mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 06:38:20 +00:00
Switch types used in DNS analyzer to be more consistent
This commit is contained in:
Tim Wojtulewicz
parent
c6cf1ee3ae
commit
501160c976
2 changed files with 184 additions and 196 deletions
|
|
@ -72,8 +72,8 @@ void DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query) {
|
||||||
// opcode is always in the same location. Parse out just that part of it here
|
// opcode is always in the same location. Parse out just that part of it here
|
||||||
// even though it will probably be reparsed later.
|
// even though it will probably be reparsed later.
|
||||||
auto* hdr = (detail::DNS_RawMsgHdr*)data;
|
auto* hdr = (detail::DNS_RawMsgHdr*)data;
|
||||||
unsigned short flags = ntohs(hdr->flags);
|
auto flags = ntohs(hdr->flags);
|
||||||
int opcode = (flags & 0x7800) >> 11;
|
auto opcode = static_cast<uint16_t>((flags & 0x7800) >> 11);
|
||||||
|
|
||||||
// NetBIOS registration and release messages look like regular DNS requests, so parse them as such
|
// NetBIOS registration and release messages look like regular DNS requests, so parse them as such
|
||||||
if ( opcode != DNS_OP_QUERY && ! is_netbios ) {
|
if ( opcode != DNS_OP_QUERY && ! is_netbios ) {
|
||||||
|
|
@ -85,7 +85,8 @@ void DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query) {
|
||||||
detail::DNS_MsgInfo msg(hdr, is_query);
|
detail::DNS_MsgInfo msg(hdr, is_query);
|
||||||
|
|
||||||
if ( first_message && msg.QR && is_query == 1 ) {
|
if ( first_message && msg.QR && is_query == 1 ) {
|
||||||
is_query = msg.is_query = 0;
|
is_query = 0;
|
||||||
|
msg.is_query = false;
|
||||||
|
|
||||||
if ( ! analyzer->Conn()->RespAddr().IsMulticast() )
|
if ( ! analyzer->Conn()->RespAddr().IsMulticast() )
|
||||||
analyzer->Conn()->FlipRoles();
|
analyzer->Conn()->FlipRoles();
|
||||||
|
|
@ -123,8 +124,8 @@ void DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query) {
|
||||||
|
|
||||||
analyzer->AnalyzerConfirmation();
|
analyzer->AnalyzerConfirmation();
|
||||||
|
|
||||||
int skip_auth = zeek::detail::dns_skip_all_auth;
|
bool skip_auth = (zeek::detail::dns_skip_all_auth != 0);
|
||||||
int skip_addl = zeek::detail::dns_skip_all_addl;
|
bool skip_addl = (zeek::detail::dns_skip_all_addl != 0);
|
||||||
if ( msg.ancount > 0 ) { // We did an answer, so can potentially skip auth/addl.
|
if ( msg.ancount > 0 ) { // We did an answer, so can potentially skip auth/addl.
|
||||||
static auto dns_skip_auth = id::find_val<TableVal>("dns_skip_auth");
|
static auto dns_skip_auth = id::find_val<TableVal>("dns_skip_auth");
|
||||||
static auto dns_skip_addl = id::find_val<TableVal>("dns_skip_addl");
|
static auto dns_skip_addl = id::find_val<TableVal>("dns_skip_addl");
|
||||||
|
|
@ -248,11 +249,11 @@ bool DNS_Interpreter::ParseAnswer(detail::DNS_MsgInfo* msg, const u_char*& data,
|
||||||
// re-interpreted by other, more adventurous RR types.
|
// re-interpreted by other, more adventurous RR types.
|
||||||
|
|
||||||
msg->query_name = make_intrusive<StringVal>(new String(name, name_end - name, true));
|
msg->query_name = make_intrusive<StringVal>(new String(name, name_end - name, true));
|
||||||
msg->atype = detail::RR_Type(ExtractShort(data, len));
|
msg->atype = static_cast<detail::RR_Type>(ExtractShort(data, len));
|
||||||
msg->aclass = ExtractShort(data, len);
|
msg->aclass = ExtractShort(data, len);
|
||||||
msg->ttl = ExtractLong(data, len);
|
msg->ttl = ExtractLong(data, len);
|
||||||
|
|
||||||
int rdlength = ExtractShort(data, len);
|
auto rdlength = ExtractShort(data, len);
|
||||||
if ( rdlength > len ) {
|
if ( rdlength > len ) {
|
||||||
analyzer->Weird("DNS_truncated_RR_rdlength_lt_len");
|
analyzer->Weird("DNS_truncated_RR_rdlength_lt_len");
|
||||||
return false;
|
return false;
|
||||||
|
|
@ -381,7 +382,7 @@ bool DNS_Interpreter::ExtractLabel(const u_char*& data, int& len, u_char*& name,
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
const u_char* orig_data = data;
|
const u_char* orig_data = data;
|
||||||
int label_len = data[0];
|
auto label_len = data[0];
|
||||||
|
|
||||||
++data;
|
++data;
|
||||||
--len;
|
--len;
|
||||||
|
|
@ -394,7 +395,7 @@ bool DNS_Interpreter::ExtractLabel(const u_char*& data, int& len, u_char*& name,
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
if ( (label_len & 0xc0) == 0xc0 ) {
|
if ( (label_len & 0xc0) == 0xc0 ) {
|
||||||
unsigned short offset = (label_len & ~0xc0) << 8;
|
auto offset = (label_len & ~0xc0) << 8;
|
||||||
|
|
||||||
offset |= *data;
|
offset |= *data;
|
||||||
|
|
||||||
|
|
@ -562,11 +563,11 @@ bool DNS_Interpreter::ParseRR_SOA(detail::DNS_MsgInfo* msg, const u_char*& data,
|
||||||
if ( len < 20 )
|
if ( len < 20 )
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
uint32_t serial = ExtractLong(data, len);
|
auto serial = ExtractLong(data, len);
|
||||||
uint32_t refresh = ExtractLong(data, len);
|
auto refresh = ExtractLong(data, len);
|
||||||
uint32_t retry = ExtractLong(data, len);
|
auto retry = ExtractLong(data, len);
|
||||||
uint32_t expire = ExtractLong(data, len);
|
auto expire = ExtractLong(data, len);
|
||||||
uint32_t minimum = ExtractLong(data, len);
|
auto minimum = ExtractLong(data, len);
|
||||||
|
|
||||||
if ( data - data_start != rdlength )
|
if ( data - data_start != rdlength )
|
||||||
analyzer->Weird("DNS_RR_length_mismatch");
|
analyzer->Weird("DNS_RR_length_mismatch");
|
||||||
|
|
@ -593,7 +594,7 @@ bool DNS_Interpreter::ParseRR_MX(detail::DNS_MsgInfo* msg, const u_char*& data,
|
||||||
const u_char* msg_start) {
|
const u_char* msg_start) {
|
||||||
const u_char* data_start = data;
|
const u_char* data_start = data;
|
||||||
|
|
||||||
int preference = ExtractShort(data, len);
|
auto preference = ExtractShort(data, len);
|
||||||
|
|
||||||
u_char name[513];
|
u_char name[513];
|
||||||
int name_len = sizeof(name) - 1;
|
int name_len = sizeof(name) - 1;
|
||||||
|
|
@ -624,9 +625,9 @@ bool DNS_Interpreter::ParseRR_SRV(detail::DNS_MsgInfo* msg, const u_char*& data,
|
||||||
const u_char* msg_start) {
|
const u_char* msg_start) {
|
||||||
const u_char* data_start = data;
|
const u_char* data_start = data;
|
||||||
|
|
||||||
unsigned int priority = ExtractShort(data, len);
|
auto priority = ExtractShort(data, len);
|
||||||
unsigned int weight = ExtractShort(data, len);
|
auto weight = ExtractShort(data, len);
|
||||||
unsigned int port = ExtractShort(data, len);
|
auto port = ExtractShort(data, len);
|
||||||
|
|
||||||
u_char name[513];
|
u_char name[513];
|
||||||
int name_len = sizeof(name) - 1;
|
int name_len = sizeof(name) - 1;
|
||||||
|
|
@ -648,8 +649,8 @@ bool DNS_Interpreter::ParseRR_SRV(detail::DNS_MsgInfo* msg, const u_char*& data,
|
||||||
|
|
||||||
bool DNS_Interpreter::ParseRR_NAPTR(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, int rdlength,
|
bool DNS_Interpreter::ParseRR_NAPTR(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, int rdlength,
|
||||||
const u_char* msg_start) {
|
const u_char* msg_start) {
|
||||||
zeek_uint_t order = ExtractShort(data, len);
|
auto order = ExtractShort(data, len);
|
||||||
zeek_uint_t preference = ExtractShort(data, len);
|
auto preference = ExtractShort(data, len);
|
||||||
rdlength -= 4;
|
rdlength -= 4;
|
||||||
|
|
||||||
if ( len <= 0 || rdlength <= 0 ) {
|
if ( len <= 0 || rdlength <= 0 ) {
|
||||||
|
|
@ -698,7 +699,7 @@ bool DNS_Interpreter::ParseRR_EDNS(detail::DNS_MsgInfo* msg, const u_char*& data
|
||||||
// parse EDNS options. length has to be at least 4 to parse out the option
|
// parse EDNS options. length has to be at least 4 to parse out the option
|
||||||
// code and length.
|
// code and length.
|
||||||
while ( len >= 4 ) {
|
while ( len >= 4 ) {
|
||||||
uint16_t option_code = ExtractShort(data, len);
|
auto option_code = ExtractShort(data, len);
|
||||||
int option_len = ExtractShort(data, len);
|
int option_len = ExtractShort(data, len);
|
||||||
// check for invalid option length
|
// check for invalid option length
|
||||||
if ( (option_len > len) ) {
|
if ( (option_len > len) ) {
|
||||||
|
|
@ -717,8 +718,8 @@ bool DNS_Interpreter::ParseRR_EDNS(detail::DNS_MsgInfo* msg, const u_char*& data
|
||||||
}
|
}
|
||||||
|
|
||||||
detail::EDNS_ECS opt{};
|
detail::EDNS_ECS opt{};
|
||||||
uint16_t ecs_family = ExtractShort(data, option_len);
|
auto ecs_family = ExtractShort(data, option_len);
|
||||||
uint16_t source_scope = ExtractShort(data, option_len);
|
auto source_scope = ExtractShort(data, option_len);
|
||||||
opt.ecs_src_pfx_len = (source_scope >> 8) & 0xff;
|
opt.ecs_src_pfx_len = (source_scope >> 8) & 0xff;
|
||||||
opt.ecs_scp_pfx_len = source_scope & 0xff;
|
opt.ecs_scp_pfx_len = source_scope & 0xff;
|
||||||
|
|
||||||
|
|
@ -877,7 +878,7 @@ bool DNS_Interpreter::ParseRR_EDNS(detail::DNS_MsgInfo* msg, const u_char*& data
|
||||||
}
|
}
|
||||||
|
|
||||||
void DNS_Interpreter::ExtractOctets(const u_char*& data, int& len, String** p) {
|
void DNS_Interpreter::ExtractOctets(const u_char*& data, int& len, String** p) {
|
||||||
uint16_t dlen = ExtractShort(data, len);
|
auto dlen = ExtractShort(data, len);
|
||||||
dlen = std::min(len, static_cast<int>(dlen));
|
dlen = std::min(len, static_cast<int>(dlen));
|
||||||
|
|
||||||
if ( p )
|
if ( p )
|
||||||
|
|
@ -908,13 +909,13 @@ bool DNS_Interpreter::ParseRR_TSIG(detail::DNS_MsgInfo* msg, const u_char*& data
|
||||||
if ( ! alg_name_end )
|
if ( ! alg_name_end )
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
uint32_t sign_time_sec = ExtractLong(data, len);
|
auto sign_time_sec = ExtractLong(data, len);
|
||||||
unsigned int sign_time_msec = ExtractShort(data, len);
|
auto sign_time_msec = ExtractShort(data, len);
|
||||||
unsigned int fudge = ExtractShort(data, len);
|
auto fudge = ExtractShort(data, len);
|
||||||
String* request_MAC;
|
String* request_MAC;
|
||||||
ExtractOctets(data, len, dns_TSIG_addl ? &request_MAC : nullptr);
|
ExtractOctets(data, len, dns_TSIG_addl ? &request_MAC : nullptr);
|
||||||
unsigned int orig_id = ExtractShort(data, len);
|
auto orig_id = ExtractShort(data, len);
|
||||||
unsigned int rr_error = ExtractShort(data, len);
|
auto rr_error = ExtractShort(data, len);
|
||||||
ExtractOctets(data, len, nullptr); // Other Data
|
ExtractOctets(data, len, nullptr); // Other Data
|
||||||
|
|
||||||
if ( dns_TSIG_addl ) {
|
if ( dns_TSIG_addl ) {
|
||||||
|
|
@ -953,10 +954,10 @@ bool DNS_Interpreter::ParseRR_TKEY(detail::DNS_MsgInfo* msg, const u_char*& data
|
||||||
if ( ! alg_name_end )
|
if ( ! alg_name_end )
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
uint32_t inception = ExtractLong(data, len);
|
auto inception = ExtractLong(data, len);
|
||||||
uint32_t expiration = ExtractLong(data, len);
|
auto expiration = ExtractLong(data, len);
|
||||||
uint16_t mode = ExtractShort(data, len);
|
auto mode = ExtractShort(data, len);
|
||||||
uint16_t error = ExtractShort(data, len);
|
auto error = ExtractShort(data, len);
|
||||||
String* key_data;
|
String* key_data;
|
||||||
ExtractOctets(data, len, dns_TKEY ? &key_data : nullptr);
|
ExtractOctets(data, len, dns_TKEY ? &key_data : nullptr);
|
||||||
ExtractOctets(data, len, nullptr); // Other data
|
ExtractOctets(data, len, nullptr); // Other data
|
||||||
|
|
@ -986,28 +987,28 @@ bool DNS_Interpreter::ParseRR_RRSIG(detail::DNS_MsgInfo* msg, const u_char*& dat
|
||||||
if ( len < 18 )
|
if ( len < 18 )
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
unsigned int type_covered = ExtractShort(data, len);
|
auto type_covered = ExtractShort(data, len);
|
||||||
// split the two bytes for algo and labels extraction
|
// split the two bytes for algo and labels extraction
|
||||||
uint32_t algo_lab = ExtractShort(data, len);
|
auto algo_lab = ExtractShort(data, len);
|
||||||
unsigned int algo = (algo_lab >> 8) & 0xff;
|
auto algo = (algo_lab >> 8) & 0xff;
|
||||||
unsigned int lab = algo_lab & 0xff;
|
auto lab = algo_lab & 0xff;
|
||||||
|
|
||||||
uint32_t orig_ttl = ExtractLong(data, len);
|
auto orig_ttl = ExtractLong(data, len);
|
||||||
uint32_t sign_exp = ExtractLong(data, len);
|
auto sign_exp = ExtractLong(data, len);
|
||||||
uint32_t sign_incp = ExtractLong(data, len);
|
auto sign_incp = ExtractLong(data, len);
|
||||||
unsigned int key_tag = ExtractShort(data, len);
|
auto key_tag = ExtractShort(data, len);
|
||||||
|
|
||||||
// implement signer's name with the msg_start offset
|
// implement signer's name with the msg_start offset
|
||||||
const u_char* data_start = data;
|
const u_char* data_start = data;
|
||||||
u_char name[513];
|
u_char name[513];
|
||||||
int name_len = sizeof(name) - 1;
|
size_t name_len = sizeof(name) - 1;
|
||||||
|
|
||||||
u_char* name_end = ExtractName(data, len, name, name_len, msg_start);
|
u_char* name_end = ExtractName(data, len, name, name_len, msg_start);
|
||||||
if ( ! name_end )
|
if ( ! name_end )
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
int sig_len = rdlength - ((data - data_start) + 18);
|
int sig_len = rdlength - ((data - data_start) + 18);
|
||||||
detail::DNSSEC_Algo dsa = detail::DNSSEC_Algo(algo);
|
auto dsa = static_cast<detail::DNSSEC_Algo>(algo);
|
||||||
String* sign = ExtractStream(data, len, sig_len);
|
String* sign = ExtractStream(data, len, sig_len);
|
||||||
|
|
||||||
switch ( dsa ) {
|
switch ( dsa ) {
|
||||||
|
|
@ -1064,9 +1065,9 @@ bool DNS_Interpreter::ParseRR_DNSKEY(detail::DNS_MsgInfo* msg, const u_char*& da
|
||||||
auto dflags = ExtractShort(data, len);
|
auto dflags = ExtractShort(data, len);
|
||||||
// split the two bytes for protocol and algorithm extraction
|
// split the two bytes for protocol and algorithm extraction
|
||||||
auto proto_algo = ExtractShort(data, len);
|
auto proto_algo = ExtractShort(data, len);
|
||||||
unsigned int dprotocol = (proto_algo >> 8) & 0xff;
|
auto dprotocol = (proto_algo >> 8) & 0xff;
|
||||||
unsigned int dalgorithm = proto_algo & 0xff;
|
auto dalgorithm = proto_algo & 0xff;
|
||||||
detail::DNSSEC_Algo dsa = detail::DNSSEC_Algo(dalgorithm);
|
auto dsa = static_cast<detail::DNSSEC_Algo>(dalgorithm);
|
||||||
// Evaluating the size of remaining bytes for Public Key
|
// Evaluating the size of remaining bytes for Public Key
|
||||||
String* key = ExtractStream(data, len, rdlength - 4);
|
String* key = ExtractStream(data, len, rdlength - 4);
|
||||||
|
|
||||||
|
|
@ -1147,9 +1148,9 @@ bool DNS_Interpreter::ParseRR_NSEC(detail::DNS_MsgInfo* msg, const u_char*& data
|
||||||
auto char_strings = make_intrusive<VectorVal>(id::string_vec);
|
auto char_strings = make_intrusive<VectorVal>(id::string_vec);
|
||||||
|
|
||||||
while ( typebitmaps_len > 0 && len > 0 ) {
|
while ( typebitmaps_len > 0 && len > 0 ) {
|
||||||
uint32_t block_bmlen = ExtractShort(data, len);
|
auto block_bmlen = ExtractShort(data, len);
|
||||||
unsigned int win_blck = (block_bmlen >> 8) & 0xff;
|
auto win_blck = (block_bmlen >> 8) & 0xff;
|
||||||
unsigned int bmlen = block_bmlen & 0xff;
|
auto bmlen = block_bmlen & 0xff;
|
||||||
|
|
||||||
if ( bmlen == 0 ) {
|
if ( bmlen == 0 ) {
|
||||||
analyzer->Weird("DNSSEC_NSEC_bitmapLen0", util::fmt("%d", win_blck));
|
analyzer->Weird("DNSSEC_NSEC_bitmapLen0", util::fmt("%d", win_blck));
|
||||||
|
|
@ -1181,10 +1182,10 @@ bool DNS_Interpreter::ParseRR_NSEC3(detail::DNS_MsgInfo* msg, const u_char*& dat
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
const u_char* data_start = data;
|
const u_char* data_start = data;
|
||||||
uint32_t halgo_flags = ExtractShort(data, len);
|
auto halgo_flags = ExtractShort(data, len);
|
||||||
unsigned int hash_algo = (halgo_flags >> 8) & 0xff;
|
auto hash_algo = (halgo_flags >> 8) & 0xff;
|
||||||
unsigned int nsec_flags = halgo_flags & 0xff;
|
auto nsec_flags = halgo_flags & 0xff;
|
||||||
unsigned int iter = ExtractShort(data, len);
|
auto iter = ExtractShort(data, len);
|
||||||
|
|
||||||
uint8_t salt_len = 0;
|
uint8_t salt_len = 0;
|
||||||
|
|
||||||
|
|
@ -1211,9 +1212,9 @@ bool DNS_Interpreter::ParseRR_NSEC3(detail::DNS_MsgInfo* msg, const u_char*& dat
|
||||||
auto char_strings = make_intrusive<VectorVal>(id::string_vec);
|
auto char_strings = make_intrusive<VectorVal>(id::string_vec);
|
||||||
|
|
||||||
while ( typebitmaps_len > 0 && len > 0 ) {
|
while ( typebitmaps_len > 0 && len > 0 ) {
|
||||||
uint32_t block_bmlen = ExtractShort(data, len);
|
auto block_bmlen = ExtractShort(data, len);
|
||||||
unsigned int win_blck = (block_bmlen >> 8) & 0xff;
|
auto win_blck = (block_bmlen >> 8) & 0xff;
|
||||||
unsigned int bmlen = block_bmlen & 0xff;
|
auto bmlen = block_bmlen & 0xff;
|
||||||
|
|
||||||
if ( bmlen == 0 ) {
|
if ( bmlen == 0 ) {
|
||||||
analyzer->Weird("DNSSEC_NSEC3_bitmapLen0", util::fmt("%d", win_blck));
|
analyzer->Weird("DNSSEC_NSEC3_bitmapLen0", util::fmt("%d", win_blck));
|
||||||
|
|
@ -1254,10 +1255,10 @@ bool DNS_Interpreter::ParseRR_NSEC3PARAM(detail::DNS_MsgInfo* msg, const u_char*
|
||||||
if ( len < 5 )
|
if ( len < 5 )
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
uint32_t halgo_flags = ExtractShort(data, len);
|
auto halgo_flags = ExtractShort(data, len);
|
||||||
unsigned int hash_algo = (halgo_flags >> 8) & 0xff;
|
auto hash_algo = (halgo_flags >> 8) & 0xff;
|
||||||
unsigned int nsec_flags = halgo_flags & 0xff;
|
auto nsec_flags = halgo_flags & 0xff;
|
||||||
unsigned int iter = ExtractShort(data, len);
|
auto iter = ExtractShort(data, len);
|
||||||
|
|
||||||
uint8_t salt_len = 0;
|
uint8_t salt_len = 0;
|
||||||
|
|
||||||
|
|
@ -1295,12 +1296,12 @@ bool DNS_Interpreter::ParseRR_DS(detail::DNS_MsgInfo* msg, const u_char*& data,
|
||||||
if ( len < 4 )
|
if ( len < 4 )
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
unsigned int ds_key_tag = ExtractShort(data, len);
|
auto ds_key_tag = ExtractShort(data, len);
|
||||||
// split the two bytes for algorithm and digest type extraction
|
// split the two bytes for algorithm and digest type extraction
|
||||||
uint32_t ds_algo_dtype = ExtractShort(data, len);
|
auto ds_algo_dtype = ExtractShort(data, len);
|
||||||
unsigned int ds_algo = (ds_algo_dtype >> 8) & 0xff;
|
auto ds_algo = (ds_algo_dtype >> 8) & 0xff;
|
||||||
unsigned int ds_dtype = ds_algo_dtype & 0xff;
|
auto ds_dtype = ds_algo_dtype & 0xff;
|
||||||
detail::DNSSEC_Digest ds_digest_type = detail::DNSSEC_Digest(ds_dtype);
|
auto ds_digest_type = static_cast<detail::DNSSEC_Digest>(ds_dtype);
|
||||||
String* ds_digest = ExtractStream(data, len, rdlength - 4);
|
String* ds_digest = ExtractStream(data, len, rdlength - 4);
|
||||||
|
|
||||||
switch ( ds_digest_type ) {
|
switch ( ds_digest_type ) {
|
||||||
|
|
@ -1337,14 +1338,14 @@ bool DNS_Interpreter::ParseRR_BINDS(detail::DNS_MsgInfo* msg, const u_char*& dat
|
||||||
if ( len < 5 )
|
if ( len < 5 )
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
uint32_t algo_keyid_rflag = ExtractLong(data, len);
|
auto algo_keyid_rflag = ExtractLong(data, len);
|
||||||
|
|
||||||
unsigned int algo = (algo_keyid_rflag >> 24) & 0xff;
|
auto algo = (algo_keyid_rflag >> 24) & 0xff;
|
||||||
unsigned int keyid1 = (algo_keyid_rflag >> 16) & 0xff;
|
auto keyid1 = (algo_keyid_rflag >> 16) & 0xff;
|
||||||
unsigned int keyid2 = (algo_keyid_rflag >> 8) & 0xff;
|
auto keyid2 = (algo_keyid_rflag >> 8) & 0xff;
|
||||||
unsigned int rmflag = algo_keyid_rflag & 0xff;
|
auto rmflag = algo_keyid_rflag & 0xff;
|
||||||
|
|
||||||
unsigned int keyid = (keyid1 << 8) | keyid2;
|
auto keyid = (keyid1 << 8) | keyid2;
|
||||||
|
|
||||||
uint8_t completeflag = ExtractByte(data, len);
|
uint8_t completeflag = ExtractByte(data, len);
|
||||||
|
|
||||||
|
|
@ -1373,9 +1374,9 @@ bool DNS_Interpreter::ParseRR_SSHFP(detail::DNS_MsgInfo* msg, const u_char*& dat
|
||||||
if ( len < 2 )
|
if ( len < 2 )
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
uint32_t algo_fptype = ExtractShort(data, len);
|
auto algo_fptype = ExtractShort(data, len);
|
||||||
unsigned int algo = (algo_fptype >> 8) & 0xff;
|
auto algo = (algo_fptype >> 8) & 0xff;
|
||||||
unsigned int fptype = algo_fptype & 0xff;
|
auto fptype = algo_fptype & 0xff;
|
||||||
|
|
||||||
String* fingerprint = ExtractStream(data, len, rdlength - 2);
|
String* fingerprint = ExtractStream(data, len, rdlength - 2);
|
||||||
|
|
||||||
|
|
@ -1400,18 +1401,18 @@ bool DNS_Interpreter::ParseRR_LOC(detail::DNS_MsgInfo* msg, const u_char*& data,
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
// split the two bytes for version and size extraction
|
// split the two bytes for version and size extraction
|
||||||
uint32_t ver_size = ExtractShort(data, len);
|
auto ver_size = ExtractShort(data, len);
|
||||||
unsigned int version = (ver_size >> 8) & 0xff;
|
auto version = (ver_size >> 8) & 0xff;
|
||||||
unsigned int size = ver_size & 0xff;
|
auto size = ver_size & 0xff;
|
||||||
|
|
||||||
// split the two bytes for horizontal and vertical precision extraction
|
// split the two bytes for horizontal and vertical precision extraction
|
||||||
uint32_t horiz_vert = ExtractShort(data, len);
|
auto horiz_vert = ExtractShort(data, len);
|
||||||
unsigned int horiz_pre = (horiz_vert >> 8) & 0xff;
|
auto horiz_pre = (horiz_vert >> 8) & 0xff;
|
||||||
unsigned int vert_pre = horiz_vert & 0xff;
|
auto vert_pre = horiz_vert & 0xff;
|
||||||
|
|
||||||
uint32_t latitude = ExtractLong(data, len);
|
auto latitude = ExtractLong(data, len);
|
||||||
uint32_t longitude = ExtractLong(data, len);
|
auto longitude = ExtractLong(data, len);
|
||||||
uint32_t altitude = ExtractLong(data, len);
|
auto altitude = ExtractLong(data, len);
|
||||||
|
|
||||||
if ( version != 0 ) {
|
if ( version != 0 ) {
|
||||||
analyzer->Weird("DNS_LOC_version_unrecognized", util::fmt("%d", version));
|
analyzer->Weird("DNS_LOC_version_unrecognized", util::fmt("%d", version));
|
||||||
|
|
@ -1440,7 +1441,7 @@ bool DNS_Interpreter::ParseRR_A(detail::DNS_MsgInfo* msg, const u_char*& data, i
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
uint32_t addr = ExtractLong(data, len);
|
auto addr = ExtractLong(data, len);
|
||||||
|
|
||||||
if ( dns_A_reply && ! msg->skip_event )
|
if ( dns_A_reply && ! msg->skip_event )
|
||||||
analyzer->EnqueueConnEvent(dns_A_reply, analyzer->ConnVal(), msg->BuildHdrVal(), msg->BuildAnswerVal(),
|
analyzer->EnqueueConnEvent(dns_A_reply, analyzer->ConnVal(), msg->BuildHdrVal(), msg->BuildAnswerVal(),
|
||||||
|
|
@ -1559,11 +1560,11 @@ bool DNS_Interpreter::ParseRR_CAA(detail::DNS_MsgInfo* msg, const u_char*& data,
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
unsigned int flags = ExtractShort(data, len);
|
auto flags = ExtractShort(data, len);
|
||||||
unsigned int tagLen = flags & 0xff;
|
auto tagLen = flags & 0xff;
|
||||||
flags = flags >> 8;
|
flags >>= 8;
|
||||||
rdlength -= 2;
|
rdlength -= 2;
|
||||||
if ( (int)tagLen >= rdlength ) {
|
if ( static_cast<int>(tagLen) >= rdlength ) {
|
||||||
analyzer->Weird("DNS_CAA_char_str_past_rdlen");
|
analyzer->Weird("DNS_CAA_char_str_past_rdlen");
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
@ -1598,8 +1599,8 @@ VectorValPtr DNS_Interpreter::Parse_SvcParams(const u_char*& data, int& len, int
|
||||||
static auto dns_svcb_param = id::find_type<RecordType>("dns_svcb_param");
|
static auto dns_svcb_param = id::find_type<RecordType>("dns_svcb_param");
|
||||||
auto svc_param = make_intrusive<RecordVal>(dns_svcb_param);
|
auto svc_param = make_intrusive<RecordVal>(dns_svcb_param);
|
||||||
|
|
||||||
const uint16_t key = ExtractShort(data, len);
|
auto key = ExtractShort(data, len);
|
||||||
uint16_t value_len = ExtractShort(data, len);
|
auto value_len = ExtractShort(data, len);
|
||||||
int item_len_parsed = 0;
|
int item_len_parsed = 0;
|
||||||
svc_params_len -= 4;
|
svc_params_len -= 4;
|
||||||
|
|
||||||
|
|
@ -1635,7 +1636,7 @@ VectorValPtr DNS_Interpreter::Parse_SvcParams(const u_char*& data, int& len, int
|
||||||
auto alpn = make_intrusive<VectorVal>(id::string_vec);
|
auto alpn = make_intrusive<VectorVal>(id::string_vec);
|
||||||
|
|
||||||
while ( item_len_parsed + 2 < value_len ) {
|
while ( item_len_parsed + 2 < value_len ) {
|
||||||
const uint8_t alpn_len = ExtractByte(data, len);
|
auto alpn_len = ExtractByte(data, len);
|
||||||
item_len_parsed += 1;
|
item_len_parsed += 1;
|
||||||
|
|
||||||
if ( alpn_len == 0 || alpn_len > 255 || alpn_len + item_len_parsed > value_len ) {
|
if ( alpn_len == 0 || alpn_len > 255 || alpn_len + item_len_parsed > value_len ) {
|
||||||
|
|
@ -1743,7 +1744,7 @@ bool DNS_Interpreter::ParseRR_SVCB(detail::DNS_MsgInfo* msg, const u_char*& data
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
const uint16_t svc_priority = ExtractShort(data, len);
|
auto svc_priority = ExtractShort(data, len);
|
||||||
|
|
||||||
u_char target_name[513];
|
u_char target_name[513];
|
||||||
int name_len = sizeof(target_name) - 1;
|
int name_len = sizeof(target_name) - 1;
|
||||||
|
|
@ -1781,8 +1782,8 @@ bool DNS_Interpreter::ParseRR_SVCB(detail::DNS_MsgInfo* msg, const u_char*& data
|
||||||
|
|
||||||
void DNS_Interpreter::SendReplyOrRejectEvent(detail::DNS_MsgInfo* msg, EventHandlerPtr event, const u_char*& data,
|
void DNS_Interpreter::SendReplyOrRejectEvent(detail::DNS_MsgInfo* msg, EventHandlerPtr event, const u_char*& data,
|
||||||
int& len, String* question_name, String* original_name) {
|
int& len, String* question_name, String* original_name) {
|
||||||
detail::RR_Type qtype = detail::RR_Type(ExtractShort(data, len));
|
auto qtype = static_cast<detail::RR_Type>(ExtractShort(data, len));
|
||||||
int qclass = ExtractShort(data, len);
|
auto qclass = ExtractShort(data, len);
|
||||||
|
|
||||||
assert(event);
|
assert(event);
|
||||||
|
|
||||||
|
|
@ -1790,10 +1791,9 @@ void DNS_Interpreter::SendReplyOrRejectEvent(detail::DNS_MsgInfo* msg, EventHand
|
||||||
val_mgr->Count(qtype), val_mgr->Count(qclass), make_intrusive<StringVal>(original_name));
|
val_mgr->Count(qtype), val_mgr->Count(qclass), make_intrusive<StringVal>(original_name));
|
||||||
}
|
}
|
||||||
|
|
||||||
DNS_MsgInfo::DNS_MsgInfo(DNS_RawMsgHdr* hdr, int arg_is_query) {
|
DNS_MsgInfo::DNS_MsgInfo(DNS_RawMsgHdr* hdr, bool arg_is_query) : is_query(arg_is_query) {
|
||||||
// ### Need to fix alignment if hdr is misaligned (not on a short
|
// ### Need to fix alignment if hdr is misaligned (not on a short boundary).
|
||||||
// boundary).
|
uint16_t flags = ntohs(hdr->flags);
|
||||||
unsigned short flags = ntohs(hdr->flags);
|
|
||||||
|
|
||||||
QR = (flags & 0x8000) != 0;
|
QR = (flags & 0x8000) != 0;
|
||||||
opcode = (flags & 0x7800) >> 11;
|
opcode = (flags & 0x7800) >> 11;
|
||||||
|
|
@ -1812,14 +1812,6 @@ DNS_MsgInfo::DNS_MsgInfo(DNS_RawMsgHdr* hdr, int arg_is_query) {
|
||||||
arcount = ntohs(hdr->arcount);
|
arcount = ntohs(hdr->arcount);
|
||||||
|
|
||||||
id = ntohs(hdr->id);
|
id = ntohs(hdr->id);
|
||||||
is_query = arg_is_query;
|
|
||||||
|
|
||||||
atype = detail::TYPE_ALL;
|
|
||||||
aclass = 0;
|
|
||||||
ttl = 0;
|
|
||||||
|
|
||||||
answer_type = DNS_QUESTION;
|
|
||||||
skip_event = 0;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
RecordValPtr DNS_MsgInfo::BuildHdrVal() {
|
RecordValPtr DNS_MsgInfo::BuildHdrVal() {
|
||||||
|
|
@ -1877,12 +1869,12 @@ RecordValPtr DNS_MsgInfo::BuildEDNS_Val() {
|
||||||
// initial: [------------- ttl (32) ---------------------]
|
// initial: [------------- ttl (32) ---------------------]
|
||||||
// after: [ ext rcode (8)][ver # (8)][ Z field (16) ]
|
// after: [ ext rcode (8)][ver # (8)][ Z field (16) ]
|
||||||
|
|
||||||
unsigned int ercode = (ttl >> 24) & 0xff;
|
uint32_t ercode = (ttl >> 24) & 0xff;
|
||||||
unsigned int version = (ttl >> 16) & 0xff;
|
uint32_t version = (ttl >> 16) & 0xff;
|
||||||
// unsigned int DO = ttl & 0x8000; // "DNSSEC OK" - RFC 3225
|
// uint32_t DO = ttl & 0x8000; // "DNSSEC OK" - RFC 3225
|
||||||
unsigned int z = ttl & 0xffff;
|
uint32_t z = ttl & 0xffff;
|
||||||
|
|
||||||
unsigned int return_error = (ercode << 4) | rcode;
|
uint32_t return_error = (ercode << 4) | rcode;
|
||||||
|
|
||||||
r->Assign(4, return_error);
|
r->Assign(4, return_error);
|
||||||
r->Assign(5, version);
|
r->Assign(5, version);
|
||||||
|
|
|
||||||
|
|
@ -160,22 +160,22 @@ enum SVCPARAM_Key : uint8_t {
|
||||||
};
|
};
|
||||||
|
|
||||||
struct DNS_RawMsgHdr {
|
struct DNS_RawMsgHdr {
|
||||||
unsigned short id;
|
uint16_t id;
|
||||||
unsigned short flags;
|
uint16_t flags;
|
||||||
unsigned short qdcount;
|
uint16_t qdcount;
|
||||||
unsigned short ancount;
|
uint16_t ancount;
|
||||||
unsigned short nscount;
|
uint16_t nscount;
|
||||||
unsigned short arcount;
|
uint16_t arcount;
|
||||||
};
|
};
|
||||||
|
|
||||||
struct EDNS_ADDITIONAL { // size
|
struct EDNS_ADDITIONAL { // size
|
||||||
unsigned short name; // -
|
uint16_t name; // -
|
||||||
unsigned short type; // 16 : ExtractShort(data, len)
|
uint16_t type; // 16 : ExtractShort(data, len)
|
||||||
unsigned short payload_size; // 16
|
uint16_t payload_size; // 16
|
||||||
unsigned short extended_rcode; // 8
|
uint8_t extended_rcode; // 8
|
||||||
unsigned short version; // 8
|
uint8_t version; // 8
|
||||||
unsigned short z; // 16
|
uint16_t z; // 16
|
||||||
unsigned short rdata_len; // 16
|
uint16_t rdata_len; // 16
|
||||||
};
|
};
|
||||||
|
|
||||||
struct EDNS_ECS {
|
struct EDNS_ECS {
|
||||||
|
|
@ -197,83 +197,83 @@ struct EDNS_COOKIE {
|
||||||
|
|
||||||
struct TKEY_DATA {
|
struct TKEY_DATA {
|
||||||
String* alg_name;
|
String* alg_name;
|
||||||
unsigned long inception;
|
uint32_t inception;
|
||||||
unsigned long expiration;
|
uint32_t expiration;
|
||||||
unsigned short mode;
|
uint16_t mode;
|
||||||
unsigned short error;
|
uint16_t error;
|
||||||
String* key;
|
String* key;
|
||||||
};
|
};
|
||||||
|
|
||||||
struct TSIG_DATA {
|
struct TSIG_DATA {
|
||||||
String* alg_name;
|
String* alg_name;
|
||||||
unsigned long time_s;
|
uint32_t time_s;
|
||||||
unsigned short time_ms;
|
uint16_t time_ms;
|
||||||
String* sig;
|
String* sig;
|
||||||
unsigned short fudge;
|
uint16_t fudge;
|
||||||
unsigned short orig_id;
|
uint16_t orig_id;
|
||||||
unsigned short rr_error;
|
uint16_t rr_error;
|
||||||
};
|
};
|
||||||
|
|
||||||
struct RRSIG_DATA {
|
struct RRSIG_DATA {
|
||||||
unsigned short type_covered; // 16 : ExtractShort(data, len)
|
uint16_t type_covered; // 16 : ExtractShort(data, len)
|
||||||
unsigned short algorithm; // 8
|
uint8_t algorithm; // 8
|
||||||
unsigned short labels; // 8
|
uint8_t labels; // 8
|
||||||
uint32_t orig_ttl; // 32
|
uint32_t orig_ttl; // 32
|
||||||
unsigned long sig_exp; // 32
|
uint32_t sig_exp; // 32
|
||||||
unsigned long sig_incep; // 32
|
uint32_t sig_incep; // 32
|
||||||
unsigned short key_tag; // 16
|
uint16_t key_tag; // 16
|
||||||
String* signer_name;
|
String* signer_name;
|
||||||
String* signature;
|
String* signature;
|
||||||
};
|
};
|
||||||
|
|
||||||
struct DNSKEY_DATA {
|
struct DNSKEY_DATA {
|
||||||
unsigned short dflags; // 16 : ExtractShort(data, len)
|
uint16_t dflags; // 16 : ExtractShort(data, len)
|
||||||
unsigned short dalgorithm; // 8
|
uint8_t dalgorithm; // 8
|
||||||
unsigned short dprotocol; // 8
|
uint8_t dprotocol; // 8
|
||||||
String* public_key; // Variable length Public Key
|
String* public_key; // Variable length Public Key
|
||||||
};
|
};
|
||||||
|
|
||||||
struct NSEC3_DATA {
|
struct NSEC3_DATA {
|
||||||
unsigned short nsec_flags;
|
uint16_t nsec_flags;
|
||||||
unsigned short nsec_hash_algo;
|
uint16_t nsec_hash_algo;
|
||||||
unsigned short nsec_iter;
|
uint16_t nsec_iter;
|
||||||
unsigned short nsec_salt_len;
|
uint16_t nsec_salt_len;
|
||||||
String* nsec_salt;
|
String* nsec_salt;
|
||||||
unsigned short nsec_hlen;
|
uint16_t nsec_hlen;
|
||||||
String* nsec_hash;
|
String* nsec_hash;
|
||||||
VectorValPtr bitmaps;
|
VectorValPtr bitmaps;
|
||||||
};
|
};
|
||||||
|
|
||||||
struct NSEC3PARAM_DATA {
|
struct NSEC3PARAM_DATA {
|
||||||
unsigned short nsec_flags; // 8
|
uint8_t nsec_flags; // 8
|
||||||
unsigned short nsec_hash_algo; // 8
|
uint8_t nsec_hash_algo; // 8
|
||||||
unsigned short nsec_iter; // 16 : ExtractShort(data, len)
|
uint16_t nsec_iter; // 16 : ExtractShort(data, len)
|
||||||
unsigned short nsec_salt_len; // 8
|
uint8_t nsec_salt_len; // 8
|
||||||
String* nsec_salt; // Variable length salt
|
String* nsec_salt; // Variable length salt
|
||||||
};
|
};
|
||||||
|
|
||||||
struct DS_DATA {
|
struct DS_DATA {
|
||||||
unsigned short key_tag; // 16 : ExtractShort(data, len)
|
uint16_t key_tag; // 16 : ExtractShort(data, len)
|
||||||
unsigned short algorithm; // 8
|
uint8_t algorithm; // 8
|
||||||
unsigned short digest_type; // 8
|
uint8_t digest_type; // 8
|
||||||
String* digest_val; // Variable length Digest of DNSKEY RR
|
String* digest_val; // Variable length Digest of DNSKEY RR
|
||||||
};
|
};
|
||||||
|
|
||||||
struct BINDS_DATA {
|
struct BINDS_DATA {
|
||||||
unsigned short algorithm; // 8
|
uint8_t algorithm; // 8
|
||||||
unsigned short key_id; // 16 : ExtractShort(data, len)
|
uint8_t removal_flag; // 8
|
||||||
unsigned short removal_flag; // 8
|
uint16_t key_id; // 16 : ExtractShort(data, len)
|
||||||
uint8_t complete_flag; // 8
|
uint8_t complete_flag; // 8
|
||||||
};
|
};
|
||||||
|
|
||||||
struct LOC_DATA {
|
struct LOC_DATA {
|
||||||
unsigned short version; // 8
|
uint8_t version; // 8
|
||||||
unsigned short size; // 8
|
uint8_t size; // 8
|
||||||
unsigned short horiz_pre; // 8
|
uint8_t horiz_pre; // 8
|
||||||
unsigned short vert_pre; // 8
|
uint8_t vert_pre; // 8
|
||||||
unsigned long latitude; // 32
|
uint32_t latitude; // 32
|
||||||
unsigned long longitude; // 32
|
uint32_t longitude; // 32
|
||||||
unsigned long altitude; // 32
|
uint32_t altitude; // 32
|
||||||
};
|
};
|
||||||
|
|
||||||
struct SVCB_DATA {
|
struct SVCB_DATA {
|
||||||
|
|
@ -284,7 +284,7 @@ struct SVCB_DATA {
|
||||||
|
|
||||||
class DNS_MsgInfo {
|
class DNS_MsgInfo {
|
||||||
public:
|
public:
|
||||||
DNS_MsgInfo(DNS_RawMsgHdr* hdr, int is_query);
|
DNS_MsgInfo(DNS_RawMsgHdr* hdr, bool is_query);
|
||||||
|
|
||||||
RecordValPtr BuildHdrVal();
|
RecordValPtr BuildHdrVal();
|
||||||
RecordValPtr BuildAnswerVal();
|
RecordValPtr BuildAnswerVal();
|
||||||
|
|
@ -303,34 +303,30 @@ public:
|
||||||
RecordValPtr BuildLOC_Val(struct LOC_DATA*);
|
RecordValPtr BuildLOC_Val(struct LOC_DATA*);
|
||||||
RecordValPtr BuildSVCB_Val(const struct SVCB_DATA&);
|
RecordValPtr BuildSVCB_Val(const struct SVCB_DATA&);
|
||||||
|
|
||||||
int id;
|
uint16_t id;
|
||||||
int opcode; ///< query type, see DNS_Opcode
|
uint8_t opcode; ///< query type, see DNS_Opcode
|
||||||
int rcode; ///< return code, see DNS_Code
|
uint16_t rcode; ///< return code, see DNS_Code
|
||||||
int QR; ///< query record flag
|
bool QR; ///< query record flag
|
||||||
int AA; ///< authoritative answer flag
|
bool AA; ///< authoritative answer flag
|
||||||
int TC; ///< truncated - size > 512 bytes for udp
|
bool TC; ///< truncated - size > 512 bytes for udp
|
||||||
int RD; ///< recursion desired
|
bool RD; ///< recursion desired
|
||||||
int RA; ///< recursion available
|
bool RA; ///< recursion available
|
||||||
int Z; ///< 3 bit field (includes AD and CD)
|
uint8_t Z; ///< 3 bit field (includes AD and CD)
|
||||||
int AD; ///< authentic data
|
bool AD; ///< authentic data
|
||||||
int CD; ///< checking disabled
|
bool CD; ///< checking disabled
|
||||||
int qdcount; ///< number of questions
|
uint16_t qdcount; ///< number of questions
|
||||||
int ancount; ///< number of answers
|
uint16_t ancount; ///< number of answers
|
||||||
int nscount; ///< number of authority RRs
|
uint16_t nscount; ///< number of authority RRs
|
||||||
int arcount; ///< number of additional RRs
|
uint16_t arcount; ///< number of additional RRs
|
||||||
int is_query; ///< whether it came from the session initiator
|
bool is_query = false; ///< whether it came from the session initiator
|
||||||
|
bool skip_event = false; ///< if true, don't generate corresponding events
|
||||||
|
|
||||||
StringValPtr query_name;
|
StringValPtr query_name;
|
||||||
RR_Type atype;
|
RR_Type atype = TYPE_ALL;
|
||||||
int aclass; ///< normally = 1, inet
|
int aclass = 0; ///< normally = 1, inet
|
||||||
uint32_t ttl;
|
uint32_t ttl = 0;
|
||||||
|
|
||||||
DNS_AnswerType answer_type;
|
DNS_AnswerType answer_type = DNS_QUESTION;
|
||||||
int skip_event; ///< if true, don't generate corresponding events
|
|
||||||
// int answer_count; ///< count of responders. if >1 and not
|
|
||||||
///< identical answer, there may be problems
|
|
||||||
// uint32* addr; ///< cache value to pass back results
|
|
||||||
///< for forward lookups
|
|
||||||
};
|
};
|
||||||
|
|
||||||
class DNS_Interpreter final {
|
class DNS_Interpreter final {
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue