Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-13 12:08:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

add EDNS cookie parsing

Browse source
This commit is contained in:
FlyingWithJerome 2020-08-15 19:46:03 -04:00
parent c5b4311a82
commit 74efbd0abc
8 changed files with 95 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

53
src/analyzer/protocol/dns/DNS.cc
View file

@ -810,14 +810,50 @@ bool DNS_Interpreter::ParseRR_EDNS(DNS_MsgInfo* msg,
msg->BuildHdrVal(),
msg->BuildEDNS_TCP_KA_Val(&edns_tcp_keepalive)
);
break;
}
else
{
break; // error. MUST BE 0 or 2 bytes
// error. MUST BE 0 or 2 bytes
}
data += option_len;
break;
} // END EDNS TCP KEEPALIVE
case TYPE_COOKIE:
{
EDNS_COOKIE cookie{};
if (option_len != 8 && !(option_len >= 16 && option_len <= 40)) {
/*
* option length for DNS Cookie must be 8 bytes (with client cookie only)
* OR
* between 16 bytes to 40 bytes (with an 8 bytes client and an 8 to 32 bytes
* server cookie)
*/
break;
}
int remaining_cookie_len = option_len;
int client_cookie_len = 8;
cookie.client_cookie = ExtractStream(data, client_cookie_len, client_cookie_len);
cookie.server_cookie = nullptr;
remaining_cookie_len -= 8;
if (remaining_cookie_len >= 8) {
cookie.server_cookie = ExtractStream(data, remaining_cookie_len, remaining_cookie_len);
}
analyzer->EnqueueConnEvent(dns_EDNS_cookie,
analyzer->ConnVal(),
msg->BuildHdrVal(),
msg->BuildEDNS_COOKIE_Val(&cookie)
);
data += option_len;
break;
} // END EDNS COOKIE
default:
{
data += option_len;
@ -1649,6 +1685,19 @@ zeek::RecordValPtr DNS_MsgInfo::BuildEDNS_TCP_KA_Val(struct EDNS_TCP_KEEPALIVE*
return r;
}
zeek::RecordValPtr DNS_MsgInfo::BuildEDNS_COOKIE_Val(struct EDNS_COOKIE* opt)
{
static auto dns_edns_cookie = zeek::id::find_type<zeek::RecordType>("dns_edns_cookie");
auto r = zeek::make_intrusive<zeek::RecordVal>(dns_edns_cookie);
r->Assign(0, zeek::make_intrusive<zeek::StringVal>(opt->client_cookie));
if (opt->server_cookie != nullptr) {
r->Assign(1, zeek::make_intrusive<zeek::StringVal>(opt->server_cookie));
}
return r;
}
zeek::RecordValPtr DNS_MsgInfo::BuildTSIG_Val(struct TSIG_DATA* tsig)
{
static auto dns_tsig_additional = zeek::id::find_type<zeek::RecordType>("dns_tsig_additional");