Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Add skip_resp_host_port_pairs option.

Browse source
This commit is contained in:
jbaggs 2025-01-22 21:00:12 -08:00 committed by Johanna Amann
parent 280e7acc6e
commit 83926f60ce
1 changed files with 6 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

6
scripts/policy/protocols/dns/detect-external-names.zeek
View file

@ -15,6 +15,9 @@ export {
## **must** be set appropriately for this detection. ## **must** be set appropriately for this detection.
External_Name, External_Name,
}; };
## Default is to ignore mDNS broadcasts.
option skip_resp_host_port_pairs: set[addr, port] = { [[224.0.0.251, [ff02::fb]], 5353/udp] };
} }
event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr) &priority=-3 event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr) &priority=-3
@ -22,6 +25,9 @@ event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr) &priori
if ( |Site::local_zones| == 0 ) if ( |Site::local_zones| == 0 )
return; return;
if ( [c$id$resp_h, c$id$resp_p] in skip_resp_host_port_pairs )
return;
# Check for responses from remote hosts that point at local hosts # Check for responses from remote hosts that point at local hosts
# but the name is not considered to be within a "local" zone. # but the name is not considered to be within a "local" zone.
if ( Site::is_local_addr(a) && # referring to a local host if ( Site::is_local_addr(a) && # referring to a local host