Merge remote-tracking branch 'origin/topic/johanna/jbaggs-ignore-mdns'

* origin/topic/johanna/jbaggs-ignore-mdns:
  IPv6 support for detect-external-names and testcase
  Add  `skip_resp_host_port_pairs` option.

CHANGES

@@ -1,3 +1,11 @@
+7.2.0-dev.156 | 2025-02-05 09:05:00 +0000
+
+  * IPv6 support for detect-external-names and testcase (Johanna Amann, Corelight)
+
+  * Add  `skip_resp_host_port_pairs` option to policy/protocols/dns/detect-external-names.zeek.
+    This option allows to skip the detection of external names for certain addresses.
+    By default this is set so that mDNS broadcasts no longer are logged as extenal. (jbaggs)
+
 7.2.0-dev.152 | 2025-02-04 14:50:36 -0800
 
   * Bump cluster testsuite to pull in resilience to agent connection timing [skip ci] (Christian Kreibich, Corelight)

NEWS

@@ -31,6 +31,12 @@ Changed Functionality
   A subsequent ``--load-seeds`` run with the same scripts and traces will produce
   identical UID values as the original ``--save-seeds` run.
 
+- The `policy/protocols/dns/detect-external-names.zeek` script now no longer logs
+  names that were found in mDNS broadcasts by default. This is configurable with
+  the new `DNS::skip_resp_host_port_pairs` option.
+
+  Furthermore, the script now supports and logs IPv6 results.
+
 Removed Functionality
 ---------------------
 

VERSION

@@ -1 +1 @@
-7.2.0-dev.152
+7.2.0-dev.156

scripts/policy/protocols/dns/detect-external-names.zeek

@@ -15,13 +15,19 @@ export {
 		## **must** be set appropriately for this detection.
 		External_Name,
 		};
+
+	## Default is to ignore mDNS broadcasts.
+	option skip_resp_host_port_pairs: set[addr, port] = { [[224.0.0.251, [ff02::fb]], 5353/udp] };
 }
 
-event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr) &priority=-3
+function detect_external_names(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
 	{
 	if ( |Site::local_zones| == 0 )
 		return;
 
+	if ( [c$id$resp_h, c$id$resp_p] in skip_resp_host_port_pairs )
+		return;
+
 	# Check for responses from remote hosts that point at local hosts
 	# but the name is not considered to be within a "local" zone.
 	if ( Site::is_local_addr(a) &&            # referring to a local host
@@ -33,3 +39,13 @@ event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr) &priori
 		        $identifier=cat(a,ans$query)]);
 		}
 	}
+
+event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
+	{
+	detect_external_names(c, msg, ans, a);
+	}
+
+event dns_AAAA_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
+	{
+	detect_external_names(c, msg, ans, a);
+	}

testing/btest/Baseline/scripts.policy.protocols.dns.detect-external-names-mdns-broadcast-2/notice.log

@@ -0,0 +1,13 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	notice
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	email_dest	suppress_for	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
+#types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	set[string]	interval	string	string	string	double	double
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	fd52:429e:c03c:8235:883c:d6ff:fee1:4dc4	5353	ff02::fb	5353	-	-	-	udp	DNS::External_Name	johanna-qemu-virtual-machine.local is pointing to a local host - fd52:429e:c03c:8235:883c:d6ff:fee1:4dc4.	-	fd52:429e:c03c:8235:883c:d6ff:fee1:4dc4	ff02::fb	5353	-	-	Notice::ACTION_LOG	(empty)	3600.000000	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	fd52:429e:c03c:8235:883c:d6ff:fee1:4dc4	5353	ff02::fb	5353	-	-	-	udp	DNS::External_Name	johanna-qemu-virtual-machine.local is pointing to a local host - fd52:429e:c03c:8235:5968:5bc6:1563:f82f.	-	fd52:429e:c03c:8235:883c:d6ff:fee1:4dc4	ff02::fb	5353	-	-	Notice::ACTION_LOG	(empty)	3600.000000	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	10.0.2.7	5353	224.0.0.251	5353	-	-	-	udp	DNS::External_Name	johanna-qemu-virtual-machine.local is pointing to a local host - 10.0.2.7.	-	10.0.2.7	224.0.0.251	5353	-	-	Notice::ACTION_LOG	(empty)	3600.000000	-	-	-	-	-
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.policy.protocols.dns.detect-external-names-mdns-broadcast/notice.log

@@ -0,0 +1 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.

testing/btest/scripts/policy/protocols/dns/detect-external-names-mdns-broadcast.zeek

@@ -0,0 +1,27 @@
+# Test verifies that mDNS broadcasts are not logged by default.
+# @TEST-EXEC: zeek -b -C -r $TRACES/dns/mdns.pcap %INPUT
+# @TEST-EXEC: touch notice.log
+# @TEST-EXEC: btest-diff notice.log
+
+##! First test - no log
+
+@load base/protocols/dns
+@load policy/protocols/dns/detect-external-names
+
+redef Site::local_zones +=  {"example.inalid"};
+
+@TEST-START-NEXT
+
+##! second test - should output log due to changed config
+
+@load base/protocols/dns
+@load policy/protocols/dns/detect-external-names
+@load base/frameworks/config
+
+redef Site::local_zones +=  {"example.inalid"};
+
+event zeek_init()
+	{
+	print Site::local_nets;
+	Config::set_value("DNS::skip_resp_host_port_pairs", set());
+	}