diff --git a/NEWS b/NEWS index a9360d2eec..2b0bd95481 100644 --- a/NEWS +++ b/NEWS @@ -4,6 +4,30 @@ release. For an exhaustive list of changes, see the ``CHANGES`` file (note that submodules, such as BroControl and Broccoli, come with their own ``CHANGES``.) +Bro 2.7 +======= + +New Functionality +----------------- + +- Added support for DNSSEC resource records RRSIG, DNSKEY, DS, NSEC, and NSEC3. + The associated events are: + + - dns_RRSIG + - dns_DNSKEY + - dns_DS + - dns_NSEC + - dns_NSEC3 + +Changed Functionality +--------------------- + +Removed Functionality +--------------------- + +Deprecated Functionality +------------------------ + Bro 2.6 ======= diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index 93bcc203b7..3f13bd232a 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro 
@@ -3544,6 +3544,67 @@ type dns_tsig_additional: record { is_query: count; ##< TODO. }; +## A DNSSEC RRSIG record. +## +## .. bro:see:: dns_RRSIG +type dns_rrsig_rr: record { + query: string; ##< Query. + answer_type: count; ##< Ans type. + type_covered: count; ##< qtype covered by RRSIG RR. + algorithm: count; ##< Algorithm. + labels: count; ##< Labels in the owner's name. + orig_ttl: interval; ##< Original TTL. + sig_exp: time; ##< Time when signed RR expires. + sig_incep: time; ##< Time when signed. + key_tag: count; ##< Key tag value. + signer_name: string; ##< Signature. + signature: string; ##< Hash of the RRDATA. + is_query: count; ##< The RR is a query/Response. +}; + +## A DNSSEC DNSKEY record. +## +## .. bro:see:: dns_DNSKEY +type dns_dnskey_rr: record { + query: string; ##< Query. + answer_type: count; ##< Ans type. + flags: count; ##< flags filed. + protocol: count; ##< Protocol, should be always 3 for DNSSEC. + algorithm: count; ##< Algorithm for Public Key. + public_key: string; ##< Public Key + is_query: count; ##< The RR is a query/Response. +}; + +## A DNSSEC NSEC3 record. +## +## .. bro:see:: dns_NSEC3 +type dns_nsec3_rr: record { + query: string; ##< Query. + answer_type: count; ##< Ans type. + nsec_flags: count; ##< flags field. + nsec_hash_algo: count; ##< Hash algorithm. + nsec_iter: count; ##< Iterations. + nsec_salt_len: count; ##< Salt length. + nsec_salt: string; ##< Salt value + nsec_hlen: count; ##< Hash length. + nsec_hash: string; ##< Hash value. + bitmaps: string_vec; ##< Type Bit Maps. + is_query: count; ##< The RR is a query/Response. +}; + +## A DNSSEC DS record. +## +## .. bro:see:: dns_DS +type dns_ds_rr: record { + query: string; ##< Query. + answer_type: count; ##< Ans type. + key_tag: count; ##< flags filed. + algorithm: count; ##< Algorithm for Public Key. + digest_type: count; ##< Digest Type. + digest_val: string; ##< Digest Value. + is_query: count; ##< The RR is a query/Response. +}; + # DNS answer types. # # .. 
bro:see:: dns_answerr
diff --git a/scripts/base/protocols/dns/consts.bro b/scripts/base/protocols/dns/consts.bro
index dfcbc4031f..92ef314d09 100644
--- a/scripts/base/protocols/dns/consts.bro
+++ b/scripts/base/protocols/dns/consts.bro
@@ -76,4 +76,37 @@ export {
 [254] = "C_NONE",
 [255] = "C_ANY",
 } &default = function(n: count): string { return fmt("qclass-%d", n); };
+
+ ## Possible values of the algorithms used in DNSKEY, DS and RRSIG records
+ const algorithms = {
+ [0] = "reserved0",
+ [1] = "RSA_MD5",
+ [2] = "Diffie_Hellman",
+ [3] = "DSA_SHA1",
+ [4] = "Elliptic_Curve",
+ [5] = "RSA_SHA1",
+ [6] = "DSA_NSEC3_SHA1",
+ [7] = "RSA_SHA1_NSEC3_SHA1",
+ [8] = "RSA_SHA256",
+ [10] = "RSA_SHA512",
+ [12] = "GOST_R_34_10_2001",
+ [13] = "ECDSA_curveP256withSHA256",
+ [14] = "ECDSA_curveP384withSHA384",
+ [15] = "Ed25519",
+ [16] = "Ed448",
+ [252] = "Indirect",
+ [253] = "PrivateDNS",
+ [254] = "PrivateOID",
+ [255] = "reserved255",
+ } &default = function(n: count): string { return fmt("algorithm-%d", n); };
+
+ ## Possible digest types used in DNSSEC.
+ const digests = {
+ [0] = "reserved0",
+ [1] = "SHA1",
+ [2] = "SHA256",
+ [3] = "GOST_R_34_11_94",
+ [4] = "SHA384",
+ } &default = function(n: count): string { return fmt("digest-%d", n); };
+
 }
diff --git a/scripts/base/protocols/dns/main.bro b/scripts/base/protocols/dns/main.bro
index a6104e12a3..300b1ef784 100644
--- a/scripts/base/protocols/dns/main.bro
+++ b/scripts/base/protocols/dns/main.bro
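Review bot: Several field comments in the new record types describe the wrong thing: `signer_name: string; ##< Signature.` is the owner name of the DNSKEY that produced the signature, `signature: string; ##< Hash of the RRDATA.` is the cryptographic signature over the RRset rather than a hash, and in dns_ds_rr `key_tag: count; ##< flags filed.` is the key tag of the referenced DNSKEY (the same `##< flags filed.` typo sits on dns_dnskey_rr's flags, where it should read `##< Flags field; 256 = zone key, 257 = zone key with SEP bit.`). `nsec_salt_len` and `nsec_hlen` duplicate the lengths of `nsec_salt` and `nsec_hash`, which Bro strings already carry; if they stay, their comments should say they are the wire-format length octets. `is_query: count; ##< The RR is a query/Response.` would be clearer as `##< 1 if the RR came from a query, 0 if from a response.`, provided that matches how the analyzer sets is_query, which is not visible here.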
@@ -466,6 +466,38 @@ event dns_SRV_reply(c: connection, msg: dns_msg, ans: dns_answer, target: string # # } +event dns_RRSIG(c: connection, msg: dns_msg, ans: dns_answer, rrsig: dns_rrsig_rr) + { + local s: string; + s = fmt("RRSIG %s %s", rrsig$type_covered, + rrsig$signer_name == "" ? "" : rrsig$signer_name); + hook DNS::do_reply(c, msg, ans, s); + } + +event dns_DNSKEY(c: connection, msg: dns_msg, ans: dns_answer, dnskey: dns_dnskey_rr) + { + local s: string; + s = fmt("DNSKEY %s", dnskey$algorithm); + hook DNS::do_reply(c, msg, ans, s); + } + +event dns_NSEC(c: connection, msg: dns_msg, ans: dns_answer, next_name: string, bitmaps: string_vec) + { + hook DNS::do_reply(c, msg, ans, fmt("NSEC %s %s", ans$query, next_name)); + } + +event dns_NSEC3(c: connection, msg: dns_msg, ans: dns_answer, nsec3: dns_nsec3_rr) + { + hook DNS::do_reply(c, msg, ans, "NSEC3"); + } + +event dns_DS(c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_rr) + { + local s: string; + s = fmt("DS %s %s", ds$algorithm, ds$digest_type); + hook DNS::do_reply(c, msg, ans, s); + } + event dns_rejected(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count) &priority=5 { if ( c?$dns ) diff --git a/src/NetVar.cc b/src/NetVar.cc index 93533b9627..57a5452123 100644 --- a/src/NetVar.cc +++ b/src/NetVar.cc @@ -115,6 +115,10 @@ RecordType* dns_answer; RecordType* dns_soa; RecordType* dns_edns_additional; RecordType* dns_tsig_additional; +RecordType* dns_rrsig_rr; +RecordType* dns_dnskey_rr; +RecordType* dns_nsec3_rr; +RecordType* dns_ds_rr; TableVal* dns_skip_auth; TableVal* dns_skip_addl; int dns_skip_all_auth; 
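Review bot: In the new `dns_RRSIG` handler the expression `rrsig$signer_name == "" ? "" : rrsig$signer_name` evaluates to `rrsig$signer_name` in both branches, so the call reduces to `s = fmt("RRSIG %s %s", rrsig$type_covered, rrsig$signer_name);`. The summaries the handlers hand to DNS::do_reply are also uneven: `dns_NSEC3` logs only the literal `"NSEC3"` while `dns_NSEC` includes owner and next name, and `dns_DNSKEY`/`dns_DS` log bare numeric codes even though the same commit adds the `algorithms` and `digests` name tables in consts.bro; `fmt("DNSKEY %s", algorithms[dnskey$algorithm])` would make dns.log readable (assuming main.bro lives in the DNS module that exports those tables).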
@@ -430,7 +434,10 @@ void init_net_var() internal_type("dns_edns_additional")->AsRecordType(); dns_tsig_additional = internal_type("dns_tsig_additional")->AsRecordType(); - + dns_rrsig_rr = internal_type("dns_rrsig_rr")->AsRecordType(); + dns_dnskey_rr = internal_type("dns_dnskey_rr")->AsRecordType(); + dns_nsec3_rr = internal_type("dns_nsec3_rr")->AsRecordType(); + dns_ds_rr = internal_type("dns_ds_rr")->AsRecordType(); dns_skip_auth = internal_val("dns_skip_auth")->AsTableVal(); dns_skip_addl = internal_val("dns_skip_addl")->AsTableVal(); dns_skip_all_auth = opt_internal_int("dns_skip_all_auth"); diff --git a/src/NetVar.h b/src/NetVar.h index 023be18867..1dee27f372 100644 --- a/src/NetVar.h +++ b/src/NetVar.h @@ -118,6 +118,10 @@ extern RecordType* dns_answer; extern RecordType* dns_soa; extern RecordType* dns_edns_additional; extern RecordType* dns_tsig_additional; +extern RecordType* dns_rrsig_rr; +extern RecordType* dns_dnskey_rr; +extern RecordType* dns_nsec3_rr; +extern RecordType* dns_ds_rr; extern TableVal* dns_skip_auth; extern TableVal* dns_skip_addl; extern int dns_skip_all_auth; diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc index 145d19950f..d0b7940cee 100644 --- a/src/analyzer/protocol/dns/DNS.cc +++ b/src/analyzer/protocol/dns/DNS.cc @@ -312,6 +312,26 @@ int DNS_Interpreter::ParseAnswer(DNS_MsgInfo* msg, status = ParseRR_TSIG(msg, data, len, rdlength, msg_start); break; + case TYPE_RRSIG: + status = ParseRR_RRSIG(msg, data, len, rdlength, msg_start); + break; + + case TYPE_DNSKEY: + status = ParseRR_DNSKEY(msg, data, len, rdlength, msg_start); + break; + + case TYPE_NSEC: + status = ParseRR_NSEC(msg, data, len, rdlength, msg_start); + break; + + case TYPE_NSEC3: + status = ParseRR_NSEC3(msg, data, len, rdlength, msg_start); + break; + + case TYPE_DS: + status = ParseRR_DS(msg, data, len, rdlength, msg_start); + break; + default: if ( dns_unknown_reply && ! msg->skip_event ) 
@@ -724,6 +744,17 @@ void DNS_Interpreter::ExtractOctets(const u_char*& data, int& len, len -= dlen; } +BroString* DNS_Interpreter::ExtractStream(const u_char*& data, int& len, int l) + { + l = max(l, 0); + int dlen = min(len, l); // Len in bytes of the algorithm use + auto rval = new BroString(data, dlen, 0); + + data += dlen; + len -= dlen; + return rval; + } + int DNS_Interpreter::ParseRR_TSIG(DNS_MsgInfo* msg, const u_char*& data, int& len, int rdlength, const u_char* msg_start) 
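Review bot: The comment `// Len in bytes of the algorithm use` on `int dlen = min(len, l);` does not describe the line, which clamps the requested copy length to what is left in the message, and the new ExtractStream has no header comment at all even though every DNSSEC parser relies on its clamping to stay in bounds when rdlength is inconsistent. Suggest `// Never copy past the end of the message; a negative request yields an empty string.` on that line and, above the definition, `// Extract up to l raw octets into a new BroString (owned by the caller) and advance data/len.` The trailing context belongs to ParseRR_TSIG, whose body is outside the hunk.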
@@ -769,6 +800,389 @@ int DNS_Interpreter::ParseRR_TSIG(DNS_MsgInfo* msg, return 1; } +int DNS_Interpreter::ParseRR_RRSIG(DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start) + { + if ( ! dns_RRSIG || msg->skip_event ) + { + data += rdlength; + len -= rdlength; + return 1; + } + + if ( len < 18 ) + return 0; + + unsigned int type_covered = ExtractShort(data, len); + // split the two bytes for algo and labels extraction + uint32 algo_lab = ExtractShort(data, len); + unsigned int algo = (algo_lab >> 8) & 0xff; + unsigned int lab = algo_lab & 0xff; + + uint32 orig_ttl = ExtractLong(data, len); + uint32 sign_exp = ExtractLong(data, len); + uint32 sign_incp = ExtractLong(data, len); + unsigned int key_tag = ExtractShort(data, len); + + //implement signer's name with the msg_start offset + const u_char* data_start = data; + u_char name[513]; + int name_len = sizeof(name) - 1; + + u_char* name_end = ExtractName(data, len, name, name_len, msg_start); + if ( ! 
name_end ) + return 0; + + int sig_len = rdlength - ((data - data_start) + 18); + DNSSEC_Algo dsa = DNSSEC_Algo(algo); + BroString* sign = ExtractStream(data, len, sig_len); + + switch ( dsa ) { + case RSA_MD5: + analyzer->Weird("DNSSEC_RRSIG_NotRecommended_ZoneSignAlgo", fmt("%d", algo)); + break; + case Diffie_Hellman: + break; + case DSA_SHA1: + break; + case Elliptic_Curve: + break; + case RSA_SHA1: + break; + case DSA_NSEC3_SHA1: + break; + case RSA_SHA1_NSEC3_SHA1: + break; + case RSA_SHA256: + break; + case RSA_SHA512: + break; + case GOST_R_34_10_2001: + break; + case ECDSA_curveP256withSHA256: + break; + case ECDSA_curveP384withSHA384: + break; + case Indirect: + analyzer->Weird("DNSSEC_RRSIG_Indirect_ZoneSignAlgo", fmt("%d", algo)); + break; + case PrivateDNS: + analyzer->Weird("DNSSEC_RRSIG_PrivateDNS_ZoneSignAlgo", fmt("%d", algo)); + break; + case PrivateOID: + analyzer->Weird("DNSSEC_RRSIG_PrivateOID_ZoneSignAlgo", fmt("%d", algo)); + break; + default: + analyzer->Weird("DNSSEC_RRSIG_unknown_ZoneSignAlgo", fmt("%d", algo)); + break; + } + + RRSIG_DATA rrsig; + rrsig.type_covered = type_covered; + rrsig.algorithm = algo; + rrsig.labels = lab; + rrsig.orig_ttl = orig_ttl; + rrsig.sig_exp = sign_exp; + rrsig.sig_incep = sign_incp; + rrsig.key_tag = key_tag; + rrsig.signer_name = new BroString(name, name_end - name, 1); + rrsig.signature = sign; + + val_list* vl = new val_list; + + vl->append(analyzer->BuildConnVal()); + vl->append(msg->BuildHdrVal()); + vl->append(msg->BuildAnswerVal()); + vl->append(msg->BuildRRSIG_Val(&rrsig)); + + analyzer->ConnectionEvent(dns_RRSIG, vl); + + return 1; + } + +int DNS_Interpreter::ParseRR_DNSKEY(DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start) + { + if ( ! 
dns_DNSKEY || msg->skip_event ) + { + data += rdlength; + len -= rdlength; + return 1; + } + + if ( len < 4 ) + return 0; + + auto dflags = ExtractShort(data, len); + // split the two bytes for protocol and algorithm extraction + auto proto_algo = ExtractShort(data, len); + unsigned int dprotocol = (proto_algo >> 8) & 0xff; + unsigned int dalgorithm = proto_algo & 0xff; + DNSSEC_Algo dsa = DNSSEC_Algo(dalgorithm); + //Evaluating the size of remaining bytes for Public Key + BroString* key = ExtractStream(data, len, rdlength - 4); + + if ( dflags != 256 and dflags != 257 and dflags != 0 ) + analyzer->Weird("DNSSEC_DNSKEY_Invalid_Flag", fmt("%d", dflags)); + + if ( dprotocol != 3 ) + analyzer->Weird("DNSSEC_DNSKEY_Invalid_Protocol", fmt("%d", dprotocol)); + + switch ( dsa ) { + case RSA_MD5: + analyzer->Weird("DNSSEC_DNSKEY_NotRecommended_ZoneSignAlgo", fmt("%d", dalgorithm)); + break; + case Diffie_Hellman: + break; + case DSA_SHA1: + break; + case Elliptic_Curve: + break; + case RSA_SHA1: + break; + case DSA_NSEC3_SHA1: + break; + case RSA_SHA1_NSEC3_SHA1: + break; + case RSA_SHA256: + break; + case RSA_SHA512: + break; + case GOST_R_34_10_2001: + break; + case ECDSA_curveP256withSHA256: + break; + case ECDSA_curveP384withSHA384: + break; + case Indirect: + analyzer->Weird("DNSSEC_DNSKEY_Indirect_ZoneSignAlgo", fmt("%d", dalgorithm)); + break; + case PrivateDNS: + analyzer->Weird("DNSSEC_DNSKEY_PrivateDNS_ZoneSignAlgo", fmt("%d", dalgorithm)); + break; + case PrivateOID: + analyzer->Weird("DNSSEC_DNSKEY_PrivateOID_ZoneSignAlgo", fmt("%d", dalgorithm)); + break; + default: + analyzer->Weird("DNSSEC_DNSKEY_unknown_ZoneSignAlgo", fmt("%d", dalgorithm)); + break; + } + + DNSKEY_DATA dnskey; + dnskey.dflags = dflags; + dnskey.dalgorithm = dalgorithm; + dnskey.dprotocol = dprotocol; + dnskey.public_key = key; + + val_list* vl = new val_list; + + vl->append(analyzer->BuildConnVal()); + vl->append(msg->BuildHdrVal()); + vl->append(msg->BuildAnswerVal()); + 
vl->append(msg->BuildDNSKEY_Val(&dnskey)); + + analyzer->ConnectionEvent(dns_DNSKEY, vl); + + return 1; + } + +int DNS_Interpreter::ParseRR_NSEC(DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start) + { + if ( ! dns_NSEC || msg->skip_event ) + { + data += rdlength; + len -= rdlength; + return 1; + } + + const u_char* data_start = data; + u_char name[513]; + int name_len = sizeof(name) - 1; + + u_char* name_end = ExtractName(data, len, name, name_len, msg_start); + if ( ! name_end ) + return 0; + + int typebitmaps_len = rdlength - (data - data_start); + + VectorVal* char_strings = new VectorVal(string_vec); + + while ( typebitmaps_len > 0 && len > 0 ) + { + uint32 block_bmlen = ExtractShort(data, len); + unsigned int win_blck = (block_bmlen >> 8) & 0xff; + unsigned int bmlen = block_bmlen & 0xff; + + if ( bmlen == 0 ) + { + analyzer->Weird("DNSSEC_NSEC_bitmapLen0", fmt("%d", win_blck)); + break; + } + + BroString* bitmap = ExtractStream(data, len, bmlen); + char_strings->Assign(char_strings->Size(), new StringVal(bitmap)); + typebitmaps_len = typebitmaps_len - (2 + bmlen); + } + + val_list* vl = new val_list; + + vl->append(analyzer->BuildConnVal()); + vl->append(msg->BuildHdrVal()); + vl->append(msg->BuildAnswerVal()); + vl->append(new StringVal(new BroString(name, name_end - name, 1))); + vl->append(char_strings); + + analyzer->ConnectionEvent(dns_NSEC, vl); + + return 1; + } + +int DNS_Interpreter::ParseRR_NSEC3(DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start) + { + if ( ! 
dns_NSEC3 || msg->skip_event ) + { + data += rdlength; + len -= rdlength; + return 1; + } + + if ( len < 6 ) + return 0; + + const u_char* data_start = data; + uint32 halgo_flags = ExtractShort(data, len); + unsigned int hash_algo = (halgo_flags >> 8) & 0xff; + unsigned int nsec_flags = halgo_flags & 0xff; + unsigned int iter = ExtractShort(data, len); + + uint8 salt_len = 0; + + if ( len > 0 ) + { + salt_len = data[0]; + ++data; + --len; + } + + auto salt_val = ExtractStream(data, len, static_cast(salt_len)); + + uint8 hash_len = 0; + + if ( len > 0 ) + { + hash_len = data[0]; + ++data; + --len; + } + + auto hash_val = ExtractStream(data, len, static_cast(hash_len)); + + int typebitmaps_len = rdlength - (data - data_start); + + VectorVal* char_strings = new VectorVal(string_vec); + + while ( typebitmaps_len > 0 && len > 0 ) + { + uint32 block_bmlen = ExtractShort(data, len); + unsigned int win_blck = ( block_bmlen >> 8) & 0xff; + unsigned int bmlen = block_bmlen & 0xff; + + if ( bmlen == 0 ) + { + analyzer->Weird("DNSSEC_NSEC3_bitmapLen0", fmt("%d", win_blck)); + break; + } + + BroString* bitmap = ExtractStream(data, len, bmlen); + char_strings->Assign(char_strings->Size(), new StringVal(bitmap)); + typebitmaps_len = typebitmaps_len - (2 + bmlen); + } + + NSEC3_DATA nsec3; + nsec3.nsec_flags = nsec_flags; + nsec3.nsec_hash_algo = hash_algo; + nsec3.nsec_iter = iter; + nsec3.nsec_salt_len = salt_len; + nsec3.nsec_salt = salt_val; + nsec3.nsec_hlen = hash_len; + nsec3.nsec_hash = hash_val; + nsec3.bitmaps = char_strings; + + val_list* vl = new val_list; + + vl->append(analyzer->BuildConnVal()); + vl->append(msg->BuildHdrVal()); + vl->append(msg->BuildAnswerVal()); + vl->append(msg->BuildNSEC3_Val(&nsec3)); + + analyzer->ConnectionEvent(dns_NSEC3, vl); + + return 1; + } + +int DNS_Interpreter::ParseRR_DS(DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start) + { + if ( ! 
dns_DS || msg->skip_event ) + { + data += rdlength; + len -= rdlength; + return 1; + } + + if ( len < 4 ) + return 0; + + unsigned int ds_key_tag = ExtractShort(data, len); + // split the two bytes for algorithm and digest type extraction + uint32 ds_algo_dtype = ExtractShort(data, len); + unsigned int ds_algo = (ds_algo_dtype >> 8) & 0xff; + unsigned int ds_dtype = ds_algo_dtype & 0xff; + DNSSEC_Digest ds_digest_type = DNSSEC_Digest(ds_dtype); + BroString* ds_digest = ExtractStream(data, len, rdlength - 4); + + switch ( ds_digest_type ) { + case SHA1: + break; + case SHA256: + break; + case GOST_R_34_11_94: + break; + case SHA384: + break; + case reserved0: + analyzer->Weird("DNSSEC_DS_ResrevedDigestType", fmt("%d", ds_dtype)); + break; + default: + analyzer->Weird("DNSSEC_DS_unknown_DigestType", fmt("%d", ds_dtype)); + break; + } + + DS_DATA ds; + ds.key_tag = ds_key_tag; + ds.algorithm = ds_algo; + ds.digest_type = ds_dtype; + ds.digest_val = ds_digest; + + val_list* vl = new val_list; + + vl->append(analyzer->BuildConnVal()); + vl->append(msg->BuildHdrVal()); + vl->append(msg->BuildAnswerVal()); + vl->append(msg->BuildDS_Val(&ds)); + + analyzer->ConnectionEvent(dns_DS, vl); + + return 1; + } + int DNS_Interpreter::ParseRR_A(DNS_MsgInfo* msg, const u_char*& data, int& len, int rdlength) { @@ -1063,7 +1477,7 @@ Val* DNS_MsgInfo::BuildEDNS_Val() // Need to break the TTL field into three components: // initial: [------------- ttl (32) ---------------------] - // after: [DO][ ext rcode (7)][ver # (8)][ Z field (16)] + // after: [ ext rcode (8)][ver # (8)][ Z field (16) ] unsigned int ercode = (ttl >> 24) & 0xff; unsigned int version = (ttl >> 16) & 0xff; 
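Review bot: The size guards in ParseRR_RRSIG, ParseRR_DNSKEY, ParseRR_NSEC3 and ParseRR_DS test the remaining message length (`if ( len < 18 ) return 0;`, `if ( len < 4 ) return 0;`, `if ( len < 6 ) return 0;`) rather than this RR's rdlength, so an RR whose RDATA is shorter than its fixed header has its fields read from the following RR's bytes while `sig_len` / `rdlength - 4` goes negative and ExtractStream silently returns an empty string; unless the caller reconciles consumption against rdlength (outside the hunk), the guards should be `if ( len < 18 || rdlength < 18 ) return 0;` and likewise for the 4- and 6-byte headers. The bitmap loops in ParseRR_NSEC and ParseRR_NSEC3 never compare `bmlen` with `typebitmaps_len`, so a bitmap length larger than the remaining RDATA also reads into the next RR; RFC 4034 §4.1.2 bounds it to 1..32, which makes `if ( bmlen == 0 || bmlen > 32 || (int)(2 + bmlen) > typebitmaps_len )` a cheap complete check. The DNSKEY test `dflags != 256 and dflags != 257 and dflags != 0` raises DNSSEC_DNSKEY_Invalid_Flag for keys carrying the RFC 5011 REVOKE bit (0x0080, i.e. flags 384/385), which are exactly the keys an analyst wants to see; testing the reserved bits instead, `if ( dflags & ~(0x0100 | 0x0080 | 0x0001) )`, keeps them. In ParseRR_DS, `case reserved0:` names the DNSSEC_Algo enumerator inside a switch over DNSSEC_Digest (whose zero value is `reserved`) and only works because both are 0, and the weird name `DNSSEC_DS_ResrevedDigestType` is misspelled; both are worth fixing before the string lands in baselines.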
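Review bot: The rewritten comment `// after: [ ext rcode (8)][ver # (8)][ Z field (16) ]` drops the DO bit entirely, but per RFC 6891 §6.1.3 the low 16 bits are DO (1 bit, the most significant) followed by 15 reserved Z bits, and DO is what tells a resolver whether DNSSEC records were requested. Suggest `// after: [ ext rcode (8)][ver # (8)][DO][ Z field (15) ]` so a reader knows where the flag lives if it is ever exposed to scripts. BuildEDNS_Val continues outside the hunk.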
@@ -1104,6 +1518,79 @@ Val* DNS_MsgInfo::BuildTSIG_Val() return r; } +Val* DNS_MsgInfo::BuildRRSIG_Val(RRSIG_DATA* rrsig) + { + RecordVal* r = new RecordVal(dns_rrsig_rr); + + Ref(query_name); + r->Assign(0, query_name); + r->Assign(1, new Val(int(answer_type), TYPE_COUNT)); + r->Assign(2, new Val(rrsig->type_covered, TYPE_COUNT)); + r->Assign(3, new Val(rrsig->algorithm, TYPE_COUNT)); + r->Assign(4, new Val(rrsig->labels, TYPE_COUNT)); + r->Assign(5, new IntervalVal(double(rrsig->orig_ttl), Seconds)); + r->Assign(6, new Val(double(rrsig->sig_exp), TYPE_TIME)); + r->Assign(7, new Val(double(rrsig->sig_incep), TYPE_TIME)); + r->Assign(8, new Val(rrsig->key_tag, TYPE_COUNT)); + r->Assign(9, new StringVal(rrsig->signer_name)); + r->Assign(10, new StringVal(rrsig->signature)); + r->Assign(11, new Val(is_query, TYPE_COUNT)); + + return r; + } + +Val* DNS_MsgInfo::BuildDNSKEY_Val(DNSKEY_DATA* dnskey) + { + RecordVal* r = new RecordVal(dns_dnskey_rr); + + Ref(query_name); + r->Assign(0, query_name); + r->Assign(1, new Val(int(answer_type), TYPE_COUNT)); + r->Assign(2, new Val(dnskey->dflags, TYPE_COUNT)); + r->Assign(3, new Val(dnskey->dprotocol, TYPE_COUNT)); + r->Assign(4, new Val(dnskey->dalgorithm, TYPE_COUNT)); + r->Assign(5, new StringVal(dnskey->public_key)); + r->Assign(6, new Val(is_query, TYPE_COUNT)); + + return r; + } + +Val* DNS_MsgInfo::BuildNSEC3_Val(NSEC3_DATA* nsec3) + { + RecordVal* r = new RecordVal(dns_nsec3_rr); + + Ref(query_name); + r->Assign(0, query_name); + r->Assign(1, new Val(int(answer_type), TYPE_COUNT)); + r->Assign(2, new Val(nsec3->nsec_flags, TYPE_COUNT)); + r->Assign(3, new Val(nsec3->nsec_hash_algo, TYPE_COUNT)); + r->Assign(4, new Val(nsec3->nsec_iter, TYPE_COUNT)); + r->Assign(5, new Val(nsec3->nsec_salt_len, TYPE_COUNT)); + r->Assign(6, new StringVal(nsec3->nsec_salt)); + r->Assign(7, new Val(nsec3->nsec_hlen, TYPE_COUNT)); + r->Assign(8, new StringVal(nsec3->nsec_hash)); + r->Assign(9, nsec3->bitmaps); + r->Assign(10, new 
Val(is_query, TYPE_COUNT)); + + return r; + } + +Val* DNS_MsgInfo::BuildDS_Val(DS_DATA* ds) + { + RecordVal* r = new RecordVal(dns_ds_rr); + + Ref(query_name); + r->Assign(0, query_name); + r->Assign(1, new Val(int(answer_type), TYPE_COUNT)); + r->Assign(2, new Val(ds->key_tag, TYPE_COUNT)); + r->Assign(3, new Val(ds->algorithm, TYPE_COUNT)); + r->Assign(4, new Val(ds->digest_type, TYPE_COUNT)); + r->Assign(5, new StringVal(ds->digest_val)); + r->Assign(6, new Val(is_query, TYPE_COUNT)); + + return r; + } + Contents_DNS::Contents_DNS(Connection* conn, bool orig, DNS_Interpreter* arg_interp) : tcp::TCP_SupportAnalyzer("CONTENTS_DNS", conn, orig) diff --git a/src/analyzer/protocol/dns/DNS.h b/src/analyzer/protocol/dns/DNS.h index 58a263637e..f095fe96fa 100644 --- a/src/analyzer/protocol/dns/DNS.h +++ b/src/analyzer/protocol/dns/DNS.h @@ -57,7 +57,12 @@ typedef enum { TYPE_TKEY = 249, ///< Transaction Key (RFC 2930) TYPE_TSIG = 250, ///< Transaction Signature (RFC 2845) TYPE_CAA = 257, ///< Certification Authority Authorization (RFC 6844) - + // DNSSEC RR's + TYPE_RRSIG = 46, ///< RR Signature record type (RFC4043) + TYPE_NSEC = 47, ///< Next Secure record (RFC4043) + TYPE_DNSKEY = 48, ///< DNS Key record (RFC 4034) + TYPE_DS = 43, ///< Delegation signer (RFC 4034) + TYPE_NSEC3 = 50, // The following are only valid in queries. TYPE_AXFR = 252, TYPE_ALL = 255, 
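Review bot: BuildRRSIG_Val, BuildDNSKEY_Val, BuildNSEC3_Val and BuildDS_Val fill their records by position (`r->Assign(0, query_name)` through `r->Assign(11, new Val(is_query, TYPE_COUNT))`) with nothing tying the indices to the field order of dns_rrsig_rr/dns_dnskey_rr/dns_nsec3_rr/dns_ds_rr in init-bare.bro, so inserting a script-side field silently shifts every later value into the wrong slot. A one-line header on each builder, e.g. `// Field indices must match the declaration order of dns_rrsig_rr in scripts/base/init-bare.bro.`, would make that coupling visible. BuildRRSIG_Val also turns the expiration and inception fields into TYPE_TIME via `double(rrsig->sig_exp)`; a note that these are 32-bit serial-number timestamps (RFC 4034 §3.1.5, RFC 1982) rather than full epoch values would help whoever later compares them against network_time(). The hunk's trailing context, the Contents_DNS constructor, is cut off by the page.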
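Review bot: The new enumerator comments cite the wrong document: `TYPE_RRSIG = 46, ///< RR Signature record type (RFC4043)` and the matching NSEC line should say RFC 4034, which defines the DNSSEC RRs, as the DNSKEY and DS lines already do, and `TYPE_NSEC3 = 50,` has no comment at all; suggest `TYPE_NSEC3 = 50, ///< Hashed authenticated denial of existence (RFC 5155)`. The `// DNSSEC RR's` marker also replaced a blank line, so the group now runs straight into `// The following are only valid in queries.` without separation. The enum continues outside the hunk.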
@@ -75,6 +80,33 @@ typedef enum { DNS_ADDITIONAL, } DNS_AnswerType; +typedef enum { + reserved0 = 0, + RSA_MD5 = 1, ///< [RFC2537] NOT RECOMMENDED + Diffie_Hellman = 2, ///< [RFC2539] + DSA_SHA1 = 3, ///< [RFC2536] OPTIONAL + Elliptic_Curve = 4, + RSA_SHA1 = 5, ///< [RFC3110] MANDATORY + DSA_NSEC3_SHA1 = 6, + RSA_SHA1_NSEC3_SHA1 = 7, + RSA_SHA256 = 8, + RSA_SHA512 = 10, + GOST_R_34_10_2001 = 12, + ECDSA_curveP256withSHA256 = 13, + ECDSA_curveP384withSHA384 =14, + Indirect = 252, ///< + PrivateDNS = 253, ///< OPTIONAL + PrivateOID = 254, ///< OPTIONAL + reserved255 = 255, +} DNSSEC_Algo; + +typedef enum { + reserved = 0, + SHA1 = 1, ///< [RFC3110] MANDATORY + SHA256 = 2, + GOST_R_34_11_94 = 3, + SHA384 = 4, +} DNSSEC_Digest; struct DNS_RawMsgHdr { unsigned short id; @@ -105,6 +137,43 @@ struct TSIG_DATA { unsigned short rr_error; }; +struct RRSIG_DATA { + unsigned short type_covered; // 16 : ExtractShort(data, len) + unsigned short algorithm; // 8 + unsigned short labels; // 8 + uint32 orig_ttl; // 32 + unsigned long sig_exp; // 32 + unsigned long sig_incep; // 32 + unsigned short key_tag; //16 + BroString* signer_name; + BroString* signature; +}; + +struct DNSKEY_DATA { + unsigned short dflags; // 16 : ExtractShort(data, len) + unsigned short dalgorithm; // 8 + unsigned short dprotocol; // 8 + BroString* public_key; // Variable lenght Public Key +}; + +struct NSEC3_DATA { + unsigned short nsec_flags; + unsigned short nsec_hash_algo; + unsigned short nsec_iter; + unsigned short nsec_salt_len; + BroString* nsec_salt; + unsigned short nsec_hlen; + BroString* nsec_hash; + VectorVal* bitmaps; +}; + +struct DS_DATA { + unsigned short key_tag; // 16 : ExtractShort(data, len) + unsigned short algorithm; // 8 + unsigned short digest_type; // 8 + BroString* digest_val; // Variable lenght Digest of DNSKEY RR +}; + class DNS_MsgInfo { public: DNS_MsgInfo(DNS_RawMsgHdr* hdr, int is_query); 
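Review bot: DNSSEC_Algo has no enumerators for 15 and 16 although the script-side `algorithms` table added in consts.bro names them Ed25519 and Ed448 (RFC 8080), so the switches in ParseRR_RRSIG and ParseRR_DNSKEY will report a standard Ed25519 signature as DNSSEC_*_unknown_ZoneSignAlgo; add `Ed25519 = 15, ///< [RFC8080]` and `Ed448 = 16, ///< [RFC8080]` and the corresponding cases. Both enums are unscoped and put bare names such as `SHA1`, `SHA256`, `SHA384` and `reserved` into the global namespace, and OpenSSL's <openssl/sha.h> declares functions with exactly those names, so any translation unit that includes both headers would fail to compile (I cannot tell from here whether one exists) — an `enum class` or a `DNSSEC_` prefix avoids the collision. The zero value is spelled `reserved0` in one enum and `reserved` in the other, and the `[RFC3110] MANDATORY` annotation on the digest `SHA1` belongs to the RSA/SHA-1 signing algorithm, not to the DS digest type (RFC 4034 Appendix A.2).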
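Review bot: `unsigned long sig_exp; // 32` and `unsigned long sig_incep; // 32` in RRSIG_DATA are filled from ExtractLong, which returns uint32, so the declared type and the comment disagree; `uint32` as used for `orig_ttl` matches both the wire format and the producer. The 8-bit fields (`algorithm`, `labels`, `dalgorithm`, `dprotocol`, `digest_type`) are `unsigned short` with a `// 8` comment that reads like a leftover from the `// 16 : ExtractShort(data, len)` annotation above them; either a `uint8` or a comment saying why the wider type is intentional would help. `// Variable lenght Public Key` and `// Variable lenght Digest of DNSKEY RR` misspell "length", and `NSEC3_DATA::bitmaps` deserves a note such as `// handed to the RecordVal by BuildNSEC3_Val; not freed here` since it is the only Val-typed member in these structs.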
@@ -114,6 +183,10 @@ public: Val* BuildAnswerVal(); Val* BuildEDNS_Val(); Val* BuildTSIG_Val(); + Val* BuildRRSIG_Val(struct RRSIG_DATA*); + Val* BuildDNSKEY_Val(struct DNSKEY_DATA*); + Val* BuildNSEC3_Val(struct NSEC3_DATA*); + Val* BuildDS_Val(struct DS_DATA*); int id; int opcode; ///< query type, see DNS_Opcode @@ -143,8 +216,7 @@ public: ///< for forward lookups // More values for spesific DNS types. - // struct EDNS_ADDITIONAL* edns; - + //struct EDNS_ADDITIONAL* edns; struct TSIG_DATA* tsig; }; @@ -183,6 +255,8 @@ protected: uint32 ExtractLong(const u_char*& data, int& len); void ExtractOctets(const u_char*& data, int& len, BroString** p); + BroString* ExtractStream(const u_char*& data, int& len, int sig_len); + int ParseRR_Name(DNS_MsgInfo* msg, const u_char*& data, int& len, int rdlength, const u_char* msg_start); @@ -218,7 +292,21 @@ protected: int ParseRR_TSIG(DNS_MsgInfo* msg, const u_char*& data, int& len, int rdlength, const u_char* msg_start); - + int ParseRR_RRSIG(DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start); + int ParseRR_DNSKEY(DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start); + int ParseRR_NSEC(DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start); + int ParseRR_NSEC3(DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start); + int ParseRR_DS(DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start); void SendReplyOrRejectEvent(DNS_MsgInfo* msg, EventHandlerPtr event, const u_char*& data, int& len, BroString* question_name); @@ -270,7 +358,6 @@ public: void Done() override; void ConnectionClosed(tcp::TCP_Endpoint* endpoint, tcp::TCP_Endpoint* peer, int gen_event) override; - void ExpireTimer(double t); static analyzer::Analyzer* Instantiate(Connection* conn) 
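Review bot: The declaration `BroString* ExtractStream(const u_char*& data, int& len, int sig_len);` names the third parameter `sig_len` while the definition in DNS.cc calls it `l`, and the helper is used for public keys, salts, hashes and bitmaps as well as signatures, so the header name is both inconsistent and misleading. Suggest `int nbytes` in both places with a Doxygen line where callers see it: `///< Copies up to nbytes (clamped to len, never negative) into a new BroString and advances data/len.`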
diff --git a/src/analyzer/protocol/dns/events.bif b/src/analyzer/protocol/dns/events.bif index ae796c8e4c..6fe741d4d9 100644 --- a/src/analyzer/protocol/dns/events.bif +++ b/src/analyzer/protocol/dns/events.bif 
@@ -493,6 +493,73 @@ event dns_EDNS_addl%(c: connection, msg: dns_msg, ans: dns_edns_additional%);
 ## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
 event dns_TSIG_addl%(c: connection, msg: dns_msg, ans: dns_tsig_additional%);
 
+## Generated for DNS replies of type *RRSIG*. For replies with multiple answers,
+## an individual event of the corresponding type is raised for each.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+## transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The type-independent part of the parsed answer record.
+##
+## rrsig: The parsed RRSIG record.
+event dns_RRSIG%(c: connection, msg: dns_msg, ans: dns_answer, rrsig: dns_rrsig_rr%);
+
+## Generated for DNS replies of type *DNSKEY*. For replies with multiple answers,
+## an individual event of the corresponding type is raised for each.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+## transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The type-independent part of the parsed answer record.
+##
+## dnskey: The parsed DNSKEY record.
+event dns_DNSKEY%(c: connection, msg: dns_msg, ans: dns_answer, dnskey: dns_dnskey_rr%);
+
+## Generated for DNS replies of type *NSEC*. For replies with multiple answers,
+## an individual event of the corresponding type is raised for each.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+## transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The type-independent part of the parsed answer record.
+##
+## next_name: The parsed next secure domain name.
+##
+## bitmaps: vector of strings in hex for the bit maps present.
+event dns_NSEC%(c: connection, msg: dns_msg, ans: dns_answer, next_name: string, bitmaps: string_vec%);
+
+## Generated for DNS replies of type *NSEC3*. For replies with multiple answers,
+## an individual event of the corresponding type is raised for each.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+## transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The type-independent part of the parsed answer record.
+##
+## nsec3: The parsed RDATA of Nsec3 record.
+event dns_NSEC3%(c: connection, msg: dns_msg, ans: dns_answer, nsec3: dns_nsec3_rr%);
+
+## Generated for DNS replies of type *DS*. For replies with multiple answers,
+## an individual event of the corresponding type is raised for each.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+## transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The type-independent part of the parsed answer record.
+##
+## ds: The parsed RDATA of DS record.
+event dns_DS%(c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_rr%);
+
 ## Generated at the end of processing a DNS packet. This event is the last
 ## ``dns_*`` event that will be raised for a DNS query/reply and signals that
 ## all resource records have been passed on.
diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.dns-key/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.dns-key/dns.log
index 80f04fdbfa..5b3ec2a72d 100644
--- a/testing/btest/Baseline/scripts.base.protocols.dns.dns-key/dns.log
+++ b/testing/btest/Baseline/scripts.base.protocols.dns.dns-key/dns.log
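Review bot: The `dns_NSEC` documentation says `bitmaps: vector of strings in hex for the bit maps present`, but ParseRR_NSEC stores the raw bitmap octets of each window block straight from ExtractStream with no hex encoding, and the window block number it reads next to each length is not passed to the event, so a consumer cannot tell which 256-type window an entry covers. Suggest `## bitmaps: The raw Type Bit Maps octets, one string per window block in wire order (RFC 4034 §4.1.2); window numbers are not included.` — or better, extend the interface to carry them before the event signature is released. `## nsec3: The parsed RDATA of Nsec3 record.` should read `## nsec3: The parsed NSEC3 RDATA.` to match the casing used elsewhere in the file.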
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path dns -#open 2016-07-13-16-16-11 +#open 2018-09-21-21-01-10 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected #types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool -1359565680.761790 CHhAvVGS1DHFjwGM9 192.168.6.10 53209 192.168.129.36 53 udp 41477 0.075138 paypal.com 1 C_INTERNET 48 DNSKEY 0 NOERROR F F T T 1 ,,, 455.000000,455.000000,455.000000,455.000000 F -#close 2016-07-13-16-16-11 +1359565680.761790 CHhAvVGS1DHFjwGM9 192.168.6.10 53209 192.168.129.36 53 udp 41477 0.075138 paypal.com 1 C_INTERNET 48 DNSKEY 0 NOERROR F F T T 1 DNSKEY 5,DNSKEY 5,RRSIG 48 paypal.com,RRSIG 48 paypal.com 455.000000,455.000000,455.000000,455.000000 F +#close 2018-09-21-21-01-10 diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.dnskey/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.dnskey/dns.log new file mode 100644 index 0000000000..0382413627 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.dns.dnskey/dns.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path dns +#open 2018-09-21-21-02-08 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected +#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool +1537557808.534727 CHhAvVGS1DHFjwGM9 192.168.153.129 50729 192.168.153.2 53 udp 22666 0.018166 upenn.edu 1 C_INTERNET 48 DNSKEY 0 NOERROR F F T T 2 DNSKEY 5,DNSKEY 5,DNSKEY 5,RRSIG 48 upenn.edu,RRSIG 48 upenn.edu 5.000000,5.000000,5.000000,3444.000000,3444.000000 F +#close 2018-09-21-21-02-08 
diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.dnskey/output b/testing/btest/Baseline/scripts.base.protocols.dns.dnskey/output new file mode 100644 index 0000000000..af82aa170f --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.dns.dnskey/output 
@@ -0,0 +1,5 @@ +DNSKEY, [query=upenn.edu, answer_type=1, flags=256, protocol=3, algorithm=5, public_key=\x03\x01\x00\x01\xa83\xd4\x99\xe7\x9bz\x7f\xe8\xf4\x15\xeb\x80F\xc9\x1e\xfdo5\xff\x8dAd\xa8\x84\x81\xa2PB\xfc\xc6{!\x1f\xd9\xfc/\x08S_\x97\x89O;\x09\x1a*\x99\x94\x19"\x90\xf8R\xcb\xad\x10\x00\xd4\xef\x91\x02\x16\xab\x1f\xb2\xee\xe8\xde\x06\x95\xb2\x8c\x8f\x03\xe3\x8a,\x06\x99X\x11\xae\x0d\x9f\xcf\xe8\x15\xb9\xd0\xc3\x02%\xbfI\x8bC\x1e \xc3\xdb]\x9e\xda\xc4\xbf\xdf\x97\xfe\xf6.\x8cr\x00zhW\xdd\x08\xd9\x996?\x19''\xa0\x8f, is_query=0], 03010001a833d499e79b7a7fe8f415eb8046c91efd6f35ff8d4164a88481a25042fcc67b211fd9fc2f08535f97894f3b091a2a9994192290f852cbad1000d4ef910216ab1fb2eee8de0695b28c8f03e38a2c06995811ae0d9fcfe815b9d0c30225bf498b431e20c3db5d9edac4bfdf97fef62e8c72007a6857dd08d999363f192727a08f +DNSKEY, [query=upenn.edu, answer_type=1, flags=256, protocol=3, algorithm=5, public_key=\x03\x01\x00\x01\xf7a\x0b\x04\x88\x99/\xef\xaaS\xd5\xeet\x0c< \xa3w\xb3\xfc\xcd\xad\xfc(k\x12)i\xdd\xc1\xf6S.a\x8b\xd3\x15, is_query=0], 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 +RRSIG, [query=upenn.edu, answer_type=1, type_covered=48, algorithm=5, labels=2, orig_ttl=2.0 hrs, sig_exp=1538431668.0, sig_incep=1535838004.0, key_tag=50475, signer_name=upenn.edu, signature=S\x88\xbd\x1aP\xb4]\xc3y\xeb\xb1\xc0\xb8\x12~\x8f\xfc\x94\xf8\xa90`\xc5\x93\x8c[\xcb\xf5\xdc(J\x9e\xaf\x9854!\xd9\xca\xb1\xd5>\xab\xe2\xa2\xc7q\xb3\xf1\xcf\xf50\x7fc\x83Z\x9af\xcb\xcb\xae\x8f\xcc\xe5\xa6@}\x8cG\xdf\xe2?\xe405\xff\xdf\xf9|\xd61\xb3\xb2M+\xc9y"\x93\xd0\xc6\xee\xa0o\xbb\x87\xdaa\x92Q\xef\xfds\x9e\xf7\xcbw\x7fL\xc6\x06\xe4\x95\xd3j\xc6e\x1a-\xb6C}e\xdb3\x88m\xd0, is_query=0], 5388bd1a50b45dc379ebb1c0b8127e8ffc94f8a93060c5938c5bcbf5dc284a9eaf98353421d9cab1d53eabe2a2c771b3f1cff5307f63835a9a66cbcbae8fcce5a6407d8c47dfe23fe43035ffdff97cd631b3b24d2bc9792293d0c6eea06fbb87da619251effd739ef7cb777f4cc606e495d36ac6651a2db6437d65db33886dd0 
diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.ds/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.ds/dns.log new file mode 100644 index 0000000000..d5ac66b29a --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.dns.ds/dns.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path dns +#open 2018-09-21-21-02-51 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected +#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool +1537557828.343603 CHhAvVGS1DHFjwGM9 192.168.153.129 50729 192.168.153.2 53 udp 39080 0.017821 upenn.edu 1 C_INTERNET 43 DS 0 NOERROR F F T T 2 DS 5 1,DS 5 2,RRSIG 43 edu 5.000000,5.000000,5.000000 F +#close 2018-09-21-21-02-51 diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.ds/output b/testing/btest/Baseline/scripts.base.protocols.dns.ds/output new file mode 100644 index 0000000000..63ba1c8d1d --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.dns.ds/output 
@@ -0,0 +1,3 @@ +DS, [query=upenn.edu, answer_type=1, key_tag=18463, algorithm=5, digest_type=1, digest_val=\x0cE\xb3\xd0\x90\xb2!\xe0\xe3;\xbe\xb5\xa6\x19\xd8\x94\x16\xba\xf1\x97, is_query=0], 0c45b3d090b221e0e33bbeb5a619d89416baf197 +DS, [query=upenn.edu, answer_type=1, key_tag=18463, algorithm=5, digest_type=2, digest_val=`\x03\x99#&\xda\x06x\\x9e0\xb2Yu\x0f\xab\x09`\xbfW\x05K\xdd\xff\xde\xee\x11\x88\x97}\xab\xb8, is_query=0], 6003992326da06785c9e30b259750fab0960bf57054bddffdeee1188977dabb8 +RRSIG, [query=upenn.edu, answer_type=1, type_covered=43, algorithm=8, labels=2, orig_ttl=1.0 day, sig_exp=1538112220.0, sig_incep=1537503220.0, key_tag=50219, signer_name=edu, signature=\x9a\xd4`ppv\x154\x98\xe9\x9d\xf9#|\xa2\xb2v\xf6\x1dj\x1a\x07d\x8c\xd2\xea\xd8\xeeG`\x14=\xc33\xd4)\xb3C\xb9T\xe8r\xba.4\xcb\x96\xa7\xe3\x95\xf4#\xfd<"\xa8\x1c\x1b1R\x18\xd1\xac.x\xa0\xb1\xef\xf4\x163y\x85\xb4K\x0e\x84\xd2\x16\x05\x9et\xa7\xc5|\x0d9f\xd4\x8ea\xdd\x8d&\x863\x14\xd6i\xe6\xf6|%\xbf\xd8\x91\xb3\x87\xd1\x918r\x0a\xb8\x0e\x87\xdf?\xee\xf3Pyn\xdd=%\xd3p, is_query=0], 9ad460707076153498e99df9237ca2b276f61d6a1a07648cd2ead8ee4760143dc333d429b343b954e872ba2e34cb96a7e395f423fd3c22a81c1b315218d1ac2e78a0b1eff416337985b44b0e84d216059e74a7c57c0d3966d48e61dd8d26863314d669e6f67c25bfd891b387d19138720ab80e87df3feef350796edd3d25d370 diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/dns.log index 6027ed71a7..2da5060368 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/dns.log +++ b/testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/dns.log 
@@ -3,9 +3,9 @@ #empty_field (empty) #unset_field - #path dns -#open 2016-07-13-16-16-12 +#open 2018-09-21-21-07-55 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected #types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool -1363716396.798072 CHhAvVGS1DHFjwGM9 55.247.223.174 27285 222.195.43.124 53 udp 21140 0.000214 www.cmu.edu 1 C_INTERNET 1 A 0 NOERROR T F F F 1 www-cmu.andrew.cmu.edu,,www-cmu-2.andrew.cmu.edu,128.2.10.163 86400.000000,86400.000000,5.000000,21600.000000 F -1363716396.798374 CHhAvVGS1DHFjwGM9 55.247.223.174 27285 222.195.43.124 53 udp 21140 - www.cmu.edu - - - - 0 NOERROR T F F F 0 www-cmu.andrew.cmu.edu,,www-cmu-2.andrew.cmu.edu,128.2.10.163 86400.000000,86400.000000,5.000000,21600.000000 F -#close 2016-07-13-16-16-12 +1363716396.798072 CHhAvVGS1DHFjwGM9 55.247.223.174 27285 222.195.43.124 53 udp 21140 0.000214 www.cmu.edu 1 C_INTERNET 1 A 0 NOERROR T F F F 1 www-cmu.andrew.cmu.edu,RRSIG 5 cmu.edu,www-cmu-2.andrew.cmu.edu,128.2.10.163 86400.000000,86400.000000,5.000000,21600.000000 F +1363716396.798374 CHhAvVGS1DHFjwGM9 55.247.223.174 27285 222.195.43.124 53 udp 21140 - www.cmu.edu - - - - 0 NOERROR T F F F 0 www-cmu.andrew.cmu.edu,RRSIG 5 cmu.edu,www-cmu-2.andrew.cmu.edu,128.2.10.163 86400.000000,86400.000000,5.000000,21600.000000 F +#close 2018-09-21-21-07-55 diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/weird.log b/testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/weird.log deleted file mode 100644 index e9d388f1fc..0000000000 --- a/testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/weird.log +++ /dev/null 
@@ -1,10 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path weird -#open 2017-12-13-19-40-49 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1363716396.798286 CHhAvVGS1DHFjwGM9 55.247.223.174 27285 222.195.43.124 53 DNS_RR_unknown_type 46 F bro -#close 2017-12-13-19-40-49 diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.nsec/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.nsec/dns.log new file mode 100644 index 0000000000..775f1bec02 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.dns.nsec/dns.log @@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path dns +#open 2018-09-21-21-04-27 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected auth addl +#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool set[string] set[string] +1533310046.924340 CHhAvVGS1DHFjwGM9 35.184.172.191 57073 128.175.13.16 53 udp 130 - dla.library.upenn.edu 1 C_INTERNET 28 AAAA 0 NOERROR F F F F 1 - - F NSEC dla.library.upenn.edu dlxssvr.library.upenn.edu,assailants.net.isc.upenn.edu,RRSIG 6 upenn.edu,RRSIG 47 upenn.edu - +1533310049.812056 ClEkJM2Vm5giqnMf4h 35.184.172.191 50693 128.175.13.16 53 udp 51063 0.001515 www.upenn.edu 1 C_INTERNET 1 A 0 NOERROR T F F F 1 www.upenn.edgekey.net,RRSIG 5 upenn.edu 300.000000,300.000000 F - - +#close 2018-09-21-21-04-27 diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.nsec/output b/testing/btest/Baseline/scripts.base.protocols.dns.nsec/output new file mode 100644 index 0000000000..91670ae832 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.dns.nsec/output 
@@ -0,0 +1,5 @@ +RRSIG, [query=upenn.edu, answer_type=2, type_covered=6, algorithm=5, labels=2, orig_ttl=1.0 hr, sig_exp=1535901996.0, sig_incep=1533306396.0, key_tag=50475, signer_name=upenn.edu, signature=\xdd=,iY\xd9\x0b\xdbmi\xc9L<\xdd\x03-\xaa\xda5Z\x1b\x0aK\x94.\x97p\xd8\x96\x7f\xa8*Cc\x9c\xa4\x86\xee\xd4\xc4\x0c\x88\x03v\xdf\x14\xef\x0c"|l\xfc)\xc7E\xd1I\xa3\x0dM/^\x98\xe9\xd8P\xbbDZ\xb1|z\xd5H8\xde\xf0\xeb\x14\x19\x99gm\xbdg\xbf\xe0\xe9CU\xf5_\xf0\x01\xe5\x1a\x8f7\x0e\x7foJ\xc1`\x09\xd9%\xc0x9\xe7\x81\xfco\xad\xa5\xd8\xfa\xf5I\xb6\x9f\xca\x9b#\xd9d\xd0, is_query=0], dd3d2c6959d90bdb6d69c94c3cdd032daada355a1b0a4b942e9770d8967fa82a43639ca486eed4c40c880376df14ef0c227c6cfc29c745d149a30d4d2f5e98e9d850bb445ab17c7ad54838def0eb141999676dbd67bfe0e94355f55ff001e51a8f370e7f6f4ac16009d925c07839e781fc6fada5d8faf549b69fca9b23d964d0 +NSEC, dlxssvr.library.upenn.edu, [@\x00\x00\x00\x00\x03] +400000000003 +RRSIG, [query=dla.library.upenn.edu, answer_type=2, type_covered=47, algorithm=5, labels=4, orig_ttl=1.0 hr, sig_exp=1534400915.0, sig_incep=1531807585.0, key_tag=50475, signer_name=upenn.edu, signature=\x9fhH\x95K7\xd5u\xa5\xbc\xf5\x17\xccM\xe3=T\xd05u\xfa\xea\xfa\xfe\x0eH-W\xbb\xa3l\xa9\xe2\x8f\xef\x05\xf0\xdc\xb1\xf2\xe8u\x8cd\xf72\x02\xfd;u\xde\x19\xe8\xda\xe9\x0aAVz!\xa7\xa5\xc2\x8d\xad\xa9\xe1\x87\x136\xd7\xfal\x827\xd1\xb1\xcd\x11c\x15F(\xd0=\x967\xc3\x1b, is_query=0], a4ac1814ca639d81bc6b5b351cf5334610f077ec2fb35a7be511fffcfd75a1a76fdd198247325dcb5bcdc75c3fa72cc8fa3bdb233dc408e0574a4a198750703cc9a845dc4db22ec150a4b7e147de3cb0a63e64f73202fd3b75de19e8dae90a41567a21a7a5c28dada9e1871336d7fa6c8237d1b1cd1163154628d03d9637c31b diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.nsec3/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.nsec3/dns.log new file mode 100644 index 0000000000..cf677e370f --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.dns.nsec3/dns.log 
@@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path dns +#open 2018-09-21-21-04-55 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected auth addl +#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool set[string] set[string] +1537560385.602565 CHhAvVGS1DHFjwGM9 192.168.1.102 49324 192.168.1.1 53 udp 9835 - foobar.sshfp.net 1 C_INTERNET 1 A 3 NXDOMAIN F F T F 2 - - F ns0.weberdns.de,RRSIG 6 sshfp.net,NSEC3,RRSIG 50 sshfp.net - +#close 2018-09-21-21-04-55 diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.nsec3/output b/testing/btest/Baseline/scripts.base.protocols.dns.nsec3/output new file mode 100644 index 0000000000..a9b81df281 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.dns.nsec3/output 
@@ -0,0 +1,5 @@ +NSEC3, [query=vlq247qi8p1tt3a8cgmd7glfndtigsdu.sshfp.net, answer_type=2, nsec_flags=0, nsec_hash_algo=1, nsec_iter=20, nsec_salt_len=16, nsec_salt=\x80c}\x8a\xf0U\xb5\xee\xca*b\x1e\xda\xaa<^, nsec_hlen=20, nsec_hash==\x8a>\xb6\x1a\x9d\xfa\x95\x1aB\xd7w\x9c\x1f\x15\x06\x85\xa0\x19G, bitmaps=[b\x01\x80\x08\x00\x02\x90], is_query=0], 80637d8af055b5eeca2a621edaaa3c5e, 3d8a3eb61a9dfa951a42d7779c1f150685a01947 +RRSIG, [query=vlq247qi8p1tt3a8cgmd7glfndtigsdu.sshfp.net, answer_type=2, type_covered=50, algorithm=10, labels=3, orig_ttl=3.0 mins, sig_exp=1538967745.0, sig_incep=1536374962.0, key_tag=31055, signer_name=sshfp.net, signature=es\xe2\x01:\x10B$|\x93\xdf\xc8\x8c\xc0\x0bk\x8e\x8f\xad\xf44y3\x81x\x11\xeb H\xef\xb5\x941^\xc4\xba\x91\x12\xb7\xcdHua"\xa6\x13o\xe1\x86\xc6z\x80\x9c\xc2\x00\x93\xe2\xaa@\x15YH\xea^0\xfd\xf0:\xbej-\xe2\xb9K\x87wN\xdc\xc3_\x0c\x0ew\x96c\xd2\x09\x0e;i\xbef\xb9\xc22\xdf#\xdfy\xa7\x9f\xc4S\x8d-\x84\xfa0\xd0\xbc\xf3|c3\x04\x9e*\xbd\x82\x9fC\x89`\x15V\x08o\xea\xd6\xd0I\xc5b\x94WpOJ\x82\x12Z\xd6A\xad\x1cV\xb5\x15sCv\xe2Tq>\xffU\x88Ji\xa7I\xd4\xc6$\xb8\xdd\xc1\x8a4_a\xd9\xb6\xdbk\xde\x80\xc7\xad\xea\x16\xe4\xf5\x09\xdd<\x8fR\xcb\x00\x04|\xbc\xc3\xae\xac\xd1+\xc0\xf7\xe3\xad\x09d\xd0!\xc4AL\xfd\xb0=p\x86\x84\x89\x18\xd8\xab\x9d\xbb\xf1\xe4\xd9\x8ak\xfc\xb8\x98a )\xffX\x0cj>D\xe9oi\xbfh\x13`\xfco%0\xc5O\xe2\xa2i\x1b, is_query=0], 6573e2013a1042247c93dfc88cc00b6b8e8fadf4347933817811eb2048efb594315ec4ba9112b7cd48756122a6136fe186c67a809cc20093e2aa40155948ea5e30fdf03abe6a2de2b94b87774edcc35f0c0e779663d2090e3b69be66b9c232df23df79a79fc4538d2d84fa30d0bcf37c6333049e2abd829f4389601556086fead6d049c5629457704f4a82125ad641ad1c56b515734376e254713eff55884a69a749d4c624b8ddc18a345f61d9b6db6bde80c7adea16e4f509dd3c8f52cb00047cbcc3aeacd12bc0f7e3ad0964d021c4414cfdb03d7086848918d8ab9dbbf1e4d98a6bfcb898612029ff580c6a3e44e96f69bf681360fc6f2530c54fe2a2691b +NSEC3, [query=l0oop5o98lf6fb7e620sabaqf0nctco6.sshfp.net, answer_type=2, nsec_flags=0, 
nsec_hash_algo=1, nsec_iter=20, nsec_salt_len=16, nsec_salt=\x80c}\x8a\xf0U\xb5\xee\xca*b\x1e\xda\xaa<^, nsec_hlen=20, nsec_hash=\xe6\x0f\x07\xa33z\x0c\xd9kaT^\x12D\x96\xfa\xe35K\xc6, bitmaps=[@\x00\x00\x08\x00\x02], is_query=0], 80637d8af055b5eeca2a621edaaa3c5e, e60f07a3337a0cd96b61545e124496fae3354bc6 +RRSIG, [query=l0oop5o98lf6fb7e620sabaqf0nctco6.sshfp.net, answer_type=2, type_covered=50, algorithm=10, labels=3, orig_ttl=3.0 mins, sig_exp=1539303070.0, sig_incep=1536708214.0, key_tag=31055, signer_name=sshfp.net, signature=V\xa0\x1f\xa69\xd4H\xffWQ1"n\x89\xc5\x14_\x15ow[\xfbv9h\xd4\xcfd|\xfc\x9f\x83Y\x0ax\x81D@\xb5\x9e\x8fQEp\x99\xb6\x91ovG\\x86\xf2W5\xe9\\x99-\xa6\x91\xe7\xd8\x96\x1e\xa9f\x0e\xc82\xde\xb1"\x1bu\x80cL\x95\x06\xae\x9a\x996\xe3\x98\xd6\x10\x1awJ\x0fX\x00z@\xd9\x0b\x93\xda\xcf\xe2i\x8f1\xf5\x99\xf1\xb3S|\x8b\x13\xf3\xed/\xab\xb8\x0b\x04\xc9\xe5Y/\xe7\xcb\x84\x03\xfaB\xf4C\xa5q\xfe\xd6\xed\xc7/\xbd&\xf2;\xad\xcb\xad\xb8q\xd0[O\xdaM\xcf\x89m\x8f\x983\x163\xdb\xf3?\xd6s\xb6D\xe2\x80v\x83M\x136\xd1\xb3>:p0B\xd8\x1d\x07\x87\\x99\x12V\x96\xeb\xb6%\xef^\xebS\xf0\xbb\x1fF\\xc3\x16\xe1\x16T\xa84 \x14\xac\xe7G\x0b:E\x98\x01U\xf8`\x15\xcc(\x83\x19\xce\xba\xb8\x18\xcd\xd5L, is_query=0], 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 +RRSIG, [query=sshfp.net, answer_type=2, type_covered=6, algorithm=10, labels=2, orig_ttl=1.0 day, sig_exp=1540066160.0, sig_incep=1537470560.0, key_tag=31055, signer_name=sshfp.net, signature=|\x9aJ\xc1\x8c\xc6\x0e\x051l1Jz<\x19\x07Xv\x06\xea\xe5\xf7n\x0b\x09\xc0K\xcf\xa1\x10\xb2\xfb\xa3\x84\xe3\xc9\xeer\xa1Z\x0a\x1a\xb6B\xb6-\x98\x8f\x97\xd4E*\x99a\x0cI\xba\xd3(\xdf\xbe\xaa\xd1\xd4\x1b\xcb\x8a\x96\xe8\xc6\x07\xf2W\xa3\xba\x15^\xf7;\xa9\x99\xeb`@\xe5F`\xcd\xc6\xb5aw\xd8\xc5bkl\xc1 
\xa7\x93T\xaa\xbf\x15\x0e\xd8\xf8\x9cY\xdfe\xda\x811\x09\x9a\x10\x10S},E\x94]>\xc2\xecD9\x19\x9al\x9c[\x82\xf1'Ri\x8e\xb4\x0d*\xa4\x07D&%\xa5\xf1\xb18\xd6l\xd6\xee\xbe`\x06\x96\x8cU\xe6\x04y\x84\xf9[\x08\xb9\xb6\xe6P\xba?\x88F\x81I>\xb1\xef\xbf\x993\x0d[O}#s\x83\xa5\x14\xe7_\x98\xdd\xf5}\xf9A\xf1\x1e\xc0\x12\xed\x0b\xf3\x99\x91\x1ay\xaa;\xa4\xef&6\x86y`\xb4\xee\xf2u/\x9c\xda\xfc>\x8d\xdb\xaf\m\x8e]\xb2\xf8\xce\xd9\xa1\x8d\xe6<\xb8\xe5\xb9\x8cEd\x97\xdb\xbd, is_query=0], 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 diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.rrsig/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.rrsig/dns.log new file mode 100644 index 0000000000..a0b84a3685 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.dns.rrsig/dns.log 
@@ -0,0 +1,13 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path dns +#open 2018-09-21-20-48-53 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected +#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool +1533309955.393636 ClEkJM2Vm5giqnMf4h 35.184.172.191 10267 128.175.13.16 53 udp 17129 0.003405 virgo.sas.upenn.edu 1 C_INTERNET 1 A 0 NOERROR T F F F 1 128.91.234.142,RRSIG 1 upenn.edu 30.000000,30.000000 F +1533309959.571738 C4J4Th3PJpwUYZZ6gc 35.184.172.191 50056 128.175.13.16 53 udp 26222 0.003363 virgo.sas.upenn.edu 1 C_INTERNET 1 A 0 NOERROR T F F F 1 128.91.234.142,RRSIG 1 upenn.edu 30.000000,30.000000 F +1533309959.968589 CtPZjS20MLrsMUOJi2 35.184.172.191 39975 128.175.13.16 53 udp 27118 0.003748 workfamily.sas.upenn.edu 1 C_INTERNET 1 A 0 NOERROR T F F F 1 quasar.sas.upenn.edu,RRSIG 5 upenn.edu,128.91.234.145,RRSIG 1 upenn.edu 900.000000,900.000000,30.000000,30.000000 F +1533309950.391966 CHhAvVGS1DHFjwGM9 35.184.172.191 5386 128.175.13.16 53 udp 62809 - virgo.sas.upenn.edu 1 C_INTERNET 1 A - - F F F F 1 - - F +#close 2018-09-21-20-48-53 diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.rrsig/output b/testing/btest/Baseline/scripts.base.protocols.dns.rrsig/output new file mode 100644 index 0000000000..ddeb34efd0 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.dns.rrsig/output 
@@ -0,0 +1,4 @@ +RRSIG, [query=virgo.sas.upenn.edu, answer_type=1, type_covered=1, algorithm=5, labels=4, orig_ttl=30.0 secs, sig_exp=1535441489.0, sig_incep=1532846032.0, key_tag=50475, signer_name=upenn.edu, signature=k:\xbd\\?)\xa4\x03\x1fw\xd4\x18#\x1d\\x9fV\xe6\xc5\x06w\xa7\x97\xb9\xc9\x7f\xa9\xe3<\xc8h\xf8\x81\xd5D\x09\Z\x19\x0a\xb7\x87`\x9d\xcbp\x9c\xcf\xcc\xf1#J\xc6\xd1P{\x11\xf5J\xcb\x02\x14n"y\x0e\xcb\x8f\x1cR\x14;B\x94]\xda\x9d~\x93\xe9\x96*U\xc7\xa7\xde\x02\xfeD\xbb\xab\xfa\xc2In\xed?\x8e\xe3D\xfb\xf1\xd3I\x9dj\xab\xcan\xa7\x16\xd4M]\xe0\xc5\xcbm\xf6\xd0\x8cAV\xaau\xa2\xd4, is_query=0], 6b3abd5c5c3f29a4031f77d418231d5c9f56e6c50677a797b9c97fa9e33cc868f881d544095c5a190ab787609dcb709ccfccf1234ac6d1507b11f54acb02146e22790ecb8f1c52143b42945dda9d7e93e9962a55c7a7de02fe44bbabfac2496eed3f8ee344fbf1d3499d6aabca6ea716d44d5de0c5cb6df6d08c4156aa75a2d4 +RRSIG, [query=virgo.sas.upenn.edu, answer_type=1, type_covered=1, algorithm=5, labels=4, orig_ttl=30.0 secs, sig_exp=1535441489.0, sig_incep=1532846032.0, key_tag=50475, signer_name=upenn.edu, signature=k:\xbd\\?)\xa4\x03\x1fw\xd4\x18#\x1d\\x9fV\xe6\xc5\x06w\xa7\x97\xb9\xc9\x7f\xa9\xe3<\xc8h\xf8\x81\xd5D\x09\Z\x19\x0a\xb7\x87`\x9d\xcbp\x9c\xcf\xcc\xf1#J\xc6\xd1P{\x11\xf5J\xcb\x02\x14n"y\x0e\xcb\x8f\x1cR\x14;B\x94]\xda\x9d~\x93\xe9\x96*U\xc7\xa7\xde\x02\xfeD\xbb\xab\xfa\xc2In\xed?\x8e\xe3D\xfb\xf1\xd3I\x9dj\xab\xcan\xa7\x16\xd4M]\xe0\xc5\xcbm\xf6\xd0\x8cAV\xaau\xa2\xd4, is_query=0], 6b3abd5c5c3f29a4031f77d418231d5c9f56e6c50677a797b9c97fa9e33cc868f881d544095c5a190ab787609dcb709ccfccf1234ac6d1507b11f54acb02146e22790ecb8f1c52143b42945dda9d7e93e9962a55c7a7de02fe44bbabfac2496eed3f8ee344fbf1d3499d6aabca6ea716d44d5de0c5cb6df6d08c4156aa75a2d4 +RRSIG, [query=workfamily.sas.upenn.edu, answer_type=1, type_covered=5, algorithm=5, labels=4, orig_ttl=15.0 mins, sig_exp=1534263016.0, sig_incep=1531669322.0, key_tag=50475, signer_name=upenn.edu, 
signature='I\xe2_d\xe4\xe6S\x85\xe5\x8a\xe2w\xcd\xd4\xe0\xc4j7<\xf8\x02\xf2\xc1\x07\x9d\x05\xe8\x84\x01\xe8|t\x98\x07\xdb5\xba\xf3T\xcc%\x91\x0d&\xe3\x8f\xfd@ZS\xf7\xf4\xa9\xe6\xe6\x13\x17\x99^\xd8\xa7g\xe2\xa5+\xcb\x9cyZ\xeb$4\xfd}\xa5\xe4N\xa8\xb9\xb63\x8a\xebe\x0f\xd8\x80\xd4\xa8\x13#S\xe57d\xd8\xd8\x08\xa2%\x0c\x99K\xa7!\x08\xac\x1byi!\xe0\xeb\x9cX\xfc\xd8E\xdeH\xf4\xad\xc8/#\x19a, is_query=0], 2749e25f64e4e65385e58ae277cdd4e0c46a373cf802f2c1079d05e88401e87c749807db35baf354cc25910d26e38ffd405a53f7f4a9e6e61317995ed8a767e2a52bcb9c795aeb2434fd7da5e44ea8b9b6338aeb650fd880d4a8132353e53764d8d808a2250c994ba72108ac1b796921e0eb9c58fcd845de48f4adc82f231961 +RRSIG, [query=quasar.sas.upenn.edu, answer_type=1, type_covered=1, algorithm=5, labels=4, orig_ttl=30.0 secs, sig_exp=1535438502.0, sig_incep=1532845422.0, key_tag=50475, signer_name=upenn.edu, signature=a8"\x80\xc3\x92\xa3\x83lu{H>\xd4\xc3H\x8d.\xb4\x96/E\x09\x99\x9d\x0c\x17\xdd\x10\xb8ZT&\xb1H\x10\x1ak,\x98\x0d\xaf\x8dx}\xac\xf9\x9asyf\xce\xf8L\x04\x06\xc5y\xc4A,\xf6|\xaa\xc3tG\xb6\xcc^\xae\x9e\xb2\xb6ok`V\x15b\xd6\xab\xa4\xe3\x04\xe6\x019\xaf\x9f\xb0\xf6yM {P\xb0C\xa0\x85CVR\xfd\x97@,\xe0\xad\xdc7\xa4\xfc\x12\xc4\xee2)\x12\xefIkk\xdaA11, is_query=0], 61382280c392a3836c757b483ed4c3488d2eb4962f4509999d0c17dd10b85a5426b148101a6b2c980daf8d787dacf99a737966cef84c0406c579c4412cf67caac37447b6cc5eae9eb2b66f6b60561562d6aba4e304e60139af9fb0f6794d207b50b043a085435652fd97402ce0addc37a4fc12c4ee322912ef496b6bda413131 diff --git a/testing/btest/Traces/dnssec/dnskey.pcap b/testing/btest/Traces/dnssec/dnskey.pcap new file mode 100644 index 0000000000..dba51610f6 Binary files /dev/null and b/testing/btest/Traces/dnssec/dnskey.pcap differ diff --git a/testing/btest/Traces/dns-dnskey.trace b/testing/btest/Traces/dnssec/dnskey2.pcap similarity index 100% rename from testing/btest/Traces/dns-dnskey.trace rename to testing/btest/Traces/dnssec/dnskey2.pcap 
diff --git a/testing/btest/Traces/dnssec/ds.pcap b/testing/btest/Traces/dnssec/ds.pcap new file mode 100644 index 0000000000..51a269fcf3 Binary files /dev/null and b/testing/btest/Traces/dnssec/ds.pcap differ diff --git a/testing/btest/Traces/dnssec/nsec.pcap b/testing/btest/Traces/dnssec/nsec.pcap new file mode 100644 index 0000000000..355b782f1d Binary files /dev/null and b/testing/btest/Traces/dnssec/nsec.pcap differ diff --git a/testing/btest/Traces/dnssec/nsec3.pcap b/testing/btest/Traces/dnssec/nsec3.pcap new file mode 100644 index 0000000000..8346c1f872 Binary files /dev/null and b/testing/btest/Traces/dnssec/nsec3.pcap differ diff --git a/testing/btest/Traces/dnssec/rrsig.pcap b/testing/btest/Traces/dnssec/rrsig.pcap new file mode 100644 index 0000000000..e9dbf73b96 Binary files /dev/null and b/testing/btest/Traces/dnssec/rrsig.pcap differ diff --git a/testing/btest/core/leaks/dns-nsec3.bro b/testing/btest/core/leaks/dns-nsec3.bro new file mode 100644 index 0000000000..16be0103e6 --- /dev/null +++ b/testing/btest/core/leaks/dns-nsec3.bro 
@@ -0,0 +1,40 @@
+# Needs perftools support.
+#
+# @TEST-GROUP: leaks
+#
+# @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks
+#
+# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -b -C -m -r $TRACES/dnssec/nsec3.pcap %INPUT
+# @TEST-EXEC: btest-bg-wait 60
+
+@load policy/protocols/dns/auth-addl
+
+event dns_RRSIG(c: connection, msg: dns_msg, ans: dns_answer, rrsig: dns_rrsig_rr)
+ {
+ print "RRSIG", rrsig, bytestring_to_hexstr(rrsig$signature);
+ }
+
+event dns_DNSKEY(c: connection, msg: dns_msg, ans: dns_answer, dnskey: dns_dnskey_rr)
+ {
+ print "DNSKEY", dnskey, bytestring_to_hexstr(dnskey$public_key);
+ }
+
+event dns_NSEC(c: connection, msg: dns_msg, ans: dns_answer, next_name: string, bitmaps: string_vec)
+ {
+ print "NSEC", next_name, bitmaps;
+
+ for ( i in bitmaps )
+ print bytestring_to_hexstr(bitmaps[i]);
+ }
+
+event dns_NSEC3(c: connection, msg: dns_msg, ans: dns_answer, nsec3: dns_nsec3_rr)
+ {
+ print "NSEC3", nsec3,
+ bytestring_to_hexstr(nsec3$nsec_salt),
+ bytestring_to_hexstr(nsec3$nsec_hash);
+ }
+
+event dns_DS(c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_rr)
+ {
+ print "DS", ds, bytestring_to_hexstr(ds$digest_val);
+ }
diff --git a/testing/btest/scripts/base/protocols/dns/dns-key.bro b/testing/btest/scripts/base/protocols/dns/dns-key.bro
index c51788c605..4880ad3530 100644
--- a/testing/btest/scripts/base/protocols/dns/dns-key.bro
+++ b/testing/btest/scripts/base/protocols/dns/dns-key.bro
@@ -1,4 +1,4 @@
 # Making sure DNSKEY gets logged as such.
 #
-# @TEST-EXEC: bro -r $TRACES/dns-dnskey.trace
+# @TEST-EXEC: bro -r $TRACES/dnssec/dnskey2.pcap
 # @TEST-EXEC: btest-diff dns.log
diff --git a/testing/btest/scripts/base/protocols/dns/dnskey.bro b/testing/btest/scripts/base/protocols/dns/dnskey.bro
new file mode 100644
index 0000000000..9297dc696a
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/dns/dnskey.bro
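Review bot: The single heap-checked run at `@TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. ... -r $TRACES/dnssec/nsec3.pcap` replays only the NSEC3 trace, so `dns_DNSKEY`, `dns_DS` and `dns_NSEC` are handlers the leak checker never reaches — the nsec3 baseline output elsewhere in this commit contains only NSEC3 and RRSIG records. Those three parsers decode variable-length, attacker-controlled wire data (public-key blobs, digests, type bitmaps), which is exactly the code a leak test should cover. Consider adding runs over `dnskey.pcap`, `ds.pcap` and `nsec.pcap` (each `btest-bg-run` invocation presumably needs a distinct name, e.g. `btest-bg-run dnskey bro -b -C -m -r $TRACES/dnssec/dnskey.pcap %INPUT`), or one leak test per trace alongside this one.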
@@ -0,0 +1,35 @@
+# @TEST-EXEC: bro -C -r $TRACES/dnssec/dnskey.pcap %INPUT > output
+# @TEST-EXEC: btest-diff dns.log
+# @TEST-EXEC: btest-diff output
+
+#@load policy/protocols/dns/auth-addl
+
+event dns_RRSIG(c: connection, msg: dns_msg, ans: dns_answer, rrsig: dns_rrsig_rr)
+ {
+ print "RRSIG", rrsig, bytestring_to_hexstr(rrsig$signature);
+ }
+
+event dns_DNSKEY(c: connection, msg: dns_msg, ans: dns_answer, dnskey: dns_dnskey_rr)
+ {
+ print "DNSKEY", dnskey, bytestring_to_hexstr(dnskey$public_key);
+ }
+
+event dns_NSEC(c: connection, msg: dns_msg, ans: dns_answer, next_name: string, bitmaps: string_vec)
+ {
+ print "NSEC", next_name, bitmaps;
+
+ for ( i in bitmaps )
+ print bytestring_to_hexstr(bitmaps[i]);
+ }
+
+event dns_NSEC3(c: connection, msg: dns_msg, ans: dns_answer, nsec3: dns_nsec3_rr)
+ {
+ print "NSEC3", nsec3,
+ bytestring_to_hexstr(nsec3$nsec_salt),
+ bytestring_to_hexstr(nsec3$nsec_hash);
+ }
+
+event dns_DS(c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_rr)
+ {
+ print "DS", ds, bytestring_to_hexstr(ds$digest_val);
+ }
diff --git a/testing/btest/scripts/base/protocols/dns/ds.bro b/testing/btest/scripts/base/protocols/dns/ds.bro
new file mode 100644
index 0000000000..ecb90514cd
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/dns/ds.bro
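Review bot: `#@load policy/protocols/dns/auth-addl` is a commented-out directive left in the new test, so a reader cannot tell whether the baseline was meant to be produced with authority/additional logging on or off; the dns.log baseline for this test has no `auth`/`addl` columns, so it was evidently off. Either delete the line or enable it deliberately the way `nsec.bro` and `nsec3.bro` do, where the records of interest sit in the authority section. The same leftover appears in `ds.bro` and `rrsig.bro`.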
@@ -0,0 +1,35 @@
+# @TEST-EXEC: bro -C -r $TRACES/dnssec/ds.pcap %INPUT > output
+# @TEST-EXEC: btest-diff dns.log
+# @TEST-EXEC: btest-diff output
+
+#@load policy/protocols/dns/auth-addl
+
+event dns_RRSIG(c: connection, msg: dns_msg, ans: dns_answer, rrsig: dns_rrsig_rr)
+ {
+ print "RRSIG", rrsig, bytestring_to_hexstr(rrsig$signature);
+ }
+
+event dns_DNSKEY(c: connection, msg: dns_msg, ans: dns_answer, dnskey: dns_dnskey_rr)
+ {
+ print "DNSKEY", dnskey, bytestring_to_hexstr(dnskey$public_key);
+ }
+
+event dns_NSEC(c: connection, msg: dns_msg, ans: dns_answer, next_name: string, bitmaps: string_vec)
+ {
+ print "NSEC", next_name, bitmaps;
+
+ for ( i in bitmaps )
+ print bytestring_to_hexstr(bitmaps[i]);
+ }
+
+event dns_NSEC3(c: connection, msg: dns_msg, ans: dns_answer, nsec3: dns_nsec3_rr)
+ {
+ print "NSEC3", nsec3,
+ bytestring_to_hexstr(nsec3$nsec_salt),
+ bytestring_to_hexstr(nsec3$nsec_hash);
+ }
+
+event dns_DS(c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_rr)
+ {
+ print "DS", ds, bytestring_to_hexstr(ds$digest_val);
+ }
diff --git a/testing/btest/scripts/base/protocols/dns/duplicate-reponses.bro b/testing/btest/scripts/base/protocols/dns/duplicate-reponses.bro
index a16235b9a5..e13b3b4807 100644
--- a/testing/btest/scripts/base/protocols/dns/duplicate-reponses.bro
+++ b/testing/btest/scripts/base/protocols/dns/duplicate-reponses.bro
@@ -2,4 +2,3 @@
 #
 # @TEST-EXEC: bro -r $TRACES/dns-two-responses.trace
 # @TEST-EXEC: btest-diff dns.log
-# @TEST-EXEC: btest-diff weird.log
\ No newline at end of file
diff --git a/testing/btest/scripts/base/protocols/dns/nsec.bro b/testing/btest/scripts/base/protocols/dns/nsec.bro
new file mode 100644
index 0000000000..8d9b1c91a7
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/dns/nsec.bro
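Review bot: Removing `# @TEST-EXEC: btest-diff weird.log` drops the only assertion about weird.log for this trace instead of pinning the new expectation: the deleted baseline shows the `DNS_RR_unknown_type 46` weird vanishing because RRSIG (type 46) is now parsed, and that is precisely the behaviour worth keeping under test. With no check at all, a regression that stops recognising type 46 would pass this test unnoticed. A negative check such as `# @TEST-EXEC: test ! -e weird.log` (Bro appears to create the log only when something is written to it) keeps the absence of the weird verified.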
@@ -0,0 +1,35 @@
+# @TEST-EXEC: bro -C -r $TRACES/dnssec/nsec.pcap %INPUT > output
+# @TEST-EXEC: btest-diff dns.log
+# @TEST-EXEC: btest-diff output
+
+@load policy/protocols/dns/auth-addl
+
+event dns_RRSIG(c: connection, msg: dns_msg, ans: dns_answer, rrsig: dns_rrsig_rr)
+ {
+ print "RRSIG", rrsig, bytestring_to_hexstr(rrsig$signature);
+ }
+
+event dns_DNSKEY(c: connection, msg: dns_msg, ans: dns_answer, dnskey: dns_dnskey_rr)
+ {
+ print "DNSKEY", dnskey, bytestring_to_hexstr(dnskey$public_key);
+ }
+
+event dns_NSEC(c: connection, msg: dns_msg, ans: dns_answer, next_name: string, bitmaps: string_vec)
+ {
+ print "NSEC", next_name, bitmaps;
+
+ for ( i in bitmaps )
+ print bytestring_to_hexstr(bitmaps[i]);
+ }
+
+event dns_NSEC3(c: connection, msg: dns_msg, ans: dns_answer, nsec3: dns_nsec3_rr)
+ {
+ print "NSEC3", nsec3,
+ bytestring_to_hexstr(nsec3$nsec_salt),
+ bytestring_to_hexstr(nsec3$nsec_hash);
+ }
+
+event dns_DS(c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_rr)
+ {
+ print "DS", ds, bytestring_to_hexstr(ds$digest_val);
+ }
diff --git a/testing/btest/scripts/base/protocols/dns/nsec3.bro b/testing/btest/scripts/base/protocols/dns/nsec3.bro
new file mode 100644
index 0000000000..0710be8fea
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/dns/nsec3.bro
@@ -0,0 +1,35 @@
+# @TEST-EXEC: bro -C -r $TRACES/dnssec/nsec3.pcap %INPUT > output
+# @TEST-EXEC: btest-diff dns.log
+# @TEST-EXEC: btest-diff output
+
+@load policy/protocols/dns/auth-addl
+
+event dns_RRSIG(c: connection, msg: dns_msg, ans: dns_answer, rrsig: dns_rrsig_rr)
+ {
+ print "RRSIG", rrsig, bytestring_to_hexstr(rrsig$signature);
+ }
+
+event dns_DNSKEY(c: connection, msg: dns_msg, ans: dns_answer, dnskey: dns_dnskey_rr)
+ {
+ print "DNSKEY", dnskey, bytestring_to_hexstr(dnskey$public_key);
+ }
+
+event dns_NSEC(c: connection, msg: dns_msg, ans: dns_answer, next_name: string, bitmaps: string_vec)
+ {
+ print "NSEC", next_name, bitmaps;
+
+ for ( i in bitmaps )
+ print bytestring_to_hexstr(bitmaps[i]);
+ }
+
+event dns_NSEC3(c: connection, msg: dns_msg, ans: dns_answer, nsec3: dns_nsec3_rr)
+ {
+ print "NSEC3", nsec3,
+ bytestring_to_hexstr(nsec3$nsec_salt),
+ bytestring_to_hexstr(nsec3$nsec_hash);
+ }
+
+event dns_DS(c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_rr)
+ {
+ print "DS", ds, bytestring_to_hexstr(ds$digest_val);
+ }
diff --git a/testing/btest/scripts/base/protocols/dns/rrsig.bro b/testing/btest/scripts/base/protocols/dns/rrsig.bro
new file mode 100644
index 0000000000..32b958a789
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/dns/rrsig.bro
@@ -0,0 +1,35 @@
+# @TEST-EXEC: bro -C -r $TRACES/dnssec/rrsig.pcap %INPUT > output
+# @TEST-EXEC: btest-diff dns.log
+# @TEST-EXEC: btest-diff output
+
+#@load policy/protocols/dns/auth-addl
+
+event dns_RRSIG(c: connection, msg: dns_msg, ans: dns_answer, rrsig: dns_rrsig_rr)
+ {
+ print "RRSIG", rrsig, bytestring_to_hexstr(rrsig$signature);
+ }
+
+event dns_DNSKEY(c: connection, msg: dns_msg, ans: dns_answer, dnskey: dns_dnskey_rr)
+ {
+ print "DNSKEY", dnskey, bytestring_to_hexstr(dnskey$public_key);
+ }
+
+event dns_NSEC(c: connection, msg: dns_msg, ans: dns_answer, next_name: string, bitmaps: string_vec)
+ {
+ print "NSEC", next_name, bitmaps;
+
+ for ( i in bitmaps )
+ print bytestring_to_hexstr(bitmaps[i]);
+ }
+
+event dns_NSEC3(c: connection, msg: dns_msg, ans: dns_answer, nsec3: dns_nsec3_rr)
+ {
+ print "NSEC3", nsec3,
+ bytestring_to_hexstr(nsec3$nsec_salt),
+ bytestring_to_hexstr(nsec3$nsec_hash);
+ }
+
+event dns_DS(c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_rr)
+ {
+ print "DS", ds, bytestring_to_hexstr(ds$digest_val);
+ }
diff --git a/testing/external/commit-hash.bro-testing b/testing/external/commit-hash.bro-testing
index 5d8a6e7ff9..9bc4a8a8b9 100644
--- a/testing/external/commit-hash.bro-testing
+++ b/testing/external/commit-hash.bro-testing
@@ -1 +1 @@
-afac6ebba8eda2a8fcad0248ecb6e6dbd8be220f
+b6dd014d2227695bff21eab627ba15528bf5151f
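Review bot: The five new `scripts/base/protocols/dns` tests and the `dns-nsec3.bro` leak test repeat the same five event handlers verbatim, differing only in the trace name and whether `auth-addl` is loaded. Any later change to one of the record types (a renamed field in `dns_rrsig_rr`, say) then has to be applied in six places, and a missed copy will surface as an unrelated baseline failure rather than as the intended test. If the btest layout permits it, keep the handlers in one shared script that each test loads; at minimum, decide on the `#@load policy/protocols/dns/auth-addl` line here rather than leaving it commented out.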