Merge branch 'fatemabw/bro' of https://github.com/fatemabw/bro into dev/2.7

* 'fatemabw/bro' of https://github.com/fatemabw/bro: DNSSEC support in Bro I made several changes: - renamed event/record types - reformatted the info added to dns.log - removed the "addl" scripts that added extended dnssec info to dns.log - simplifications/improvements to the internal parsing logic
2025-10-15 04:58:21 +00:00 · 2018-09-21 16:40:41 -05:00 · 2018-09-21 16:40:41 -05:00 · 71ef5c8428
commit 71ef5c8428
parent c2c5754e28 ff5c11975d
37 changed files with 1109 additions and 27 deletions
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@ -3544,6 +3544,67 @@ type dns_tsig_additional: record {
 	is_query: count;	##< TODO.
 };

+## A DNSSEC RRSIG record.
+##
+## .. bro:see:: dns_RRSIG
+type dns_rrsig_rr: record {
+	query: string;			##< Query.
+	answer_type: count;		##< Ans type.
+	type_covered: count;	##< qtype covered by RRSIG RR.
+	algorithm: count;		##< Algorithm.
+	labels: count;			##< Labels in the owner's name.
+	orig_ttl: interval;		##< Original TTL.
+	sig_exp: time;			##< Time when signed RR expires.
+	sig_incep: time;		##< Time when signed.
+	key_tag: count;			##< Key tag value.
+	signer_name: string;	##< Signature.
+	signature: string;		##< Hash of the RRDATA.
+	is_query: count;		##< The RR is a query/Response.
+};
+
+## A DNSSEC DNSKEY record.
+##
+## .. bro:see:: dns_DNSKEY
+type dns_dnskey_rr: record {
+	query: string;		##< Query.
+	answer_type: count;	##< Ans type.
+	flags: count;		##< flags filed.
+	protocol: count;	##< Protocol, should be always 3 for DNSSEC.
+	algorithm: count;	##< Algorithm for Public Key.
+	public_key: string;	##< Public Key
+	is_query: count;	##< The RR is a query/Response.
+};
+
+## A DNSSEC NSEC3 record.
+##
+## .. bro:see:: dns_NSEC3
+type dns_nsec3_rr: record {
+	query: string;			##< Query.
+	answer_type: count;		##< Ans type.
+	nsec_flags: count;		##< flags field.
+	nsec_hash_algo: count;	##< Hash algorithm.
+	nsec_iter: count;		##< Iterations.
+	nsec_salt_len: count; 	##< Salt length.
+	nsec_salt: string;		##< Salt value
+	nsec_hlen: count;		##< Hash length.
+	nsec_hash: string;		##< Hash value.
+	bitmaps: string_vec;	##< Type Bit Maps.
+	is_query: count;		##< The RR is a query/Response.
+};
+
+## A DNSSEC DS record.
+##
+## .. bro:see:: dns_DS
+type dns_ds_rr: record {
+	query: string;		##< Query.
+	answer_type: count;	##< Ans type.
+	key_tag: count;		##< flags filed.
+	algorithm: count;	##< Algorithm for Public Key.
+	digest_type: count;	##< Digest Type.
+	digest_val: string;	##< Digest Value.
+	is_query: count;	##< The RR is a query/Response.
+};
+
 # DNS answer types.
 #
 # .. bro:see:: dns_answerr
--- a/scripts/base/protocols/dns/consts.bro
+++ b/scripts/base/protocols/dns/consts.bro
@ -76,4 +76,37 @@ export {
 		[254] = "C_NONE",
 		[255] = "C_ANY",
 	} &default = function(n: count): string { return fmt("qclass-%d", n); };
+
+	## Possible values of the algorithms used in DNSKEY, DS and RRSIG records
+	const algorithms = {
+		[0] = "reserved0",
+		[1] = "RSA_MD5",
+		[2] = "Diffie_Hellman",
+		[3] = "DSA_SHA1",
+		[4] = "Elliptic_Curve",
+		[5] = "RSA_SHA1",
+		[6] = "DSA_NSEC3_SHA1",
+		[7] = "RSA_SHA1_NSEC3_SHA1",
+		[8] = "RSA_SHA256",
+		[10] = "RSA_SHA512",
+		[12] = "GOST_R_34_10_2001",
+		[13] = "ECDSA_curveP256withSHA256",
+		[14] = "ECDSA_curveP384withSHA384",
+		[15] = "Ed25519",
+		[16] = "Ed448",
+		[252] = "Indirect",
+		[253] = "PrivateDNS",
+		[254] = "PrivateOID",
+		[255] = "reserved255",
+	} &default = function(n: count): string { return fmt("algorithm-%d", n); };
+
+	## Possible digest types used in DNSSEC.
+	const digests = {
+		[0] = "reserved0",
+		[1] = "SHA1",
+		[2] = "SHA256",
+		[3] = "GOST_R_34_11_94",
+		[4] = "SHA384",
+	} &default = function(n: count): string { return fmt("digest-%d", n); };
+
 }
--- a/scripts/base/protocols/dns/main.bro
+++ b/scripts/base/protocols/dns/main.bro
@ -466,6 +466,38 @@ event dns_SRV_reply(c: connection, msg: dns_msg, ans: dns_answer, target: string
 #
 #	}

+event dns_RRSIG(c: connection, msg: dns_msg, ans: dns_answer, rrsig: dns_rrsig_rr)
+	{
+	local s: string;
+	s = fmt("RRSIG %s %s", rrsig$type_covered,
+	        rrsig$signer_name == "" ? "<Root>" : rrsig$signer_name);
+	hook DNS::do_reply(c, msg, ans, s);
+	}
+
+event dns_DNSKEY(c: connection, msg: dns_msg, ans: dns_answer, dnskey: dns_dnskey_rr)
+	{
+	local s: string;
+	s = fmt("DNSKEY %s", dnskey$algorithm);
+	hook DNS::do_reply(c, msg, ans, s);
+	}
+
+event dns_NSEC(c: connection, msg: dns_msg, ans: dns_answer, next_name: string, bitmaps: string_vec)
+	{
+	hook DNS::do_reply(c, msg, ans, fmt("NSEC %s %s", ans$query, next_name));
+	}
+
+event dns_NSEC3(c: connection, msg: dns_msg, ans: dns_answer, nsec3: dns_nsec3_rr)
+	{
+	hook DNS::do_reply(c, msg, ans, "NSEC3");
+	}
+
+event dns_DS(c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_rr)
+	{
+	local s: string;
+	s = fmt("DS %s %s", ds$algorithm, ds$digest_type);
+	hook DNS::do_reply(c, msg, ans, s);
+	}
+
 event dns_rejected(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count) &priority=5
 	{
 	if ( c?$dns )