From 83926f60ce09db0c8b8c8f4a510d0a05970da184 Mon Sep 17 00:00:00 2001
From: jbaggs
Date: Wed, 22 Jan 2025 21:00:12 -0800
Subject: [PATCH] Add `skip_resp_host_port_pairs` option.
---
 scripts/policy/protocols/dns/detect-external-names.zeek | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/scripts/policy/protocols/dns/detect-external-names.zeek b/scripts/policy/protocols/dns/detect-external-names.zeek
index 8798df6361..7913dce4df 100644
--- a/scripts/policy/protocols/dns/detect-external-names.zeek
+++ b/scripts/policy/protocols/dns/detect-external-names.zeek
@@ -15,6 +15,9 @@ export {
 ## **must** be set appropriately for this detection.
 External_Name,
 };
+
+ ## Default is to ignore mDNS broadcasts.
+ option skip_resp_host_port_pairs: set[addr, port] = { [[224.0.0.251, [ff02::fb]], 5353/udp] };
 }
 
 event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr) &priority=-3
@@ -22,6 +25,9 @@ event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr) &priori
 if ( |Site::local_zones| == 0 )
 return;
 
+ if ( [c$id$resp_h, c$id$resp_p] in skip_resp_host_port_pairs )
+ return;
+
 # Check for responses from remote hosts that point at local hosts
 # but the name is not considered to be within a "local" zone.
 if ( Site::is_local_addr(a) && # referring to a local host
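Review bot: The Zeekygen comment on the new `skip_resp_host_port_pairs` option in the first hunk states only its default ("Default is to ignore mDNS broadcasts.") and not what the option does, so the generated documentation will not tell an operator what traffic they are exempting or how to extend the set; suggest `## Responder address/port pairs whose DNS answers are exempt from external-name detection. Defaults to the mDNS multicast groups (224.0.0.251 and ff02::fb) on 5353/udp.` The check added in the second hunk is keyed on `c$id$resp_h`/`c$id$resp_p`, so it appears to exempt only responses whose connection responder is one of the listed multicast addresses; an mDNS answer delivered by unicast to the querier would presumably not match the default entries, which is worth stating in the option's doc comment if that is intended. The body of `dns_A_reply` continues past the end of the hunk.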