + } } return true; @@ -1518,6 +1582,19 @@ zeek::RecordValPtr DNS_MsgInfo::BuildEDNS_Val() return r; } +zeek::RecordValPtr DNS_MsgInfo::BuildEDNS_ECS_Val(struct EDNS_ECS* opt) + { + static auto dns_edns_ecs = zeek::id::find_type("dns_edns_ecs"); + auto r = make_intrusive(dns_edns_ecs); + + r->Assign(0, opt->ecs_family); + r->Assign(1, val_mgr->Count(opt->ecs_src_pfx_len)); + r->Assign(2, val_mgr->Count(opt->ecs_scp_pfx_len)); + r->Assign(3, opt->ecs_addr); + + return r; + } + zeek::RecordValPtr DNS_MsgInfo::BuildTSIG_Val(struct TSIG_DATA* tsig) { static auto dns_tsig_additional = zeek::id::find_type("dns_tsig_additional"); diff --git a/src/analyzer/protocol/dns/DNS.h b/src/analyzer/protocol/dns/DNS.h index 73a882a985..554355d01a 100644 --- a/src/analyzer/protocol/dns/DNS.h +++ b/src/analyzer/protocol/dns/DNS.h 
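Review bot: In the `TYPE_ECS` case the address loops trust the wire length: for IPv6, `addr[i / 4]` is written once per remaining octet, so an option carrying more than 16 address octets writes past the four-element stack array, and for IPv4 more than 4 octets drives the `uint16_t` `shift_factor` below zero into an out-of-range shift; the `option_len <= 4` check added later in this series bounds neither. RFC 7871 §6 fixes ADDRESS at ceil(SOURCE PREFIX-LENGTH / 8) octets with the prefix bounded by the family (32 or 128 bits), so validate that before the loops and skip the option otherwise, as in the fence below (the family `else` branch then becomes redundant). Separately, `while ( len > 0 )` walks the remainder of the whole message rather than the `rdlength` octets of this OPT record, so any RR that follows it in the additional section (a TSIG, say) is consumed as EDNS options, and an early `break` leaves `data`/`len` mid-rdata for the caller; bound the loop by `rdlength` and on exit advance `data` by exactly `rdlength`, as the removed lines did. Finally, unlike the `dns_EDNS_addl` enqueue just above it, the `dns_EDNS_ecs` enqueue is not guarded by `if ( dns_EDNS_ecs && ! msg->skip_event )`; the signature and closing brace of `ParseRR_EDNS` lie outside this hunk.
```cpp
	// … unchanged: ecs_family / source_scope extraction into opt …

	// RFC 7871 §6: ADDRESS holds exactly ceil(SOURCE PREFIX-LENGTH / 8)
	// octets, and the prefix cannot exceed the family's address size.
	// Rejecting anything else keeps the fixed-size buffers below in bounds.
	const int max_prefix_bits = ecs_family == L3_IPV4 ? 32
	                          : ecs_family == L3_IPV6 ? 128
	                          : -1;
	const int expected_addr_len = (opt.ecs_src_pfx_len + 7) / 8;

	if ( max_prefix_bits < 0 || opt.ecs_src_pfx_len > max_prefix_bits ||
	     option_len != expected_addr_len )
		{
		// Unknown family or inconsistent length: skip the option intact.
		data += option_len;
		break;
		}

	// … unchanged: IPv4 / IPv6 address assembly and dns_EDNS_ecs enqueue …
```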
@@ -81,6 +81,27 @@ typedef enum { DNS_ADDITIONAL, } DNS_AnswerType; +// https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml +// DNS EDNS0 Option Codes (OPT) +typedef enum { + TYPE_LLQ = 1, ///< https://www.iana.org/go/draft-sekar-dns-llq-06 + TYPE_UL = 2, ///< http://files.dns-sd.org/draft-sekar-dns-ul.txt + TYPE_NSID = 3, ///< RFC5001 + TYPE_DAU = 5, ///< RFC6975 + TYPE_DHU = 6, ///< RFC6975 + TYPE_N3U = 7, ///< RFC6975 + TYPE_ECS = 8, ///< RFC7871 + TYPE_EXPIRE = 9, ///< RFC7314 + TYPE_TCP_KA = 11, ///< RFC7828 + TYPE_PAD = 12, ///< RFC7830 + TYPE_CHAIN = 13, ///< RFC7901 + TYPE_KEY_TAG = 14, ///< RFC8145 + TYPE_ERROR = 15, ///< https://www.iana.org/go/draft-ietf-dnsop-extended-error-16 + TYPE_CLIENT_TAG = 16, ///< https://www.iana.org/go/draft-bellis-dnsop-edns-tags + TYPE_SERVER_TAG = 17, ///< https://www.iana.org/go/draft-bellis-dnsop-edns-tags + TYPE_DEVICE_ID = 26946 ///< https://docs.umbrella.com/developer/networkdevices-api/identifying-dns-traffic2 +} EDNS_OPT_Type; + typedef enum { reserved0 = 0, RSA_MD5 = 1, ///< [RFC2537] NOT RECOMMENDED @@ -128,6 +149,13 @@ struct EDNS_ADDITIONAL { // size unsigned short rdata_len; // 16 }; +struct EDNS_ECS { + IntrusivePtr ecs_family; ///< EDNS client subnet address family + uint16_t ecs_src_pfx_len; ///< EDNS client subnet source prefix length + uint16_t ecs_scp_pfx_len; ///< EDNS client subnet scope prefix length + IntrusivePtr ecs_addr; ///< EDNS client subnet address +}; + struct TSIG_DATA { zeek::String* alg_name; unsigned long time_s; @@ -182,6 +210,7 @@ public: zeek::RecordValPtr BuildHdrVal(); zeek::RecordValPtr BuildAnswerVal(); zeek::RecordValPtr BuildEDNS_Val(); + zeek::RecordValPtr BuildEDNS_ECS_Val(struct EDNS_ECS*); zeek::RecordValPtr BuildTSIG_Val(struct TSIG_DATA*); zeek::RecordValPtr BuildRRSIG_Val(struct RRSIG_DATA*); zeek::RecordValPtr BuildDNSKEY_Val(struct DNSKEY_DATA*); 
@@ -271,6 +300,9 @@ protected: bool ParseRR_EDNS(DNS_MsgInfo* msg, const u_char*& data, int& len, int rdlength, const u_char* msg_start); + bool ParseRR_EDNS_ECS(DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start); bool ParseRR_A(DNS_MsgInfo* msg, const u_char*& data, int& len, int rdlength); bool ParseRR_AAAA(DNS_MsgInfo* msg, diff --git a/src/analyzer/protocol/dns/events.bif b/src/analyzer/protocol/dns/events.bif index d0a5411344..31e9a11625 100644 --- a/src/analyzer/protocol/dns/events.bif +++ b/src/analyzer/protocol/dns/events.bif @@ -505,6 +505,29 @@ event dns_unknown_reply%(c: connection, msg: dns_msg, ans: dns_answer%); ## dns_skip_all_addl dns_skip_all_auth dns_skip_auth event dns_EDNS_addl%(c: connection, msg: dns_msg, ans: dns_edns_additional%); +## Generated for DNS replies of type *EDNS*. For replies with multiple options, +## an individual event is raised for each. +## +## See `Wikipedia `__ for more +## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS +## sessions. +## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## opt: The parsed EDNS option. +## +## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_HINFO_reply dns_MX_reply +## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl +## dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_mapping_altered +## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified +## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request +## dns_max_queries dns_session_timeout dns_skip_addl +## dns_skip_all_addl dns_skip_all_auth dns_skip_auth +event dns_EDNS_ecs%(c: connection, msg: dns_msg, opt: dns_edns_ecs%); + ## Generated for DNS replies of type *TSIG*. For replies with multiple answers, ## an individual event of the corresponding type is raised for each. ## 
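Review bot: `ParseRR_EDNS_ECS` is declared here but nowhere in this series is it defined or called — the ECS parsing lives inline in the `TYPE_ECS` case of `ParseRR_EDNS` in DNS.cc. Either drop the declaration or, better, move that case body into it so `ParseRR_EDNS` stays a dispatcher like the other `ParseRR_*` routines; its signature would then want the option length rather than `rdlength`, since a single option, not the whole OPT rdata, is what it consumes. The enclosing class declaration continues outside the hunk.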
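Review bot: The doc comment says the event is generated for DNS *replies*, but as far as the DNS.cc hunk shows the enqueue happens for every message whose OPT record carries an ECS option, queries included (ECS is chiefly added by resolvers to the queries they forward); suggest `## Generated for DNS messages carrying an EDNS Client Subnet (ECS) option. For messages with multiple ECS options, an individual event is raised for each.` The `.. zeek:see::` list should also include `dns_EDNS_addl`, the event raised for the enclosing OPT record. `opt:` would be clearer as `opt: The parsed ECS option (family, source/scope prefix lengths and address).`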
diff --git a/src/legacy-netvar-init.cc b/src/legacy-netvar-init.cc index f5f7ee52f0..de4dc83972 100644 --- a/src/legacy-netvar-init.cc +++ b/src/legacy-netvar-init.cc @@ -42,6 +42,7 @@ void zeek_legacy_netvar_init() ::dns_answer = zeek::id::find_type("dns_answer")->AsRecordType(); ::dns_soa = zeek::id::find_type("dns_soa")->AsRecordType(); ::dns_edns_additional = zeek::id::find_type("dns_edns_additional")->AsRecordType(); + ::dns_edns_ecs = zeek::id::find_type("dns_edns_ecs")->AsRecordType(); ::dns_tsig_additional = zeek::id::find_type("dns_tsig_additional")->AsRecordType(); ::dns_rrsig_rr = zeek::id::find_type("dns_rrsig_rr")->AsRecordType(); ::dns_dnskey_rr = zeek::id::find_type("dns_dnskey_rr")->AsRecordType(); diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.dns-edns-ecs/output b/testing/btest/Baseline/scripts.base.protocols.dns.dns-edns-ecs/output new file mode 100644 index 0000000000..7e47b5a201 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.dns.dns-edns-ecs/output @@ -0,0 +1,10 @@ +[family=v4, source_prefix_len=24, scope_prefix_len=0, address=213.61.29.0] +[family=v4, source_prefix_len=24, scope_prefix_len=0, address=213.61.29.0] +[family=v6, source_prefix_len=56, scope_prefix_len=0, address=2001:470:1f0b:1600::] +[family=v6, source_prefix_len=56, scope_prefix_len=0, address=2001:470:1f0b:1600::] +[family=v6, source_prefix_len=56, scope_prefix_len=0, address=2001:470:1f0b:1600::] +[family=v6, source_prefix_len=56, scope_prefix_len=0, address=2001:470:1f0b:1600::] +[family=v6, source_prefix_len=56, scope_prefix_len=0, address=2001:470:1f0b:1600::] +[family=v6, source_prefix_len=56, scope_prefix_len=0, address=2001:470:1f0b:1600::] +[family=v6, source_prefix_len=56, scope_prefix_len=0, address=2001:470:1f0b:1600::] +[family=v6, source_prefix_len=56, scope_prefix_len=0, address=2001:470:1f0b:1600::] 
diff --git a/testing/btest/Traces/dns-edns-ecs.pcap b/testing/btest/Traces/dns-edns-ecs.pcap new file mode 100644 index 0000000000000000000000000000000000000000..0357459a8d3dd8760dc49530ce70caf1002bee8c GIT binary patch literal 38291 zcmeHw2|QHa`~RK6kbTciNVM4ZE!oMMq(WJODVAxXd4fNbM&{#1<4+Fk0jitqk;Rb`RNN$$u`404X=I9v($RKk& zW)vg14n$1}Szz4=v|VbvI|ojSuTr(L_gDtmgMY(q(fwN7PyO!f4kybU-3qaiYgV#xu4kZ{8;h=djrhuHxAvk;03 z3`oytWx?cWwI=j%uN)D-WoJG1$@AsBG&Nmi#ldv0WgYu|*>A~$6mL&NM|q7Y&CHw{ zmN>*-HKHo+duQOd=VK^B<<$xC-kb~k>1S@W1agO*J1w=_C2g?HB+(AN!$n+DMl;ph z@5!L?$5ms(mK#$#2aPIXR;-I`Rk>HiyraQ+t@Xd${D%8Mj%i+P zzb5mI1TjkO+7pf?H(qEskL(DJyx`2D!Gn>>| z?_2HaC+sVm43jt9j=RCWx|(Wp=hwpPYqEEBv}SHwQx~cUu;WdtQ zY(Ik4Un|q4+RpZi^jv5zTj9&!>WxMMCU_r>h2K`|OE5$Yv~Z?(^-<>gO?Xufxk+4k zTUL?5e%k6Hdcy30)uznSFwF}U>9sQsnvaq{^&Q={A*$q_%npmYVxPOJ(FYo1cc=Y` zGopWDKDj>Tl%y)}n@wlM`yTrWm08KMS+3vv1ebwgUdbF$P72LXlCCfw0=ST<9%-;qElvo@J$so65eUW$INk zg4Z0(y?V7mmr=$^=0|smhSt*w@;#aFjIb+x; zF5@7p)sS>fu<(mB?AAqmP*T&gb_=GwqbXY7UNU^MbeT3VWNAG3N%PkG z@OzfL*(EC11x`UUCEE{DXSr3%`!H9f40LAZNxo;5*q|nU^25gy3J?c#PhI}Bhh}^q zwOVC;$fTm^z-2vsO$A4eO%^-{Z9X@$Kq1dnRnQ*{&t5y;BM~}kkVuHE^;rDkei~-|fD49-p(ymZ?~TaUGU1cs{6kI}C)XIhjE5C-~2o3>l-p)p!AsqE7oN>x-ggWa? 
zH-F4bxMPK8Tj^VqjEwJ59N(%Q`An@1O_(Y8#9GJyzBrDbJH?Lwo3dv5JvNmU5|?k@ z+A49kW0dP!A;ak%$=r0D)}>Dvh{C7jd{)3HVYOx-JxTbqy?f)%_XBi8OFO*T?akqN$-S=M>1dy*{O$wZ^?%&xik+ zMyT@ic%{Ubz1Jc)G=3XVZOeJ_+)bwH5~q+><{tCVTpHfS!q}6iHhyPrEbCKcc_&jk zk(m50Gnu_@O`J7#0fwj9ik44}Nfaw^R`{q((@L{4!K|7D^Tz{wLbb#{8YI=|pW8;) zlEBgVeT?2rwMhN>*U=%n>y52vDZlI zTl7JL$!kP7Byw+@Iq7;dtM5``u$p{dzcHHjqkfa;552TB59+ z-@XabKjqFyaYxKH_q%Y*)xm-0YrFwk&5AFcq#(j~qr9qB?nN>v2bd|`NbMU+wv&eK zyRjU$Z+J#haRP+z$jxXzPuQ|SgCI1Kbn)|$h5Vn=!+Fm-Frk2;uh0)1xf+eDm%ZaU ze^+~HIeGAjm8yIrYAqx%EJb$tz!A|-=6%W!H#S`g(HD=qgGU9C8FXIx{CB5p(o z=J-i986*kDh8yX80wsvS&7W2{6Xs79Cs6e9>-aoz9toa5Q7qyZX!@_`Pd2}pKh4jW zh-Xy)Wd3AL9M=%@r$3k9^&$>kmLqB`YcV?R8_yTlEvMNy5E)5m==uCs3}r=MdC$H#?j-NN&C5HbkI|&M_}p0@s=Y(f%J?|F z|N3Z@Q@MyLd#b--UvQYliIVbizfYg{T8>Yws0c5+_clk0w{SQyw7|B0h_>=p#AB-G zkdDr%ApOd6#_QD8Y3<@kGPhTWTW^1>O-H6DwIw>LO)XD*eJge?9s|H9c@2cg1btk} zgyS2Rk1x&l33jKQk8Ytx>ki-a=(3KYsS7xpr)eY5xAppKXX?8*zUqIe>3VklLwii; zS*zZnGUsLG#StA&e9|`*1}N$_YIDk7lNRgq5?Xhb1#_U+vU+7~_(SxR*b&Y>^rc)K z$IRRdlnl!u26FV>(PW|Y*(>$d`r?Ymv5u1yEqtm9w|!L$!T5g_?lsQ%&P*i|{==7c#U&S;;L zP5Cr};W2Q+u9RNlI_jO>tqEG0Ge)%j z6{c5O%2)Sv*knh$W~4FlUsdWZkk6%JyoXKuT6c~c6=G+{DOK8|D8 z!iDT$v^$gFGz%@eQChM3m|AGvp1^2oy5|*#1FN2AEAm$zxM@^Ke_v&&c-bpH=XG{( z&8VwJnO8L=8lE<&J|Ar%a;r|QA?S{FchgW06Vm;^s2_ne9aJv8iC$&%a8p|3?HVJOFj9SI#x5X-=g5j_llV1p2yYpYDiA+ zqb>3DR=zxYw4eEH$@P&V?*?Ntw4UVne|t|8S>8-%BiO$;hM}^jQNL#$`O4MnrtNq8 z(tR*>9J6$NdLp0fj)ip1mCF%=%@h${WbCO0gZdqL+(RxI@B7`|WSx)B-um*)a#YUX zeDR~4JoPsl48t0Y`C|3_gc;aQUY?abG|XJ&rIIQdc!lS-{JmQ7e8b`6`%bJ-ojAvN zvHM{`j~L__s;Vt-yCxqsLLaM#PSx_a%b@aS5W8Z@R^^oRqLSr684Lf-=p9ntT@Q@T zk{C~QCIut|d?DPB#uNA44z`8wO!5LK3bGhrb909zD2TogU`GkSeQGKQ%z|$0MSVB6 zaL$?Yt8@?R^+QJDTTv<9T&;9u6U&(Bzgohad(#RcK;);*}lTFpr|YhO3h9-^$A9XuSO zvNz;HAP;s*bhi7$8QUA0%_V`yR~4+>gJ~5SDZ|L9b^5>S+@qM_)l!@Gaa1PrwS?yO z0Oo2N+cz?fjh)wSzfX%wF)(btRH#?5#>ceuUDBhh1FXHwyUHCpRHD8WeSNq6YW5i# zsw-?Slf}H*Qu}p}Q8rN#BvAzl)^r3i{Ky^Z>p&a;#VmUky8=zk;5RM1?96s34FI;Ts~w z0xCqyUq;@9`2!V74=>|a-M7R0+;TIHA3wg@gON+e=ZjeM5cmHrg|h#ZLV1z^MygPx 
z3IhX5(ALEYNvd$aQy5Z(BUMOJg~BU1oL|BUbs9{eaR0K7R#{^m@YT^+hN$;p&_N)Ji+u8Rr(E>Gg*_j#z9-)7&cUY!@J(@-3?)rde`i+J&_pZ%Y zZeqdoZ)tMLoT|`eUlNix(Hf%U%nb$Vp^*E2-+yA3 zA(avo$>yh-2v>-oiGshlnJ9iLH@6D(KYc2PWy1wfcs-F3hTdWJ{y_i4Hg;J#$&W?s7vQkB69JbiOCg6j14dM$FXs{Uk zS2O4_ru!=t4;UupDs_ zVt=(9TZ!`=XeWJ${DJT86`+rcBA^dv70@1+xgdasWUv-UT2QmHAkc~kKmiaZAz)zr z3A8%G$5((p^14L91=})5s|Jxb(elfIKAu($=7H`B#Jq4_3v4Wo78)GIdpgjEY2iMg zCH8dKw}k87>4fA!A8}nUA7H^>7d|)V72yxmK;iB%4J{-9^a*ZAuLu`q(acH8a8Wik z5ew29eBo~Y4%F;6_olPaU`7hQ0k*%81qTOHf@Y4_x~?DM>5`;w(D`d?qiav~XGxH>pHWa8knGQc{$iCy|p!JNlplJsBlFH8R|!qpP5!YoaJCBWb?HV6&p8g)x=`l7<-u6I>w_ zd`GO#sH|Emfl)RePZK3a59Mw$=BKM6NVe`^Zg@+QFxXsgg8Q|a~R1tql_dt9nt6--XA*zvtc|5#w=Zl=P< zY29M)U7iZp%g-G5w(5`*oJdVl+_f?JgyqIT0Ye?h&1Pmsawf)-n)(|oG|h~prF4vp z45amR4YjnDED^UXh`;5us7W1)>+PAEj|MMaZuO2$w!a(zVFch?1{%3g=!NwqH;Wef z2y_K*i}dBq%VZ5m0W;-E(3kj6%2?*x-+F>;;n}1ENLkT0S2RT8wFgAZzuFV~|Fibg zq%UDFF%d=9p|W*z_L5M*HTE>XBc@*G=){K*Jx*P7*_FcO2VKt;Z$J+R9Oyj7tIl{+ zRiOH-?<>(mp7zgDE}i4nl$3_L*NRlz?YnbqT%h`6(Xsua)@vWsoq99rdN*@*$@yje z7l!Y|npV2b(V|95=(RgY6$Ty(Dj$ z!J1Lp)ZtmEWgYP!VE`)?10pVU{=4;$m>z|t8>1qpGODs?sa$O#?vH$3$5tVMVXfJ?i%zZ;}gDan~xBRGm+%qr`TOa?dpi2a`BEP%Z`$)hhGsyu;iBjOk#X@Q* z;tDb@y9F6BSf!wyFPW@!0ZSFE)?wH+xSjIw*WlgqAj$lFE=Q2vKhNdJ80nxyz$V<5 zPyj0?1rg{NWP$1cr*Q{ru>#!kL0MH;_U%{*Z_AcW=y84>zmXlcn9(v*n}lUq@bmMY zTSi_Q%d*7hN-~N>pU=ewS$Tz}K2}hKsWp*tykQgQ<0eIL85wt96q^?A3%eajd*=k` z6VpKKKK*1R(!PpiGcL0zjFN2nh+)E+j1g3Q-fs zag79OACeXTwU6YwNT5z4X#r3tNoao#l;?6fNC(7pxRC%wuH!_;fU7J1#*L=aJLyd9 zP*CzWgJ(&V`@t+}x-t?68}2!qzfN`I;J?hNf(zj)g}}|8hA?0W3^-it*sn#_VVCFU zB!@Ux7Wq?cZQ1@%GCz~X5tNh9Htd2F75i%fBvdA-9cuCuL`rWFJ2s` zzv>dlt7my&Gz*iHZuZpd+L`b)^%R~hO@p6*tP`qY7~OMI5OFW1-IKw~uJJoUfW@7H`=B4qy0nuU?1pD}`T&~ac; za6=ju?oq0k{zI5|8L zKlcC+qWztF{7;*E2*^tNxXU=n1t`gRNqIR+`T07#I!nn01lW5y+6V3O-Hn)%&80a4 z*D7U>X8Tyg_r=?V|V8p9+EwbUu=+ zkhzeWd;d+JW37~#kL@1X$g>F(Kuj0{R_@aOP$>lt6`NOYm zj_qB(=Z6BVuEg$S_GX6SgtKAh>wQDX^FR1;e}ALydb<7iE(`q!f``mbUy*3!8QA&g z?4^}l_nzGmLQCm#UiqGfl|x3Hnh>lJvR`)t>xk?(%wWTi{X44Q`^2dPDg+;`fu4hF 
z5uYQwK{)3~a*kq#a4wAG9Hr{QIT8b97X6ihn*4wb6jMbo&`t)SuP4}rbktYF2KwsG zoPl2H8NeH;?6Sx|Fi<#8`CAGKYMub-@z?(eq{!x zU|B?g<(aQpE`0%bXaBD$;GGGG>5@8_E-`~8xpa`q!3}x4bH$8ZOw#x{AHmrzp36Q< zLG5~W;-Uj#y7co@VW}AtB^Hd0JCI&#ero&6qU1mHYUapT0AhnViQh*0bo@i|bCYfm zH{3{Q5k4Lpg}g3M`6v=vWQ;k3qy_Qn3<)hF=8#~u8*Fkq25^Gg5?F2j6Re87P}^VX z-Cg-7SivewRC>6BMacW#fe(0~1^hQBbAXQyiENPg*dl2GKDH#ZNPGg3v;dz#5?Ula z2}oLiPXY<;&+(}So5ef;G;l-W11H~*t-&LBO_)n`iGqvTvyv4cy~fBy8Y7Sty7tk_H=CTL=fTg4-h9@PQ+mBGa0~uu|dG zG6e%!-!a~QcFsirwVYpATO82{t8dF;qGis3>w=yA1HhhmUq2rwdwbw72fK&XlM=6q1PONpbtR$a9adHZ{h|GXp%|Pq-6#;SX@#OyBun@i*Ry{#OL;NNyQ@R zF2;ikR~d#)6~FE&tGKX3L{1UEGm$`oU-y)kl%L=HA*ndOLxe!Y0@tNw6y)YbJ(mbU^!Lgj1M{@o4}T?koIx%Uy%wqH zPgngWXwDVu^V~Jw@%`((>Wy@_TBtdg2$sv68To`NAT_R}8D#|Rq(kdxS^!fZc zuC(G(A1mRgiGybI;-J}#yD#|GK#&9yn-8#eXcq@fut14FP#{PmXlwKr2Tg*=K#)Yx z*2OOln(+(QB}r-~YJQV|{sBH$UZQrr?AXlvC-@M2C!u7I(Oux~-;5P;0@}Pd0YzX% zoPg3UPCyY@MIq%6uv(OWBCsM(K;suDpg+Ybq7{OCLGlSVQa6Tj_?!p3F>G(k3{ZKT z8>_yAGNHko!QgPAn%~3m2W||XbwZFTL@xNvZ}WWegX@16ChE(!7b_#r%cs&_CF<9@ zJR$BsX&~yqwIrrDzLPrV-(Us#jT?nYe(OeIqF=aC`1GH-(W7k;bP>oNZX_F7m&s-{8DP@2Nmhf$G0WvJ&dSsY0SksZ0OW*z>aaWDb>NxWyoYT;B7j~$E^qL0H0 z(U*s1kL<%(A^R|v$bK!r4%vsXLiBOEV*dLONFezIb_AlIfCG#det-@Rwo9PPLE`6z zKaxXd0B&$Y+76g#qrNhs9GDbw6K%}sf-71)(Y~3Aa@gLwhK1ng76oVgPST~E911r# zfUmyPx+K^rO0*(8Kf6;UTsIj>TkDNYCYi*cy%%UnaI%{uhY|ora3jHqtZW9g zMHNi`)8UG8hAzIr9*pRO6Be5Y`+XvW?uI(eS zAzIr9*pRO6Be97m!6yEXu~A~Bfc67i;D*Eo_a+RW-Wre`Q^<~%nFd>Y{5f|Na9r-r{L1Y~O2vX~yKmb8x9RLVY>p%iQWE}tqQtLnhLA>*Y zfAP+jp8_HNnF=}rK!6((h`Cbk);Z6G(Cft!CLss4HR?uSD*>FJJRktuFtO`uuvsE^ zmQ;`=nz+oHiM%ZF{AbP{q!frZpw62KFe=u$KtJaw>%~DIm@WSCR$S;L7hh0OEdC8W zbF_^fpifMT!PV$sder=bD0l~qEt-E21@!UzouDGZbq^8wt`Y1ZlItRbOJXMOXKA2R zfDGK0K*wpWc#F7+#po2tp`6^lJZJnpI!ie;3h+`S{IOJ-{a=ZcDN;%RDN_4{QH6vKW1GqSC`8iT6>1d%)fD+u0Na3Q4C+yG^ zm_nMsMZe*rO#Wun*1jj#T}e<`TzY}IC$X6aOWBN~+|o89w`37ON^!|O-U{+?B>|rt z&)baJVw+JT=mfFNgf6z3Py+4T!&`GUQ?b})DhRa1HuG(<&3s#+C9#>rLRu&epa8c; zNPuN~+%p3ZcxIpikHjl}l#}Omo}Aw!v7~)~)jj;Nq<#DgQ6aVuwZ-;EtEm;9Jhio6i_Ce9pJ}Us; 
zK)38&4ab|&i%&(t`&^&9Vv0*0JJ;iidF0?bb8ndRw0FS04;#Fk30MX06-|&Tc(nqG zj2eE!vb%eTUF>vuV0>Ol&z+*sI<<*i~py zxf9OmpA?(k-xocofe})Yb7GKpP)L1B|<|P^~Jv(FYRCseovd$}%cuGE%g`{BL)k)uaDVkeh#b$S3?~|8X-ny1L z?#BD{LTj=*p-`DhJR{NMUSr&8uosOSLYL@aArou2Z_O&^0Og+fs)Ocf1?B+(4m(H76|Dsn%a^JWqb4ZJu3f3Jz?-5jKb;j+be88ok z^Ldql{okW}gRIrO>SqW#0p1V=;dP>YbC2jpvx_PQ?_@l#OEq179JBYmB@J!s>j?AS z?n7k7-VgN-aBTeQ6*Q4xc3isPL$bbY?P-R0Cl9MQr0!Jzz*1{tVY=^uTY%X$3Km_y z^*tV2*Rxv*56*6{%CDJaD)e$V^W+LftlFt;f85d94G-O$xU!yZ{+1K6j@RCLqFX3c z`SXgP9qr{5eqOv?gQ&N0QKghj)tomv^WXTXido;Ni?5ls-fXw$%aNn^P{*QoC+>9k zEE$%kl!yMN)_HbqyHkfq;d&)*sAWBhk8XT$XjvJB-pAqllD<0LDs}-5&eHKyC&CRe zrpwCLZ)=pj>+B%<#p|f$?X{W(6RXy2R5GaoG7$$+1Qb`$;I*05X!u{Y)ND*Pz58Tj z!tk$2oHHx_tLyhiWXeA7O2wM*3(`8|rXc%7!-m!8%hM5~V|Lee7vEYZ{+3+OK3f6f z%C%30MZdN_jmJSi%yfEdeAVH{!pWy&4Ga8)RG*!x5E&l2wZ}QH&!I85TGiQn?hwX2(*}!q1%0Y_5+pbrm`7Ww3=FM?N zo0Xpr8lY=SE_pi&pEExFj7)La9t+uw;7|`mOgo1;OYaNU(ISNaHXfCo(R-N!Gen9| zJnJ7ywN1-0qxUo9JEL_~Ba>M(+sq?bvXU=gZDte5lw|g<1ySKceS*wuF*jqc^ zD3``p&~hZgjpxE$Up1c9_e>4rdC~>0GpU^HW^Y!JdFeAG zbwSf;-XXTS+rr+^)h{)QsQQX?qTn~~? zAN=fiU*PWS`y{m=+IoD|niA)dHw!x3d|>EOlUAPquUIvtQDxZXF)nt&(2mZUdYg%L zzD|JggEh_EBiMm1+hDzpDFbP=z;@1*mc-lU+nFfLFO+#ef}GPOW6AsPj=3bdy?FUK z#XYEJ`DRGut^9+YI>&icf#0x7tSZO!h*Tw%V|D*k*}6^J?>w&UG#`%`SR?+${ki;I zqjjBz?DxKUSv9lfa>JhgHSqlKzF)YJdVc6@`z&-*gGroW-t(W>;>JL+@tHo~(Sj}V zN?rFWrl$mj+k@^4r*-ohd{CFwPEU3|AbW}?k?WdFbv();=%Zj*jHp`F#}%m+o}Nv9 z-pQ;f#*c6H8jSk6sgKf=dA7*ho6vgT^&nPlwEcnY5s8Ub*Z5C6x{j@o=Q`s7!k9U9G zEI}o*hR(cy1AW!e&{PdMJu7ybLQDEQ6!X_j0X3#Z+tW%0QiuI~M{ATX1YHzwB0n{C zT1;SKE>DRBVrT+#5dqt6K{|qK_*jUS4w!kNZ+wF^nLJiQtY#W4v}Aw?94Kl56ghBn z_#X92$fC?1JYlXmd}5#;f;R);h|s?FL@?o!-G$Xu2Jqet8VIcj!I$EvVSfnta1cU4 zd%$<$M#9H3R57Hrzy}5<0DMr8^6}*$;6qDMg<6`x2iYzcX<|k|bS6lEl#vd=$R|1! 
zYEf`V1$V+;e;JhTL1s)I{ z7?SJPr|8~)J3Abgm%u+Gv24jZoy*v91?}1|pl z;(kbC<&$Lfei|F0^wXwoT+{DP0B4&$eIwS9ZDqBhFqDVcQg!6GQOn`Srq0Kb9)DZD zy+Vm1-*Uf*`+7Ss_>!hxXWmQ$h(gU+Ox6uln+o%GwBQZ zR3%lftIog2!?f{(op&iVA+lzY)~GB@g(LcW+Qj6e)rB4(6520~PX;mHcI1u`-IvMO zZIa1;rZy#$Q)PU4O9o!e^92QX1?-5QTmxFv%rWZCpJb=GN)+ZPQNK6`k6)7o=a z0$0rcXa!ieVIca64(wLMDct*bYdpaxbFmG`6+Q2;pkbR{A2|}a1{BnH7eW{FdU@31 zk4E^~g+s$dhqrQ0OlVqO>dP@)A!{QUc}nlV$1`j7Zn|xj>u+y!OXFgc(Gj!376~%! zSJoOT$a{4rGT>n9%i;F^I<=XM<&h>b4Ew}vzV$Lb{}GpdrG1FW75n_~`{q?|H?ew9 zPe0%vJ*aU~^#KccWh9kR!;PYWt2eoY7}`TOOuYy#j5aI$__lIgph8r8=Tzk0-3i}E zcrs(#UWFNFr75;rls;N*v`Ho9nOLxE=+yvM=CminwPh}$t1cgVk-q+Af61N~W_s82 zE+=|a-=bwz<~r;bUnLkGKdAfiQogOuF4|c=DovrY;Ylf1*jA-yH+_3}zs41wO5)z$ zLk{b6O$?!5`-OrYoQKODb8q({_B4Q&=p1kzC9suJi$E6OdpHP?zmQ@}y}Hn*_h_-? z2fPmeTNUA~{fc30uF!#Ye^VuuvXPx7<^?&XE4I$)wJQc)=zVu=D!M~+>ziY5o_t{1 zF{^mI$m(U9#-0$x!~Bf9+R{56c+`q4T;-mI<%CgV9J91dr{B{lI|Nrg968#oVCH^v z=a#Png^Cv*8TXr#?T{B!^W5ROzC!GDSW~AE#>x2p8$GMYL?Tw_ek$ZAtZrbqJ~ejk z5vTFR%@I@X&oeJ=N>jFBRC5@a?BkK{xphuj#U%5ol*`dIl@<<1Z|mn=s`vEN^ogl! 
z*V$M~?<~fbJoMzrrANaDY`4cbtbW}hk;SYbw#n)IRKbPV$H$LdIH#_))u6%u_VpmU zlrp~jkvki;YfkSm<_jzDzwjf!)Jqyj{7ybecim9N&Wd|9L6+|X@4F?< zmW+&+JqvqqIYxJQ1bc1uRB-w=n^CL2x`6)1k=NZmErlPJ$s29dbsve~QT}-UYVS76 z*s8>}RZkv28OwLidzO;2g_dWP*oFxupCs)ag_JoGHFDg7DbwZ4d}1C=?^6oH9K7_1 zBGO}uh}B<9wOpl(bth((=i^4&3zJ{Y$%Vh0s=fV$(Uj6E=4yP~6PqIq(XXys^_CoZ z&5?es((ElJO7>Nk@Z&x1HWPYhjOYeGdK&s~`6>|kOqm5bqci;6Flm~`_ug{8oKM(t z1KZGYcb-A}#68Z^rfd1`V~&fY(#J+Xx2-RT-8GMB>AP`mHhP)Y&Of0MXN~Qr8c}bE7TylY643g{2B-4i=I?$v|N zODD@(ELeBG+N62@^ySC{PHk_lxqnu4+$~L&KV8J5!nI=Msh8QUA-$i@=AOn3HWb(J zz4efry<5SI%+>fGrJCo_T=V7+zyh#e5>%^7RvH;Xkck|t9R(AXki|2Utj1GJ#HIM@eCo+%?#tZ{0@4~^^)H5qle-KyXr@o z;@g7OTpE*l8gD(zme45jw60A&hA{ zZUiqqfM2Ww7Wg4)@IO{YnS+*3gQ&1qWWy+2>Q0nRu|gUw8&|cNdOv@pe`<@(R`t+C zwKKUC^sQu2hoNY3nES)mkCSUWby5R3PH|7L($6~(Xi0Yv>-MW6*FjY{nY?%x zb}8UD$>Jfo_qCYfx*E2EKPqzlEodML8h;Cae+z%4g}=FI^0&zKx5)KhTI7Ng!HdB2 z|Gda`P!&!l+ds~G{{I_Au9rYATD0h&7MECWfdtueuE+&13xNYgPnxI3N5Tp6luIV& zKb#=LjJ%{n|13d}*CdhviKTVLeI7e&>KhZ$o zK`LCMvZl|D*#Qc@d(Sn4X)5)t-H;A`nhIB!(6nMdX2BU!cTm9$+<{IT*Uh^q0o;rS z_zWsgYhLH&;uSz#a3)Ne!HBeA+cH)9*%e9kIc+y!RzCC7LTkZX32t~M@C*S~=o8Dq zo^(~xq2WG~HAoIHGZ`Cy^X`7Y1o#jB(XpSh0xH5dhQPELyiyi_B``94ps;f<1z%k9 zYt9xv34{hX=@tV_sHH<^wBj zMmV*`9|&0FGPSvA1KCNv`zeeR7G-||V~ipm#;Oabe-7iY4|6;h<%^>*E1ax9hf#U* z&tL@1Om28sb>aU<80Tem>-61G0HgL5AjDVTRRpQTM|HUxQEn|TaHkQ;HrLdbwEe^Rp zH@7EuX=}tks6((u6Pydd^_Q^5d0DMyyVwX|)M?0K4RRil%+>|6o6Y<=j1)S50%I9i z*n*wvAo@Q5W0{Cqq27IcU6>WQmY-T91zFyo!3da{tfU)6|BGQH{I>ie7^MM>`0djR zP!Yk1e~5qK+<(HU&dX~3v-Ok!MqRJ&JI1}|Pk#A2LuEU53)^$qo0nyL@hW~3h*-#J|2wV?S}!*Zk_?o{(JlboV^IY=t%JT zxCohT`7HEq+sy+oLxvp~2!McVBoPv0+zFX7sgg1Km1<+$vfKJV}phBrMT_-vCruf+YcH7JOm;m^}~MpNe@u zrVmA6X_t?mm$Ro7Znqm@?Hqgu2UJ9EVt2{O+ANp>H9uMiJVTFbBtXGKtY=aYAsKKn zP=JN?$1Y>~q9W&kq9kEp9vJx7KrA^2zY{bEq6AFvUjvW$fzjYbA_eG+5~TclDU=5S zDJYx2PZ&lmNCD&Qx69YZ7bk?p`CQPpHQ$t3xV^??nDxWkph;rP$bIUWbHf-eUjw18I%XEMkS z{2Oj0vZBkNgH#vG3I+`6lb&7yvQlkh0t&DoE8^@IS0SBWGQz3MN6&ZfB*JxVm;eW9 z|E(Ob0}i}Ish}O;{^5p{0dBX4nI(9-TZ8F37KB0!oUAsP!uRX7>0s-h-!E@HdCyk* 
zQ=af>%dM#h+dObn4*Zz-?WaBG;mSOX3p^4$A|%&jifOtxb+8o|gvbGlzuJEKw=(~? zGXHl=?k~3FF0Rb4x>8~b3DuBnKdp0WTH#)&+49Km>-mna652N-dNa2a@ZJ+uqrc#+ zrPSwt=wM)p=ZYY2@}MgDOQ#;c3MAvWD%I@MQ~9H|Y>3xdpj#y9J=AtmYke#U1s zE#b4S>uJ%>OkWkhjZ+rK9kJO%er@?mvVgOvPkt(BR1Jt0qNe8aPN!qzT?^6l{6K??AJDO4elvR*Z1vF(|d3?jKWGTJM&7a;nkt$yCv$^ z+0{HczmANi6j24#-q2sGa+~aP`>~sLhmR#oaq3u!sA~%C9vfrQiB2ou_V5<-3KW0p zoji_b z&8bl0i7d5QCE1dw!0`S>)#v`>6bDurXn7BJMxe+pt{buQwKKBcBtQNZixF)QPU^Hr z>1gL1vro8X(O4Yyl~-8ISZ35TLAhnbk}G%RZR$r2htN;m6>b|`Z8&itJX=XTF8Gqf z^>OAsx)IEIOc`b4xjiLW_jF7Bnq1VkJ=$0Lg|mucsGnlf2>YgN?XDlAwwBM&Z6DhI zjNap_FO`z<2W%8WT>Xclr*HP(-jM&KRWiJRtwQnYH6O=AuD(NR;;ZD8+vJ|#x@9FS z)6+fnV|kn6%oz8N(eS!@72Ae%zUQ?J<0%T6x0c*~I;Scm3(@CQjnZ}88rPgv{8TJ* zuZidGw@C|`7T4hxy7xg{v97r@J+D`?z@A?Xcz$6}G1fNgb5aS` zl&enupuCVMW$n)W;zLXB?FtHC{uZ output +# @TEST-EXEC: btest-diff output + +@load policy/protocols/dns/auth-addl + +event dns_EDNS_ecs(c: connection, msg: dns_msg, opt: dns_edns_ecs) { + print opt; +} \ No newline at end of file From b17ec6bf93066895a642a11b447bf4e19302b4aa Mon Sep 17 00:00:00 2001 From: ronwellman Date: Mon, 6 Jul 2020 15:34:01 -0400 Subject: [PATCH 2/4] Adjust for zeek namespace. --- src/analyzer/protocol/dns/DNS.cc | 18 +++++++++--------- src/analyzer/protocol/dns/DNS.h | 4 ++-- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc index 2a3f13e1d6..de75652d6e 100644 --- a/src/analyzer/protocol/dns/DNS.cc +++ b/src/analyzer/protocol/dns/DNS.cc @@ -720,7 +720,7 @@ bool DNS_Interpreter::ParseRR_EDNS(DNS_MsgInfo* msg, { case TYPE_ECS: { - struct EDNS_ECS opt; + EDNS_ECS opt{}; uint16_t ecs_family = ExtractShort(data, option_len); uint16_t source_scope = ExtractShort(data, option_len); opt.ecs_src_pfx_len = (source_scope >> 8) & 0xff; 
@@ -730,9 +730,9 @@ bool DNS_Interpreter::ParseRR_EDNS(DNS_MsgInfo* msg, // IPv6 address, depending on FAMILY, which MUST be truncated to the // number of bits indicated by the SOURCE PREFIX-LENGTH field, // padding with 0 bits to pad to the end of the last octet needed. - if ( ecs_family == L3_IPV4) + if ( ecs_family == L3_IPV4 ) { - opt.ecs_family = make_intrusive("v4"); + opt.ecs_family = zeek::make_intrusive("v4"); uint32_t addr = 0; for (uint16_t shift_factor = 3; option_len > 0; option_len--) { @@ -741,11 +741,11 @@ bool DNS_Interpreter::ParseRR_EDNS(DNS_MsgInfo* msg, shift_factor--; } addr = htonl(addr); - opt.ecs_addr = make_intrusive(addr); + opt.ecs_addr = zeek::make_intrusive(addr); } else if ( ecs_family == L3_IPV6 ) { - opt.ecs_family = make_intrusive("v6"); + opt.ecs_family = zeek::make_intrusive("v6"); uint32_t addr[4] = { 0 }; for (uint16_t i = 0, shift_factor = 15; option_len > 0; option_len--) { @@ -759,7 +759,7 @@ bool DNS_Interpreter::ParseRR_EDNS(DNS_MsgInfo* msg, { addr[i] = htonl(addr[i]); } - opt.ecs_addr = make_intrusive(addr); + opt.ecs_addr = zeek::make_intrusive(addr); } else { @@ -1585,11 +1585,11 @@ zeek::RecordValPtr DNS_MsgInfo::BuildEDNS_Val() zeek::RecordValPtr DNS_MsgInfo::BuildEDNS_ECS_Val(struct EDNS_ECS* opt) { static auto dns_edns_ecs = zeek::id::find_type("dns_edns_ecs"); - auto r = make_intrusive(dns_edns_ecs); + auto r = zeek::make_intrusive(dns_edns_ecs); r->Assign(0, opt->ecs_family); - r->Assign(1, val_mgr->Count(opt->ecs_src_pfx_len)); - r->Assign(2, val_mgr->Count(opt->ecs_scp_pfx_len)); + r->Assign(1, zeek::val_mgr->Count(opt->ecs_src_pfx_len)); + r->Assign(2, zeek::val_mgr->Count(opt->ecs_scp_pfx_len)); r->Assign(3, opt->ecs_addr); return r; diff --git a/src/analyzer/protocol/dns/DNS.h b/src/analyzer/protocol/dns/DNS.h index 554355d01a..2e795de4ad 100644 --- a/src/analyzer/protocol/dns/DNS.h +++ b/src/analyzer/protocol/dns/DNS.h 
@@ -150,10 +150,10 @@ struct EDNS_ADDITIONAL { // size }; struct EDNS_ECS { - IntrusivePtr ecs_family; ///< EDNS client subnet address family + zeek::StringValPtr ecs_family; ///< EDNS client subnet address family uint16_t ecs_src_pfx_len; ///< EDNS client subnet source prefix length uint16_t ecs_scp_pfx_len; ///< EDNS client subnet scope prefix length - IntrusivePtr ecs_addr; ///< EDNS client subnet address + zeek::IntrusivePtr ecs_addr; ///< EDNS client subnet address }; struct TSIG_DATA { From 19e91292e84cb7e4367e9b2987df9a1c059d0c48 Mon Sep 17 00:00:00 2001 From: ronwellman Date: Fri, 24 Jul 2020 09:26:09 -0400 Subject: [PATCH 3/4] Validate option_len in EDNS packets. --- src/analyzer/protocol/dns/DNS.cc | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc index de75652d6e..bd704667f4 100644 --- a/src/analyzer/protocol/dns/DNS.cc +++ b/src/analyzer/protocol/dns/DNS.cc @@ -712,7 +712,11 @@ bool DNS_Interpreter::ParseRR_EDNS(DNS_MsgInfo* msg, while ( len > 0 ) { uint16_t option_code = ExtractShort(data, len); - int option_len = ExtractShort(data, len); + uint16_t option_len = ExtractShort(data, len); + // check for invalid option length + if ( (option_len > len) || (0 == option_len) ) { + break; + } len -= option_len; // TODO: Implement additional option codes @@ -720,9 +724,14 @@ bool DNS_Interpreter::ParseRR_EDNS(DNS_MsgInfo* msg, { case TYPE_ECS: { + // must be 4 bytes + variable number of octets for address + if ( option_len <= 4 ) { + break; + } + EDNS_ECS opt{}; - uint16_t ecs_family = ExtractShort(data, option_len); - uint16_t source_scope = ExtractShort(data, option_len); + uint16_t ecs_family = ExtractShort(data, (int&)option_len); + uint16_t source_scope = ExtractShort(data, (int&)option_len); opt.ecs_src_pfx_len = (source_scope >> 8) & 0xff; opt.ecs_scp_pfx_len = source_scope & 0xff; From 7f130e9e1679b3c1b7b66a109f278253723fb3fe Mon Sep 17 00:00:00 2001 
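Review bot: In the `TYPE_ECS` case, `if ( option_len <= 4 ) { break; }` leaves `data` still pointing at the option's payload although `len` has already had `option_len` subtracted, so the next iteration reads the option code from the wrong offset and every later option in the record is misparsed; advance with `data += option_len;` before the `break`, and make the test `option_len < 4` — an ECS option with SOURCE PREFIX-LENGTH 0 legitimately has exactly 4 octets and no address (RFC 7871 uses that form to signal that no client subnet should be used). In the first hunk of this patch, `0 == option_len` likewise ends parsing at zero-length options that are valid EDNS (NSID in a query, PADDING), silently dropping every option behind them; only `option_len > len` is malformed and should stop the loop. Stylistically, `if ( ... ) {` differs from the file's own layout, where the brace sits on its own line indented with the body, as in the surrounding `case` blocks.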
From: ronwellman Date: Fri, 24 Jul 2020 10:21:42 -0400 Subject: [PATCH 4/4] Avoid typecast to int& in EDNS parsing. --- src/analyzer/protocol/dns/DNS.cc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc index bd704667f4..7e2f49ab0b 100644 --- a/src/analyzer/protocol/dns/DNS.cc +++ b/src/analyzer/protocol/dns/DNS.cc @@ -712,7 +712,7 @@ bool DNS_Interpreter::ParseRR_EDNS(DNS_MsgInfo* msg, while ( len > 0 ) { uint16_t option_code = ExtractShort(data, len); - uint16_t option_len = ExtractShort(data, len); + int option_len = ExtractShort(data, len); // check for invalid option length if ( (option_len > len) || (0 == option_len) ) { break; @@ -730,8 +730,8 @@ bool DNS_Interpreter::ParseRR_EDNS(DNS_MsgInfo* msg, } EDNS_ECS opt{}; - uint16_t ecs_family = ExtractShort(data, (int&)option_len); - uint16_t source_scope = ExtractShort(data, (int&)option_len); + uint16_t ecs_family = ExtractShort(data, option_len); + uint16_t source_scope = ExtractShort(data, option_len); opt.ecs_src_pfx_len = (source_scope >> 8) & 0xff; opt.ecs_scp_pfx_len = source_scope & 0xff;