Add Conn and DNS protocol script documentation. (fixes #731)

2025-10-10 02:28:21 +00:00 · 2012-01-09 14:23:24 -06:00 · 2012-01-09 14:23:24 -06:00 · 62d012e04a
commit 62d012e04a
parent f389fb42c3
7 changed files with 148 additions and 64 deletions
--- a/scripts/base/protocols/dns/consts.bro
+++ b/scripts/base/protocols/dns/consts.bro
@ -4,9 +4,9 @@
 module DNS;

 export {
-	const PTR = 12;
-	const EDNS = 41;
-	const ANY = 255;
+	const PTR = 12;  ##< RR TYPE value for a domain name pointer.
+	const EDNS = 41; ##< An OPT RR TYPE value described by EDNS.
+	const ANY = 255; ##< A QTYPE value describing a request for all records.

 	## Mapping of DNS query type codes to human readable string representation.
 	const query_types = {
@ -29,50 +29,43 @@ export {
 		[ANY] = "*",
 	} &default = function(n: count): string { return fmt("query-%d", n); };

-	const code_types = {
-		[0] = "X0",
-		[1] = "Xfmt",
-		[2] = "Xsrv",
-		[3] = "Xnam",
-		[4] = "Ximp",
-		[5] = "X[",
-	} &default="?";
-
 	## Errors used for non-TSIG/EDNS types.
 	const base_errors = {
-		[0] = "NOERROR",        ##< No Error
-		[1] = "FORMERR",        ##< Format Error
-		[2] = "SERVFAIL",       ##< Server Failure
-		[3] = "NXDOMAIN",       ##< Non-Existent Domain
-		[4] = "NOTIMP",         ##< Not Implemented
-		[5] = "REFUSED",        ##< Query Refused
-		[6] = "YXDOMAIN",       ##< Name Exists when it should not
-		[7] = "YXRRSET",        ##< RR Set Exists when it should not
-		[8] = "NXRRSet",        ##< RR Set that should exist does not
-		[9] = "NOTAUTH",        ##< Server Not Authoritative for zone
-		[10] = "NOTZONE",       ##< Name not contained in zone
-		[11] = "unassigned-11", ##< available for assignment
-		[12] = "unassigned-12", ##< available for assignment
-		[13] = "unassigned-13", ##< available for assignment
-		[14] = "unassigned-14", ##< available for assignment
-		[15] = "unassigned-15", ##< available for assignment
-		[16] = "BADVERS",       ##< for EDNS, collision w/ TSIG
-		[17] = "BADKEY",        ##< Key not recognized
-		[18] = "BADTIME",       ##< Signature out of time window
-		[19] = "BADMODE",       ##< Bad TKEY Mode
-		[20] = "BADNAME",       ##< Duplicate key name
-		[21] = "BADALG",        ##< Algorithm not supported
-		[22] = "BADTRUNC",      ##< draft-ietf-dnsext-tsig-sha-05.txt
-		[3842] = "BADSIG",      ##< 16 <= number collision with EDNS(16);
-		                        ##< this is a translation from TSIG(16)
+		[0] = "NOERROR",        # No Error
+		[1] = "FORMERR",        # Format Error
+		[2] = "SERVFAIL",       # Server Failure
+		[3] = "NXDOMAIN",       # Non-Existent Domain
+		[4] = "NOTIMP",         # Not Implemented
+		[5] = "REFUSED",        # Query Refused
+		[6] = "YXDOMAIN",       # Name Exists when it should not
+		[7] = "YXRRSET",        # RR Set Exists when it should not
+		[8] = "NXRRSet",        # RR Set that should exist does not
+		[9] = "NOTAUTH",        # Server Not Authoritative for zone
+		[10] = "NOTZONE",       # Name not contained in zone
+		[11] = "unassigned-11", # available for assignment
+		[12] = "unassigned-12", # available for assignment
+		[13] = "unassigned-13", # available for assignment
+		[14] = "unassigned-14", # available for assignment
+		[15] = "unassigned-15", # available for assignment
+		[16] = "BADVERS",       # for EDNS, collision w/ TSIG
+		[17] = "BADKEY",        # Key not recognized
+		[18] = "BADTIME",       # Signature out of time window
+		[19] = "BADMODE",       # Bad TKEY Mode
+		[20] = "BADNAME",       # Duplicate key name
+		[21] = "BADALG",        # Algorithm not supported
+		[22] = "BADTRUNC",      # draft-ietf-dnsext-tsig-sha-05.txt
+		[3842] = "BADSIG",      # 16 <= number collision with EDNS(16);
+		                        # this is a translation from TSIG(16)
 	} &default = function(n: count): string { return fmt("rcode-%d", n); };

-	# This deciphers EDNS Z field values.
+	## This deciphers EDNS Z field values.
 	const edns_zfield = {
 		[0]     = "NOVALUE",    # regular entry
 		[32768] = "DNS_SEC_OK", # accepts DNS Sec RRs
 	} &default="?";

+	## Possible values of the CLASS field in resource records or QCLASS field
+	## in query messages.
 	const classes = {
 		[1]   = "C_INTERNET",
 		[2]   = "C_CSNET",
@ -81,4 +74,4 @@ export {
 		[254] = "C_NONE",
 		[255] = "C_ANY",
 	} &default = function(n: count): string { return fmt("qclass-%d", n); };
-}
+}
--- a/scripts/base/protocols/dns/main.bro
+++ b/scripts/base/protocols/dns/main.bro
@ -1,38 +1,80 @@
+##! Base DNS analysis script which tracks and logs DNS queries along with
+##! their responses.
+
@load ./consts

 module DNS;

 export {
+	## The DNS logging stream identifier.
 	redef enum Log::ID += { LOG };

+	## The record type which contains the column fields of the DNS log.
 	type Info: record {
+		## The earliest time at which a DNS protocol message over the
+		## associated connection is observed.
 		ts:            time               &log;
+		## A unique identifier of the connection over which DNS messages
+		## are being transferred.
 		uid:           string             &log;
+		## The connection's 4-tuple of endpoint addresses/ports.
 		id:            conn_id            &log;
+		## The transport layer protocol of the connection.
 		proto:         transport_proto    &log;
+		## A 16 bit identifier assigned by the program that generated the
+		## DNS query.  Also used in responses to match up replies to
+		## outstanding queries.
 		trans_id:      count              &log &optional;
+		## The domain name that is the subject of the DNS query.
 		query:         string             &log &optional;
+		## The QCLASS value specifying the class of the query.
 		qclass:        count              &log &optional;
+		## A descriptive name for the class of the query.
 		qclass_name:   string             &log &optional;
+		## A QTYPE value specifying the type of the query.
 		qtype:         count              &log &optional;
+		## A descriptive name for the type of the query.
 		qtype_name:    string             &log &optional;
+		## The response code value in DNS response messages.
 		rcode:         count              &log &optional;
+		## A descriptive name for the response code value.
 		rcode_name:    string             &log &optional;
+		## Whether the message is a query (F) or response (T).
 		QR:            bool               &log &default=F;
+		## The Authoritative Answer bit for response messages specifies that
+		## the responding name server is an authority for the domain name
+		## in the question section.
 		AA:            bool               &log &default=F;
+		## The Truncation bit specifies that the message was truncated.
 		TC:            bool               &log &default=F;
+		## The Recursion Desired bit indicates to a name server to recursively
+		## purse the query.
 		RD:            bool               &log &default=F;
+		## The Recursion Available bit in a response message indicates if
+		## the name server supports recursive queries.
 		RA:            bool               &log &default=F;
+		## A reserved field that is currently supposed to be zero in all
+		## queries and responses.
 		Z:             count              &log &default=0;
+		## The set of resource descriptions in answer of the query.
 		answers:       vector of string   &log &optional;
+		## The caching intervals of the associated RRs described by the
+		## ``answers`` field.
 		TTLs:          vector of interval &log &optional;

-		## This value indicates if this request/response pair is ready to be logged.
+		## This value indicates if this request/response pair is ready to be
+		## logged.
 		ready:         bool            &default=F;
+		## The total number of resource records in a reply message's answer
+		## section.
 		total_answers: count           &optional;
+		## The total number of resource records in a reply message's answer,
+		## authority, and additional sections.
 		total_replies: count           &optional;
 	};

+	## A record type which tracks the status of DNS queries for a given
+	## :bro:type:`connection`.
 	type State: record {
 		## Indexed by query id, returns Info record corresponding to
 		## query/response which haven't completed yet.
@ -44,11 +86,21 @@ export {
 		finished_answers: set[count] &optional;
 	};

+	## An event that can be handled to access the :bro:type:`DNS::Info`
+	## record as it is sent to the logging framework.
 	global log_dns: event(rec: Info);

 	## This is called by the specific dns_*_reply events with a "reply" which
 	## may not represent the full data available from the resource record, but
 	## it's generally considered a summarization of the response(s).
+	##
+	## c: The connection record for which to fill in DNS reply data.
+	##
+	## msg: The DNS message header information for the response.
+	##
+	## ans: The general information of a RR response.
+	##
+	## reply: The specific response information according to RR type/class.
 	global do_reply: event(c: connection, msg: dns_msg, ans: dns_answer, reply: string);
 }