From 7a1a2c8d6342bab6957d6d923b48f32d7408bbf5 Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Tue, 4 Feb 2025 12:28:41 +0000
Subject: [PATCH] IPv6 support for detect-external-names and testcase

This commit builds on top of GH-4183 and adds IPv6 support for policy/protocols/dns/detect-external-names. Additionally it adds a test-case for this file testing it with mDNS queries.
---
 .../protocols/dns/detect-external-names.zeek | 12 +++++++-
 .../notice.log | 13 +++++++++
 .../notice.log | 1 +
 testing/btest/Traces/dns/mdns.pcap | Bin 0 -> 5262 bytes
 .../detect-external-names-mdns-broadcast.zeek | 27 ++++++++++++++++++
 5 files changed, 52 insertions(+), 1 deletion(-)
 create mode 100644 testing/btest/Baseline/scripts.policy.protocols.dns.detect-external-names-mdns-broadcast-2/notice.log
 create mode 100644 testing/btest/Baseline/scripts.policy.protocols.dns.detect-external-names-mdns-broadcast/notice.log
 create mode 100644 testing/btest/Traces/dns/mdns.pcap
 create mode 100644 testing/btest/scripts/policy/protocols/dns/detect-external-names-mdns-broadcast.zeek

diff --git a/scripts/policy/protocols/dns/detect-external-names.zeek b/scripts/policy/protocols/dns/detect-external-names.zeek
index 7913dce4df..78ec8829ab 100644
--- a/scripts/policy/protocols/dns/detect-external-names.zeek
+++ b/scripts/policy/protocols/dns/detect-external-names.zeek
@@ -20,7 +20,7 @@ export {
 option skip_resp_host_port_pairs: set[addr, port] = { [[224.0.0.251, [ff02::fb]], 5353/udp] };
 }
 
-event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr) &priority=-3
+function detect_external_names(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
 {
 if ( |Site::local_zones| == 0 )
 return;
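Review bot: `detect_external_names` becomes the shared implementation behind the A and AAAA handlers but carries no doc comment, and its body runs past the end of this hunk, so nothing in the diff tells a reader what `c`, `msg` and `a` are checked against. Suggest adding above the signature: `## Shared check used by the A and AAAA reply handlers; a is the answered address (IPv4 or IPv6), presumably tested against Site::local_nets and skip_resp_host_port_pairs — confirm against the body below.` The wording should be taken from the actual condition in the function body, which is outside this hunk. Note also that `&priority=-3` disappears with the rename; a function cannot carry it, so handler ordering now depends entirely on the new event handlers declared later in the patch.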
@@ -39,3 +39,13 @@ event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr) &priori
 $identifier=cat(a,ans$query)]);
 }
 }
+
+event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
+ {
+ detect_external_names(c, msg, ans, a);
+ }
+
+event dns_AAAA_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
+ {
+ detect_external_names(c, msg, ans, a);
+ }
diff --git a/testing/btest/Baseline/scripts.policy.protocols.dns.detect-external-names-mdns-broadcast-2/notice.log b/testing/btest/Baseline/scripts.policy.protocols.dns.detect-external-names-mdns-broadcast-2/notice.log
new file mode 100644
index 0000000000..89adca5668
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.protocols.dns.detect-external-names-mdns-broadcast-2/notice.log
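Review bot: The two new event handlers run at the default priority, whereas the `dns_A_reply` handler they replace was declared `&priority=-3` in the previous hunk, and the commit message does not say that this ordering change is intended. If running after other `dns_A_reply`/`dns_AAAA_reply` handlers still matters, declare both as `event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr) &priority=-3` and `event dns_AAAA_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr) &priority=-3`. A short comment above the pair, such as `## Run the external-name check on both IPv4 (A) and IPv6 (AAAA) answers.`, would also record why the AAAA handler was added.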
@@ -0,0 +1,13 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path notice
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
+#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 fd52:429e:c03c:8235:883c:d6ff:fee1:4dc4 5353 ff02::fb 5353 - - - udp DNS::External_Name johanna-qemu-virtual-machine.local is pointing to a local host - fd52:429e:c03c:8235:883c:d6ff:fee1:4dc4. - fd52:429e:c03c:8235:883c:d6ff:fee1:4dc4 ff02::fb 5353 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 fd52:429e:c03c:8235:883c:d6ff:fee1:4dc4 5353 ff02::fb 5353 - - - udp DNS::External_Name johanna-qemu-virtual-machine.local is pointing to a local host - fd52:429e:c03c:8235:5968:5bc6:1563:f82f. - fd52:429e:c03c:8235:883c:d6ff:fee1:4dc4 ff02::fb 5353 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
+XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 10.0.2.7 5353 224.0.0.251 5353 - - - udp DNS::External_Name johanna-qemu-virtual-machine.local is pointing to a local host - 10.0.2.7. - 10.0.2.7 224.0.0.251 5353 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.policy.protocols.dns.detect-external-names-mdns-broadcast/notice.log b/testing/btest/Baseline/scripts.policy.protocols.dns.detect-external-names-mdns-broadcast/notice.log
new file mode 100644
index 0000000000..49d861c74c
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.protocols.dns.detect-external-names-mdns-broadcast/notice.log @@ -0,0 +1 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. diff --git a/testing/btest/Traces/dns/mdns.pcap b/testing/btest/Traces/dns/mdns.pcap new file mode 100644 index 0000000000000000000000000000000000000000..02eb4e84f890184278a38bf904e8f29bc403e340 GIT binary patch literal 5262 zcmeI0?@Lor7{{M;y;Dia1oK5$pjjC-+MIW(`9ds(UJNYAXhQC`-zsyN!CsX~h4i8f zg0M2O7eOFFLFCIDihn^^DT2QAMMX+wiLU3lyPLQDa%;m?Y?pI(?!D)pXZLfS?{m(x zw-YZ%IpAUA!vn*UPv1tJBbOO;VVjD<lK{0f6J z_!Jce=R&6Qp&8(Wd8`rq#fGojfXkc5djT^!yRb7rqGrCJ8QmZcRrtD8qP*c!f^WF= zU;*G78J9tpb@sSKk4My=Y&ME81+m(yef$@9ywmL@-ojq@@9|>kc4%c3lq_C>N?_~#)BuPf+0uH@;HV64 z!=x6w$)ktMnk>EgoIXnvvL(_^G)p7P$&>jZlc5pk6*5=Hax)Rk2-P^6jvdVGbFx|{ z)oKCZ4}#f2Qy$c#AgM$KGsY(t%ozWn1+f8;TOq(Sh9f_)gk+EXHVsLK0DDPhC_`5T z@NI2L>R~m&C62E|55+r;$zxAb?2ZELvw0($}{P5=M^ literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/policy/protocols/dns/detect-external-names-mdns-broadcast.zeek b/testing/btest/scripts/policy/protocols/dns/detect-external-names-mdns-broadcast.zeek new file mode 100644 index 0000000000..4b1f35cd56 --- /dev/null +++ b/testing/btest/scripts/policy/protocols/dns/detect-external-names-mdns-broadcast.zeek 
@@ -0,0 +1,27 @@
+# Test verifies that mDNS broadcasts are not logged by default.
+# @TEST-EXEC: zeek -b -C -r $TRACES/dns/mdns.pcap %INPUT
+# @TEST-EXEC: touch notice.log
+# @TEST-EXEC: btest-diff notice.log
+
+##! First test - no log
+
+@load base/protocols/dns
+@load policy/protocols/dns/detect-external-names
+
+redef Site::local_zones += {"example.inalid"};
+
+@TEST-START-NEXT
+
+##! second test - should output log due to changed config
+
+@load base/protocols/dns
+@load policy/protocols/dns/detect-external-names
+@load base/frameworks/config
+
+redef Site::local_zones += {"example.inalid"};
+
+event zeek_init()
+ {
+ print Site::local_nets;
+ Config::set_value("DNS::skip_resp_host_port_pairs", set());
+ }
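Review bot: The fixture zone `example.inalid` reads like a typo for `example.invalid`; the test only needs a zone that does not match `.local`, so it passes either way, but `.invalid` is the reserved TLD guaranteed never to resolve, so `redef Site::local_zones += {"example.invalid"};` in both halves is the safer fixture. The `print Site::local_nets;` inside `zeek_init` looks like a leftover debug statement: stdout is not diffed by this test, so it should be removed or, if the value matters for the assertion, baselined. The header comment only describes the first half; suggest `# Test verifies that mDNS broadcasts are not logged by default, and that clearing DNS::skip_resp_host_port_pairs through the config framework makes them produce DNS::External_Name notices.` The `##!` Zeekygen markers are unnecessary in a test script; plain `#` comments suffice.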