Merge branch 'fatemabw/bro' of https://github.com/fatemabw/bro into dev/2.7

* 'fatemabw/bro' of https://github.com/fatemabw/bro: DNSSEC support in Bro I made several changes: - renamed event/record types - reformatted the info added to dns.log - removed the "addl" scripts that added extended dnssec info to dns.log - simplifications/improvements to the internal parsing logic
2025-10-15 21:18:20 +00:00 · 2018-09-21 16:40:41 -05:00 · 2018-09-21 16:40:41 -05:00 · 71ef5c8428
commit 71ef5c8428
parent c2c5754e28 ff5c11975d
37 changed files with 1109 additions and 27 deletions
--- a/scripts/base/protocols/dns/consts.bro
+++ b/scripts/base/protocols/dns/consts.bro
@ -76,4 +76,37 @@ export {
 		[254] = "C_NONE",
 		[255] = "C_ANY",
 	} &default = function(n: count): string { return fmt("qclass-%d", n); };
+
+	## Possible values of the algorithms used in DNSKEY, DS and RRSIG records
+	const algorithms = {
+		[0] = "reserved0",
+		[1] = "RSA_MD5",
+		[2] = "Diffie_Hellman",
+		[3] = "DSA_SHA1",
+		[4] = "Elliptic_Curve",
+		[5] = "RSA_SHA1",
+		[6] = "DSA_NSEC3_SHA1",
+		[7] = "RSA_SHA1_NSEC3_SHA1",
+		[8] = "RSA_SHA256",
+		[10] = "RSA_SHA512",
+		[12] = "GOST_R_34_10_2001",
+		[13] = "ECDSA_curveP256withSHA256",
+		[14] = "ECDSA_curveP384withSHA384",
+		[15] = "Ed25519",
+		[16] = "Ed448",
+		[252] = "Indirect",
+		[253] = "PrivateDNS",
+		[254] = "PrivateOID",
+		[255] = "reserved255",
+	} &default = function(n: count): string { return fmt("algorithm-%d", n); };
+
+	## Possible digest types used in DNSSEC.
+	const digests = {
+		[0] = "reserved0",
+		[1] = "SHA1",
+		[2] = "SHA256",
+		[3] = "GOST_R_34_11_94",
+		[4] = "SHA384",
+	} &default = function(n: count): string { return fmt("digest-%d", n); };
+
 }
--- a/scripts/base/protocols/dns/main.bro
+++ b/scripts/base/protocols/dns/main.bro
@ -466,6 +466,38 @@ event dns_SRV_reply(c: connection, msg: dns_msg, ans: dns_answer, target: string
 #
 #	}

+event dns_RRSIG(c: connection, msg: dns_msg, ans: dns_answer, rrsig: dns_rrsig_rr)
+	{
+	local s: string;
+	s = fmt("RRSIG %s %s", rrsig$type_covered,
+	        rrsig$signer_name == "" ? "<Root>" : rrsig$signer_name);
+	hook DNS::do_reply(c, msg, ans, s);
+	}
+
+event dns_DNSKEY(c: connection, msg: dns_msg, ans: dns_answer, dnskey: dns_dnskey_rr)
+	{
+	local s: string;
+	s = fmt("DNSKEY %s", dnskey$algorithm);
+	hook DNS::do_reply(c, msg, ans, s);
+	}
+
+event dns_NSEC(c: connection, msg: dns_msg, ans: dns_answer, next_name: string, bitmaps: string_vec)
+	{
+	hook DNS::do_reply(c, msg, ans, fmt("NSEC %s %s", ans$query, next_name));
+	}
+
+event dns_NSEC3(c: connection, msg: dns_msg, ans: dns_answer, nsec3: dns_nsec3_rr)
+	{
+	hook DNS::do_reply(c, msg, ans, "NSEC3");
+	}
+
+event dns_DS(c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_rr)
+	{
+	local s: string;
+	s = fmt("DS %s %s", ds$algorithm, ds$digest_type);
+	hook DNS::do_reply(c, msg, ans, s);
+	}
+
 event dns_rejected(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count) &priority=5
 	{
 	if ( c?$dns )