Merge remote-tracking branch 'origin/master' into topic/johanna/dpd-changes

This also includes some test baseline updates, due to recent QUIC
changes.

* origin/master: (39 commits)
  Update doc submodule [nomail] [skip ci]
  Bump cluster testsuite to pull in resilience to agent connection timing [skip ci]
  IPv6 support for detect-external-names and testcase
  Add  `skip_resp_host_port_pairs` option.
  util/init_random_seed: write_file implies deterministic
  external/subdir-btest.cfg: Set OPENSSL_ENABLE_SHA1_SIGNATURES=1
  btest/x509_verify: Drop OpenSSL 1.0 hack
  testing/btest: Use OPENSSL_ENABLE_SHA1_SIGNATURES
  Add ZAM baseline for new scripts.base.protocols.quic.analyzer-confirmations btest
  QUIC/decrypt_crypto: Rename all_data to data
  QUIC: Confirm before forwarding data to SSL
  QUIC: Parse all QUIC packets in a UDP datagram
  QUIC: Only slurp till packet end, not till &eod
  Remove unused SupervisedNode::InitCluster declaration
  Update doc submodule [nomail] [skip ci]
  Bump cluster testsuite to pull in updated Prometheus tests
  Make enc_part value from kerberos response available to scripts
  Management framework: move up addition of agent IPs into deployable cluster configs
  Support multiple instances per host addr in auto metrics generation
  When auto-generating metrics ports for worker nodes, get them more uniform across instances.
  ...
Johanna Amann 2025-02-05 09:30:48 +00:00
commit 6324445d62
96 changed files with 1882 additions and 1265 deletions


@ -15,13 +15,19 @@ export {
## **must** be set appropriately for this detection.
External_Name,
};
## Default is to ignore mDNS broadcasts.
option skip_resp_host_port_pairs: set[addr, port] = { [[224.0.0.251, [ff02::fb]], 5353/udp] };
}
event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr) &priority=-3
function detect_external_names(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
{
if ( |Site::local_zones| == 0 )
return;
if ( [c$id$resp_h, c$id$resp_p] in skip_resp_host_port_pairs )
return;
# Check for responses from remote hosts that point at local hosts
# but the name is not considered to be within a "local" zone.
if ( Site::is_local_addr(a) && # referring to a local host
@ -33,3 +39,13 @@ event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr) &priori
$identifier=cat(a,ans$query)]);
}
}
event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
{
detect_external_names(c, msg, ans, a);
}
event dns_AAAA_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
{
detect_external_names(c, msg, ans, a);
}
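Review bot: The new `skip_resp_host_port_pairs` option in the export block is documented only by `## Default is to ignore mDNS broadcasts.`, so the generated option docs never say what the option does; prefer `## Responder address/port pairs for which external-name detection is skipped.` followed by the existing default sentence. The new `detect_external_names` function has no comment at all; a line such as `# Shared check for A and AAAA answers: raises External_Name when a non-local name resolves to a local host.` above it would help, noting that its body continues past the end of the first hunk. The `[c$id$resp_h, c$id$resp_p] in skip_resp_host_port_pairs` lookup matches only flows whose responder is the multicast group and port listed, so answers that arrive at a unicast 5353 endpoint are still checked — worth stating in the option doc so operators know what the default does and does not cover. The `&priority=-3` visible on the old `dns_A_reply` line is absent from the new `dns_A_reply` and `dns_AAAA_reply` handlers; if ordering relative to the base DNS handlers mattered, carry it over or record in a comment why it was dropped.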