From 1d2b531062ac2d446ffdd092de13846174a21c03 Mon Sep 17 00:00:00 2001 From: FlyingWithJerome Date: Sat, 15 Aug 2020 08:35:59 -0400 Subject: [PATCH 01/14] initial adding EDNS TCP keepalive --- .gitignore | 5 ++- scripts/base/init-bare.zeek | 8 +++++ src/NetVar.cc | 1 + src/NetVar.h | 2 ++ src/analyzer/protocol/dns/DNS.cc | 53 ++++++++++++++++++++++++++-- src/analyzer/protocol/dns/DNS.h | 6 ++++ src/analyzer/protocol/dns/events.bif | 23 ++++++++++++ src/legacy-netvar-init.cc | 1 + 8 files changed, 96 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 8dacf57dc7..d962c792a4 100644 --- a/.gitignore +++ b/.gitignore @@ -4,4 +4,7 @@ tmp # Configuration and build directories for CLion .idea -cmake-build-debug \ No newline at end of file +cmake-build-debug + +# skip DS Store for MacOS +.DS_Store diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek index d99dbcc346..8a9ab7146f 100644 --- a/scripts/base/init-bare.zeek +++ b/scripts/base/init-bare.zeek @@ -3700,6 +3700,14 @@ type dns_edns_ecs: record { address: string; ##< Client Subnet Address. }; +## An DNS EDNS TCP Keepalive (TCP_KA) record. +## +## .. zeek:see:: dns_EDNS_tcp_keepalive +type dns_edns_tcp_keepalive: record { + keepalive_timeout_omitted: bool; ##< Whether timeout value is omitted + keepalive_timeout: count; ##< Timeout value +}; + ## An additional DNS TSIG record. ## ## .. zeek:see:: dns_TSIG_addl diff --git a/src/NetVar.cc b/src/NetVar.cc index 7628f1d9eb..6b7099d570 100644 --- a/src/NetVar.cc +++ b/src/NetVar.cc @@ -108,6 +108,7 @@ zeek::RecordType* dns_answer; zeek::RecordType* dns_soa; zeek::RecordType* dns_edns_additional; zeek::RecordType* dns_edns_ecs; +zeek::RecordType* dns_edns_tcp_keepalive; zeek::RecordType* dns_tsig_additional; zeek::RecordType* dns_rrsig_rr; zeek::RecordType* dns_dnskey_rr; diff --git a/src/NetVar.h b/src/NetVar.h index 9c1017d96e..6d3e22c2ff 100644 --- a/src/NetVar.h +++ b/src/NetVar.h 
@@ -151,6 +151,8 @@ extern zeek::RecordType* dns_edns_additional; [[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::RecordType* dns_edns_ecs; [[deprecated("Remove in v4.1. Perform your own lookup.")]] +extern zeek::RecordType* dns_edns_tcp_keepalive; +[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::RecordType* dns_tsig_additional; [[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::RecordType* dns_rrsig_rr; diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc index fb4c33954a..4610e0fcbb 100644 --- a/src/analyzer/protocol/dns/DNS.cc +++ b/src/analyzer/protocol/dns/DNS.cc @@ -253,6 +253,7 @@ bool DNS_Interpreter::ParseAnswer(DNS_MsgInfo* msg, bool status; switch ( msg->atype ) { case TYPE_A: + // analyzer->Weird("parsing_A_record"); status = ParseRR_A(msg, data, len, rdlength); break; @@ -700,7 +701,6 @@ bool DNS_Interpreter::ParseRR_EDNS(DNS_MsgInfo* msg, const u_char*& data, int& len, int rdlength, const u_char* msg_start) { - if ( dns_EDNS_addl && ! msg->skip_event ) analyzer->EnqueueConnEvent(dns_EDNS_addl, analyzer->ConnVal(), 
@@ -783,7 +783,45 @@ bool DNS_Interpreter::ParseRR_EDNS(DNS_MsgInfo* msg, msg->BuildEDNS_ECS_Val(&opt) ); break; - } + } // END EDNS ECS + + case TYPE_TCP_KA: + { + EDNS_TCP_KEEPALIVE edns_tcp_keepalive{ + .keepalive_timeout_omitted = true, + .keepalive_timeout = 0 + + }; + if ( option_len == 0 || option_len == 2) + { + // 0 bytes is permitted by RFC 7828, showing that the timeout value is missing. + if (option_len == 2) { + edns_tcp_keepalive.keepalive_timeout = ExtractShort(data, option_len); + edns_tcp_keepalive.keepalive_timeout_omitted = false; + } + + if (analyzer->Conn()->ConnTransport() == TRANSPORT_UDP) { + /* + * Based on RFC 7828, clients and servers MUST NOT negotiate + * TCP Keepalive timeout in DNS-over-UDP. + * Record in Weird and proceed to the next EDNS option + */ + analyzer->Weird("EDNS_TCP_Keepalive_Record_In_UDP"); + break; + } + analyzer->EnqueueConnEvent(dns_EDNS_tcp_keepalive, + analyzer->ConnVal(), + msg->BuildHdrVal(), + msg->BuildEDNS_TCP_KA_Val(&edns_tcp_keepalive) + ); + break; + } + else + { + break; // error. MUST BE 0 or 2 bytes + } + } // END EDNS TCP KEEPALIVE + default: { data += option_len; @@ -1604,6 +1642,17 @@ zeek::RecordValPtr DNS_MsgInfo::BuildEDNS_ECS_Val(struct EDNS_ECS* opt) return r; } +zeek::RecordValPtr DNS_MsgInfo::BuildEDNS_TCP_KA_Val(struct EDNS_TCP_KEEPALIVE* opt) + { + static auto dns_edns_tcp_keepalive = zeek::id::find_type("dns_edns_tcp_keepalive"); + auto r = zeek::make_intrusive(dns_edns_tcp_keepalive); + + r->Assign(0, zeek::val_mgr->Bool(opt->keepalive_timeout_omitted)); + r->Assign(1, zeek::val_mgr->Count(opt->keepalive_timeout)); + + return r; + } + zeek::RecordValPtr DNS_MsgInfo::BuildTSIG_Val(struct TSIG_DATA* tsig) { static auto dns_tsig_additional = zeek::id::find_type("dns_tsig_additional"); diff --git a/src/analyzer/protocol/dns/DNS.h b/src/analyzer/protocol/dns/DNS.h index e74e1191b2..3752d5e36d 100644 --- a/src/analyzer/protocol/dns/DNS.h +++ b/src/analyzer/protocol/dns/DNS.h 
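Review bot: The dns_EDNS_tcp_keepalive event is enqueued unconditionally in the TYPE_TCP_KA arm, whereas the dns_EDNS_addl path in the preceding hunk is guarded with `if ( dns_EDNS_addl && ! msg->skip_event )`; without a matching guard the record value is built and the event raised even when no handler is installed or the message is marked to be skipped, so `if ( dns_EDNS_tcp_keepalive && ! msg->skip_event )` belongs in front of the EnqueueConnEvent call. The `EDNS_TCP_KEEPALIVE edns_tcp_keepalive{ .keepalive_timeout_omitted = true, ... }` designated initializer is a C++20 feature; if the tree is built as C++17 this relies on a compiler extension, and default member initializers on the struct would avoid it. The `else` branch for lengths other than 0 or 2 breaks out without advancing `data`, so every option after a malformed keepalive is parsed from the wrong offset (patch 12 of this series adds the skip). ParseRR_EDNS and its option loop begin and end outside the hunk.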
@@ -156,6 +156,11 @@ struct EDNS_ECS { zeek::IntrusivePtr ecs_addr; ///< EDNS client subnet address }; +struct EDNS_TCP_KEEPALIVE { + bool keepalive_timeout_omitted; // whether the keepalive timeout is omitted + uint16_t keepalive_timeout; // the timeout value sent by the client/server +}; + struct TSIG_DATA { zeek::String* alg_name; unsigned long time_s; @@ -211,6 +216,7 @@ public: zeek::RecordValPtr BuildAnswerVal(); zeek::RecordValPtr BuildEDNS_Val(); zeek::RecordValPtr BuildEDNS_ECS_Val(struct EDNS_ECS*); + zeek::RecordValPtr BuildEDNS_TCP_KA_Val(struct EDNS_TCP_KEEPALIVE*); zeek::RecordValPtr BuildTSIG_Val(struct TSIG_DATA*); zeek::RecordValPtr BuildRRSIG_Val(struct RRSIG_DATA*); zeek::RecordValPtr BuildDNSKEY_Val(struct DNSKEY_DATA*); diff --git a/src/analyzer/protocol/dns/events.bif b/src/analyzer/protocol/dns/events.bif index 31e9a11625..0468eb919b 100644 --- a/src/analyzer/protocol/dns/events.bif +++ b/src/analyzer/protocol/dns/events.bif 
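Review bot: `EDNS_TCP_KEEPALIVE` leaves both members without default member initializers, so any `EDNS_TCP_KEEPALIVE x;` declared without a brace-init starts indeterminate; `bool keepalive_timeout_omitted = true;` and `uint16_t keepalive_timeout = 0;` would encode the RFC 7828 "timeout omitted" state as the default and let the use site in DNS.cc become a plain `EDNS_TCP_KEEPALIVE edns_tcp_keepalive{};` with no C++20 designated initializers. The comment on keepalive_timeout should also state the scale, since the wire value is in units of 100 ms rather than milliseconds (patch 02 of this series adds "in 100ms", which still reads ambiguously).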
@@ -528,6 +528,29 @@ event dns_EDNS_addl%(c: connection, msg: dns_msg, ans: dns_edns_additional%); ## dns_skip_all_addl dns_skip_all_auth dns_skip_auth event dns_EDNS_ecs%(c: connection, msg: dns_msg, opt: dns_edns_ecs%); +## Generated for DNS replies of type *EDNS*. For replies with multiple options, +## an individual event is raised for each. +## +## See `Wikipedia `__ for more +## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS +## sessions. +## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## opt: The parsed EDNS option. +## +## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_HINFO_reply dns_MX_reply +## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl +## dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_mapping_altered +## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified +## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request +## dns_max_queries dns_session_timeout dns_skip_addl +## dns_skip_all_addl dns_skip_all_auth dns_skip_auth +event dns_EDNS_tcp_keepalive%(c: connection, msg: dns_msg, opt: dns_edns_tcp_keepalive%); + ## Generated for DNS replies of type *TSIG*. For replies with multiple answers, ## an individual event of the corresponding type is raised for each. ## diff --git a/src/legacy-netvar-init.cc b/src/legacy-netvar-init.cc index de4dc83972..eaa6b231ad 100644 --- a/src/legacy-netvar-init.cc +++ b/src/legacy-netvar-init.cc 
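Review bot: The docstring for dns_EDNS_tcp_keepalive says the event is "Generated for DNS replies", but the TYPE_TCP_KA arm in DNS.cc raises it for any message whose OPT RR carries the option without looking at the message direction, and under RFC 7828 clients send the option in queries; presumably the event fires for requests too, so the text should say "DNS requests and replies" or the analyzer should restrict it. `opt: The parsed EDNS option.` is copied from the ECS event; `opt: The parsed EDNS TCP keepalive option.` tells the script author what they are getting (patch 08 of this series makes a similar edit). The same copy-pasted wording is repeated in the dns_EDNS_cookie docstring added in patch 07.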
@@ -43,6 +43,7 @@ void zeek_legacy_netvar_init() ::dns_soa = zeek::id::find_type("dns_soa")->AsRecordType(); ::dns_edns_additional = zeek::id::find_type("dns_edns_additional")->AsRecordType(); ::dns_edns_ecs = zeek::id::find_type("dns_edns_ecs")->AsRecordType(); + ::dns_edns_tcp_keepalive = zeek::id::find_type("dns_edns_tcp_keepalive")->AsRecordType(); ::dns_tsig_additional = zeek::id::find_type("dns_tsig_additional")->AsRecordType(); ::dns_rrsig_rr = zeek::id::find_type("dns_rrsig_rr")->AsRecordType(); ::dns_dnskey_rr = zeek::id::find_type("dns_dnskey_rr")->AsRecordType(); From 7dcf974daf29a1d64c95d9815f504c5ce0d73b07 Mon Sep 17 00:00:00 2001 From: FlyingWithJerome Date: Sat, 15 Aug 2020 08:54:12 -0400 Subject: [PATCH 02/14] add units (100ms) to comments --- scripts/base/init-bare.zeek | 2 +- src/analyzer/protocol/dns/DNS.cc | 1 - src/analyzer/protocol/dns/DNS.h | 2 +- 3 files changed, 2 insertions(+), 3 deletions(-) diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek index 8a9ab7146f..36aa4f6f4f 100644 --- a/scripts/base/init-bare.zeek +++ b/scripts/base/init-bare.zeek @@ -3705,7 +3705,7 @@ type dns_edns_ecs: record { ## .. zeek:see:: dns_EDNS_tcp_keepalive type dns_edns_tcp_keepalive: record { keepalive_timeout_omitted: bool; ##< Whether timeout value is omitted - keepalive_timeout: count; ##< Timeout value + keepalive_timeout: count; ##< Timeout value, in 100ms }; ## An additional DNS TSIG record. diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc index 4610e0fcbb..58b0444b32 100644 --- a/src/analyzer/protocol/dns/DNS.cc +++ b/src/analyzer/protocol/dns/DNS.cc @@ -253,7 +253,6 @@ bool DNS_Interpreter::ParseAnswer(DNS_MsgInfo* msg, bool status; switch ( msg->atype ) { case TYPE_A: - // analyzer->Weird("parsing_A_record"); status = ParseRR_A(msg, data, len, rdlength); break; diff --git a/src/analyzer/protocol/dns/DNS.h b/src/analyzer/protocol/dns/DNS.h index 3752d5e36d..b0d6521a89 100644 
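Review bot: In the init-bare.zeek hunk of patch 02, `##< Timeout value, in 100ms` can be read as a fixed 100 ms value rather than a scale; `##< Timeout value in units of 100 ms (RFC 7828).` states what a script must multiply by. The same wording is used for the DNS.h struct comment in this patch.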
--- a/src/analyzer/protocol/dns/DNS.h +++ b/src/analyzer/protocol/dns/DNS.h @@ -158,7 +158,7 @@ struct EDNS_ECS { struct EDNS_TCP_KEEPALIVE { bool keepalive_timeout_omitted; // whether the keepalive timeout is omitted - uint16_t keepalive_timeout; // the timeout value sent by the client/server + uint16_t keepalive_timeout; // the timeout value (in 100ms) sent by the client/server }; struct TSIG_DATA { From 84d609b333ea1571bcd04b4af361c503920e930b Mon Sep 17 00:00:00 2001 From: FlyingWithJerome Date: Sat, 15 Aug 2020 10:49:43 -0400 Subject: [PATCH 03/14] add testcases --- src/analyzer/protocol/dns/DNS.cc | 63 +++++++++--------- .../output | 4 ++ .../btest/Traces/dns-edns-tcp-keepalive.pcap | Bin 0 -> 1998 bytes .../protocols/dns/dns-edns-tcp-keepalive.zeek | 8 +++ 4 files changed, 42 insertions(+), 33 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.dns.dns-edns-tcp-keepalive/output create mode 100644 testing/btest/Traces/dns-edns-tcp-keepalive.pcap create mode 100644 testing/btest/scripts/base/protocols/dns/dns-edns-tcp-keepalive.zeek diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc index 58b0444b32..99c87c44e4 100644 --- a/src/analyzer/protocol/dns/DNS.cc +++ b/src/analyzer/protocol/dns/DNS.cc @@ -713,7 +713,7 @@ bool DNS_Interpreter::ParseRR_EDNS(DNS_MsgInfo* msg, uint16_t option_code = ExtractShort(data, len); int option_len = ExtractShort(data, len); // check for invalid option length - if ( (option_len > len) || (0 == option_len) ) { + if ( (option_len > len) ) { break; } len -= option_len; 
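Review bot: Dropping `(0 == option_len)` from the invalid-length check lets zero-length options reach every `case` arm, not only TYPE_TCP_KA where RFC 7828 permits an empty option; the TYPE_ECS arm (outside this hunk) never saw option_len == 0 before this change, so it is worth confirming it tolerates an empty option rather than reading past it. A narrower change keeps the existing guard and exempts only the keepalive code, e.g. `if ( option_len > len || (option_len == 0 && option_code != TYPE_TCP_KA) ) break;`. The enclosing option loop and ParseRR_EDNS continue outside the hunk.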
@@ -786,39 +786,36 @@ bool DNS_Interpreter::ParseRR_EDNS(DNS_MsgInfo* msg, case TYPE_TCP_KA: { - EDNS_TCP_KEEPALIVE edns_tcp_keepalive{ - .keepalive_timeout_omitted = true, - .keepalive_timeout = 0 - - }; - if ( option_len == 0 || option_len == 2) - { - // 0 bytes is permitted by RFC 7828, showing that the timeout value is missing. - if (option_len == 2) { - edns_tcp_keepalive.keepalive_timeout = ExtractShort(data, option_len); - edns_tcp_keepalive.keepalive_timeout_omitted = false; - } + EDNS_TCP_KEEPALIVE edns_tcp_keepalive{ + .keepalive_timeout_omitted = true, + .keepalive_timeout = 0 + }; + if ( option_len == 0 || option_len == 2) + { + // 0 bytes is permitted by RFC 7828, showing that the timeout value is missing. + if (option_len == 2) { + edns_tcp_keepalive.keepalive_timeout = ExtractShort(data, option_len); + edns_tcp_keepalive.keepalive_timeout_omitted = false; + } - if (analyzer->Conn()->ConnTransport() == TRANSPORT_UDP) { - /* - * Based on RFC 7828, clients and servers MUST NOT negotiate - * TCP Keepalive timeout in DNS-over-UDP. - * Record in Weird and proceed to the next EDNS option - */ - analyzer->Weird("EDNS_TCP_Keepalive_Record_In_UDP"); - break; - } - analyzer->EnqueueConnEvent(dns_EDNS_tcp_keepalive, - analyzer->ConnVal(), - msg->BuildHdrVal(), - msg->BuildEDNS_TCP_KA_Val(&edns_tcp_keepalive) - ); - break; - } - else - { - break; // error. MUST BE 0 or 2 bytes - } + if (analyzer->Conn()->ConnTransport() == TRANSPORT_UDP) { + /* + * Based on RFC 7828 (3.2.1/3.2.2), clients and servers MUST NOT + * negotiate TCP Keepalive timeout in DNS-over-UDP. + */ + analyzer->Weird("EDNS_TCP_Keepalive_Record_In_UDP"); + } + analyzer->EnqueueConnEvent(dns_EDNS_tcp_keepalive, + analyzer->ConnVal(), + msg->BuildHdrVal(), + msg->BuildEDNS_TCP_KA_Val(&edns_tcp_keepalive) + ); + break; + } + else + { + break; // error. MUST BE 0 or 2 bytes + } } // END EDNS TCP KEEPALIVE default: 
diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.dns-edns-tcp-keepalive/output b/testing/btest/Baseline/scripts.base.protocols.dns.dns-edns-tcp-keepalive/output new file mode 100644 index 0000000000..1372490c4c --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.dns.dns-edns-tcp-keepalive/output @@ -0,0 +1,4 @@ +[keepalive_timeout_omitted=F, keepalive_timeout=10] +[keepalive_timeout_omitted=F, keepalive_timeout=370] +[keepalive_timeout_omitted=T, keepalive_timeout=0] +[keepalive_timeout_omitted=F, keepalive_timeout=370] \ No newline at end of file diff --git a/testing/btest/Traces/dns-edns-tcp-keepalive.pcap b/testing/btest/Traces/dns-edns-tcp-keepalive.pcap new file mode 100644 index 0000000000000000000000000000000000000000..07b5ab158146985abc74dddcb0dd1c7bffd953b3 GIT binary patch literal 1998 zcmbu8QAks96vofJ-sZjAvUy7}>A?pl7#JkeAT7i;p&;8pDFw+~S|cf0q?DC|D8Ytd zMXd6{uu}8IWKr15$QKD$5kd)WXc0aHAwsQ(#Ll^QyLawRa5eUaZFl_s-}jyK%}kCz zVu1to#Q}p~2AB36Uo101HGZb!-o`bdROQ&rUJtte6TehAU!wPOEUz!pS#J>?ZxTqiAIX(SrK8bpiRzw7&@Cdp+hgLh zX5Rxu^)3^chzEv^;6WN44bdGX-b+f%;j`YE*Ak)J)6V2cG2;WF!*#~h)_l@+BJG^} z6#hUD3Qc$uzC_RiKef$Qf4j$72?k(6PkN^Qs17yRS%T@5-QmRSx-mPu#{{(tWwIW0 z_XKlWCZcQA2tK@!j)vG1t3(i|29bl*ukKJitVgAFGeA>zY&HOmx<*zAcfTH?16m6&8YVJXX>30ZdHboA8h iH#cKhIt`emjWiy7rV=--QID=KORirj8taR6PQzbN4lHs2 literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/dns/dns-edns-tcp-keepalive.zeek b/testing/btest/scripts/base/protocols/dns/dns-edns-tcp-keepalive.zeek new file mode 100644 index 0000000000..2291bc68fe --- /dev/null +++ b/testing/btest/scripts/base/protocols/dns/dns-edns-tcp-keepalive.zeek @@ -0,0 +1,8 @@ +# @TEST-EXEC: zeek -C -r $TRACES/dns-edns-tcp-keepalive.pcap %INPUT > output +# @TEST-EXEC: btest-diff output +@load policy/protocols/dns/auth-addl + +event dns_EDNS_tcp_keepalive(c: connection, msg: dns_msg, opt: dns_edns_tcp_keepalive) + { + print opt; + } \ No newline at end of file 
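Review bot: The test script depends on `@load policy/protocols/dns/auth-addl` to get the additional section parsed at all (presumably via that policy turning off dns_skip_all_addl), but nothing says so; a one-line comment such as `# auth-addl enables parsing of the additional section, where the OPT RR lives` would keep the load from being removed as unused. The baseline only covers well-formed options (timeouts 10 and 370, and the omitted case); no packet exercises the `EDNS_TCP_Keepalive_Record_In_UDP` weird or the invalid-length branch, so the error paths added in patch 01 remain untested.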
From e121d89d4ed42a3f2688754a164c45e4790e94a4 Mon Sep 17 00:00:00 2001 From: FlyingWithJerome Date: Sat, 15 Aug 2020 10:51:35 -0400 Subject: [PATCH 04/14] lazy commit --- src/analyzer/protocol/dns/DNS.cc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc index 99c87c44e4..c3ddd92282 100644 --- a/src/analyzer/protocol/dns/DNS.cc +++ b/src/analyzer/protocol/dns/DNS.cc @@ -800,9 +800,9 @@ bool DNS_Interpreter::ParseRR_EDNS(DNS_MsgInfo* msg, if (analyzer->Conn()->ConnTransport() == TRANSPORT_UDP) { /* - * Based on RFC 7828 (3.2.1/3.2.2), clients and servers MUST NOT - * negotiate TCP Keepalive timeout in DNS-over-UDP. - */ + * Based on RFC 7828 (3.2.1/3.2.2), clients and servers MUST NOT + * negotiate TCP Keepalive timeout in DNS-over-UDP. + */ analyzer->Weird("EDNS_TCP_Keepalive_Record_In_UDP"); } analyzer->EnqueueConnEvent(dns_EDNS_tcp_keepalive, From 89af7d6d4e65d292d59b2651e219b264b788356b Mon Sep 17 00:00:00 2001 From: FlyingWithJerome Date: Sat, 15 Aug 2020 10:52:53 -0400 Subject: [PATCH 05/14] lazy commit --- src/analyzer/protocol/dns/DNS.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc index c3ddd92282..6b407204d8 100644 --- a/src/analyzer/protocol/dns/DNS.cc +++ b/src/analyzer/protocol/dns/DNS.cc @@ -814,7 +814,7 @@ bool DNS_Interpreter::ParseRR_EDNS(DNS_MsgInfo* msg, } else { - break; // error. MUST BE 0 or 2 bytes + break; // error. MUST BE 0 or 2 bytes } } // END EDNS TCP KEEPALIVE From c5b4311a823ef503046e3e264f4516fa12032135 Mon Sep 17 00:00:00 2001 From: FlyingWithJerome Date: Sat, 15 Aug 2020 10:59:30 -0400 Subject: [PATCH 06/14] lazy commit --- src/analyzer/protocol/dns/DNS.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc index 6b407204d8..d53abf8c9e 100644 
--- a/src/analyzer/protocol/dns/DNS.cc +++ b/src/analyzer/protocol/dns/DNS.cc @@ -792,7 +792,7 @@ bool DNS_Interpreter::ParseRR_EDNS(DNS_MsgInfo* msg, }; if ( option_len == 0 || option_len == 2) { - // 0 bytes is permitted by RFC 7828, showing that the timeout value is missing. + // 0 bytes is permitted by RFC 7828, showing that the timeout value is omitted. if (option_len == 2) { edns_tcp_keepalive.keepalive_timeout = ExtractShort(data, option_len); edns_tcp_keepalive.keepalive_timeout_omitted = false; From 74efbd0abc4800d6c3f7d460d290cb472213f5f6 Mon Sep 17 00:00:00 2001 From: FlyingWithJerome Date: Sat, 15 Aug 2020 19:46:03 -0400 Subject: [PATCH 07/14] add EDNS cookie parsing --- scripts/base/init-bare.zeek | 8 ++++ scripts/base/protocols/dns/consts.zeek | 1 + src/NetVar.cc | 1 + src/NetVar.h | 2 + src/analyzer/protocol/dns/DNS.cc | 53 +++++++++++++++++++++++++- src/analyzer/protocol/dns/DNS.h | 8 ++++ src/analyzer/protocol/dns/events.bif | 23 +++++++++++ src/legacy-netvar-init.cc | 1 + 8 files changed, 95 insertions(+), 2 deletions(-) diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek index 36aa4f6f4f..ff013721e7 100644 --- a/scripts/base/init-bare.zeek +++ b/scripts/base/init-bare.zeek @@ -3708,6 +3708,14 @@ type dns_edns_tcp_keepalive: record { keepalive_timeout: count; ##< Timeout value, in 100ms }; +## An DNS EDNS COOKIE (COOKIE) record. +## +## .. zeek:see:: dns_EDNS_tcp_keepalive +type dns_edns_cookie: record { + client_cookie: string; ##< Cookie from the client (fixed 8 bytes) + server_cookie: string &default=""; ##< Cookie from the server (8 to 32 bytes) +}; + ## An additional DNS TSIG record. ## ## .. zeek:see:: dns_TSIG_addl diff --git a/scripts/base/protocols/dns/consts.zeek b/scripts/base/protocols/dns/consts.zeek index 38dd077ec5..2d39eefcb6 100644 --- a/scripts/base/protocols/dns/consts.zeek +++ b/scripts/base/protocols/dns/consts.zeek 
@@ -110,6 +110,7 @@ export { [20] = "BADNAME", # Duplicate key name [21] = "BADALG", # Algorithm not supported [22] = "BADTRUNC", # draft-ietf-dnsext-tsig-sha-05.txt + [23] = "BADCOOKIE", # Bad EDNS cookie value [3842] = "BADSIG", # 16 <= number collision with EDNS(16); # this is a translation from TSIG(16) } &default = function(n: count): string { return fmt("rcode-%d", n); }; diff --git a/src/NetVar.cc b/src/NetVar.cc index 6b7099d570..9244109b73 100644 --- a/src/NetVar.cc +++ b/src/NetVar.cc @@ -109,6 +109,7 @@ zeek::RecordType* dns_soa; zeek::RecordType* dns_edns_additional; zeek::RecordType* dns_edns_ecs; zeek::RecordType* dns_edns_tcp_keepalive; +zeek::RecordType* dns_edns_cookie; zeek::RecordType* dns_tsig_additional; zeek::RecordType* dns_rrsig_rr; zeek::RecordType* dns_dnskey_rr; diff --git a/src/NetVar.h b/src/NetVar.h index 6d3e22c2ff..37934629ce 100644 --- a/src/NetVar.h +++ b/src/NetVar.h @@ -153,6 +153,8 @@ extern zeek::RecordType* dns_edns_ecs; [[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::RecordType* dns_edns_tcp_keepalive; [[deprecated("Remove in v4.1. Perform your own lookup.")]] +extern zeek::RecordType* dns_edns_cookie; +[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::RecordType* dns_tsig_additional; [[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::RecordType* dns_rrsig_rr; diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc index d53abf8c9e..85733ac287 100644 --- a/src/analyzer/protocol/dns/DNS.cc +++ b/src/analyzer/protocol/dns/DNS.cc 
@@ -810,14 +810,50 @@ bool DNS_Interpreter::ParseRR_EDNS(DNS_MsgInfo* msg, msg->BuildHdrVal(), msg->BuildEDNS_TCP_KA_Val(&edns_tcp_keepalive) ); - break; + } else { - break; // error. MUST BE 0 or 2 bytes + // error. MUST BE 0 or 2 bytes } + data += option_len; + break; } // END EDNS TCP KEEPALIVE + case TYPE_COOKIE: + { + EDNS_COOKIE cookie{}; + if (option_len != 8 && !(option_len >= 16 && option_len <= 40)) { + /* + * option length for DNS Cookie must be 8 bytes (with client cookie only) + * OR + * between 16 bytes to 40 bytes (with an 8 bytes client and an 8 to 32 bytes + * server cookie) + */ + break; + } + int remaining_cookie_len = option_len; + int client_cookie_len = 8; + + cookie.client_cookie = ExtractStream(data, client_cookie_len, client_cookie_len); + cookie.server_cookie = nullptr; + + remaining_cookie_len -= 8; + + if (remaining_cookie_len >= 8) { + cookie.server_cookie = ExtractStream(data, remaining_cookie_len, remaining_cookie_len); + } + + analyzer->EnqueueConnEvent(dns_EDNS_cookie, + analyzer->ConnVal(), + msg->BuildHdrVal(), + msg->BuildEDNS_COOKIE_Val(&cookie) + ); + + data += option_len; + break; + } // END EDNS COOKIE + default: { data += option_len; @@ -1649,6 +1685,19 @@ zeek::RecordValPtr DNS_MsgInfo::BuildEDNS_TCP_KA_Val(struct EDNS_TCP_KEEPALIVE* return r; } +zeek::RecordValPtr DNS_MsgInfo::BuildEDNS_COOKIE_Val(struct EDNS_COOKIE* opt) + { + static auto dns_edns_cookie = zeek::id::find_type("dns_edns_cookie"); + auto r = zeek::make_intrusive(dns_edns_cookie); + + r->Assign(0, zeek::make_intrusive(opt->client_cookie)); + if (opt->server_cookie != nullptr) { + r->Assign(1, zeek::make_intrusive(opt->server_cookie)); + } + + return r; + } + zeek::RecordValPtr DNS_MsgInfo::BuildTSIG_Val(struct TSIG_DATA* tsig) { static auto dns_tsig_additional = zeek::id::find_type("dns_tsig_additional"); diff --git a/src/analyzer/protocol/dns/DNS.h b/src/analyzer/protocol/dns/DNS.h index b0d6521a89..c97d58db1f 100644 --- a/src/analyzer/protocol/dns/DNS.h 
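Review bot: In the TYPE_COOKIE arm the early `break` on an invalid length leaves `data` at the start of the rejected option, so the next loop iteration reads the cookie payload as an option code and length; the branch should skip the bytes first, `data += option_len; break;`, and raising a Weird there would make a malformed cookie visible instead of dropping it silently. The trailing `data += option_len;` after EnqueueConnEvent (in both the keepalive and cookie arms) advances past bytes that `ExtractShort`/`ExtractStream` already consumed, desynchronizing every option that follows a valid one; patch 08 of this series removes it, but the invalid-length path keeps the opposite problem. As with the keepalive arm, the event is enqueued without the `dns_EDNS_cookie && ! msg->skip_event` guard used for dns_EDNS_addl. `cookie.server_cookie = nullptr;` is redundant with `EDNS_COOKIE cookie{};`. ParseRR_EDNS and the option loop extend beyond the hunk.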
+++ b/src/analyzer/protocol/dns/DNS.h @@ -29,6 +29,7 @@ typedef enum { DNS_CODE_NAME_ERR = 3, ///< no such domain DNS_CODE_NOT_IMPL = 4, ///< not implemented DNS_CODE_REFUSED = 5, ///< refused + DNS_CODE_BADCOOKIE = 23, ///< Bad cookie value (RFC 7873, IANA early allocation) } DNS_Code; typedef enum { @@ -92,6 +93,7 @@ typedef enum { TYPE_N3U = 7, ///< RFC6975 TYPE_ECS = 8, ///< RFC7871 TYPE_EXPIRE = 9, ///< RFC7314 + TYPE_COOKIE = 10, ///< RFC7873 TYPE_TCP_KA = 11, ///< RFC7828 TYPE_PAD = 12, ///< RFC7830 TYPE_CHAIN = 13, ///< RFC7901 @@ -161,6 +163,11 @@ struct EDNS_TCP_KEEPALIVE { uint16_t keepalive_timeout; // the timeout value (in 100ms) sent by the client/server }; +struct EDNS_COOKIE { + zeek::String* client_cookie; + zeek::String* server_cookie; +}; + struct TSIG_DATA { zeek::String* alg_name; unsigned long time_s; @@ -217,6 +224,7 @@ public: zeek::RecordValPtr BuildEDNS_Val(); zeek::RecordValPtr BuildEDNS_ECS_Val(struct EDNS_ECS*); zeek::RecordValPtr BuildEDNS_TCP_KA_Val(struct EDNS_TCP_KEEPALIVE*); + zeek::RecordValPtr BuildEDNS_COOKIE_Val(struct EDNS_COOKIE*); zeek::RecordValPtr BuildTSIG_Val(struct TSIG_DATA*); zeek::RecordValPtr BuildRRSIG_Val(struct RRSIG_DATA*); zeek::RecordValPtr BuildDNSKEY_Val(struct DNSKEY_DATA*); diff --git a/src/analyzer/protocol/dns/events.bif b/src/analyzer/protocol/dns/events.bif index 0468eb919b..2567a9de9f 100644 --- a/src/analyzer/protocol/dns/events.bif +++ b/src/analyzer/protocol/dns/events.bif 
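Review bot: `EDNS_COOKIE` holds two raw `zeek::String*` with no statement of ownership; in DNS.cc they are freshly allocated by ExtractStream and handed to a StringVal in BuildEDNS_COOKIE_Val, so a comment such as `///< allocated by the parser, released when handed to BuildEDNS_COOKIE_Val; may be nullptr` on server_cookie would record that contract, and any early exit between ExtractStream and the hand-off leaks them. `DNS_CODE_BADCOOKIE = 23` does not fit the 4-bit header RCODE — BADCOOKIE is an extended RCODE carried via the OPT RR — so placing it in `DNS_Code` invites a comparison against the header field that can never match (patch 11 of this series removes it).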
@@ -551,6 +551,29 @@ event dns_EDNS_ecs%(c: connection, msg: dns_msg, opt: dns_edns_ecs%); ## dns_skip_all_addl dns_skip_all_auth dns_skip_auth event dns_EDNS_tcp_keepalive%(c: connection, msg: dns_msg, opt: dns_edns_tcp_keepalive%); +## Generated for DNS replies of type *EDNS*. For replies with multiple options, +## an individual event is raised for each. +## +## See `Wikipedia `__ for more +## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS +## sessions. +## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## opt: The parsed EDNS option. +## +## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_HINFO_reply dns_MX_reply +## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl +## dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_mapping_altered +## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified +## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request +## dns_max_queries dns_session_timeout dns_skip_addl +## dns_skip_all_addl dns_skip_all_auth dns_skip_auth +event dns_EDNS_cookie%(c: connection, msg: dns_msg, opt: dns_edns_cookie%); + ## Generated for DNS replies of type *TSIG*. For replies with multiple answers, ## an individual event of the corresponding type is raised for each. ## diff --git a/src/legacy-netvar-init.cc b/src/legacy-netvar-init.cc index eaa6b231ad..572fe950bc 100644 --- a/src/legacy-netvar-init.cc +++ b/src/legacy-netvar-init.cc 
@@ -44,6 +44,7 @@ void zeek_legacy_netvar_init() ::dns_edns_additional = zeek::id::find_type("dns_edns_additional")->AsRecordType(); ::dns_edns_ecs = zeek::id::find_type("dns_edns_ecs")->AsRecordType(); ::dns_edns_tcp_keepalive = zeek::id::find_type("dns_edns_tcp_keepalive")->AsRecordType(); + ::dns_edns_cookie = zeek::id::find_type("dns_edns_cookie")->AsRecordType(); ::dns_tsig_additional = zeek::id::find_type("dns_tsig_additional")->AsRecordType(); ::dns_rrsig_rr = zeek::id::find_type("dns_rrsig_rr")->AsRecordType(); ::dns_dnskey_rr = zeek::id::find_type("dns_dnskey_rr")->AsRecordType(); From d75a385f8fc63448e82b7f49b5e50c5f01030f86 Mon Sep 17 00:00:00 2001 From: FlyingWithJerome Date: Sun, 16 Aug 2020 09:27:01 -0400 Subject: [PATCH 08/14] remove data+=option_len error in cookie and keepalive --- scripts/base/init-bare.zeek | 12 ++++++------ src/analyzer/protocol/dns/DNS.cc | 2 -- src/analyzer/protocol/dns/events.bif | 4 ++-- 3 files changed, 8 insertions(+), 10 deletions(-) diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek index ff013721e7..2afbfc87c7 100644 --- a/scripts/base/init-bare.zeek +++ b/scripts/base/init-bare.zeek 
@@ -3700,20 +3700,20 @@ type dns_edns_ecs: record { address: string; ##< Client Subnet Address. }; -## An DNS EDNS TCP Keepalive (TCP_KA) record. +## An DNS EDNS TCP KEEPALIVE (TCP KEEPALIVE) record. ## ## .. zeek:see:: dns_EDNS_tcp_keepalive type dns_edns_tcp_keepalive: record { - keepalive_timeout_omitted: bool; ##< Whether timeout value is omitted - keepalive_timeout: count; ##< Timeout value, in 100ms + keepalive_timeout_omitted: bool; ##< Whether timeout value is omitted. + keepalive_timeout: count; ##< Timeout value, in 100ms. }; ## An DNS EDNS COOKIE (COOKIE) record. ## -## .. zeek:see:: dns_EDNS_tcp_keepalive +## .. zeek:see:: dns_EDNS_cookie type dns_edns_cookie: record { - client_cookie: string; ##< Cookie from the client (fixed 8 bytes) - server_cookie: string &default=""; ##< Cookie from the server (8 to 32 bytes) + client_cookie: string; ##< Cookie from the client (fixed 8 bytes). + server_cookie: string &default=""; ##< Cookie from the server (8 to 32 bytes). }; ## An additional DNS TSIG record. diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc index 85733ac287..103610a578 100644 --- a/src/analyzer/protocol/dns/DNS.cc +++ b/src/analyzer/protocol/dns/DNS.cc @@ -816,7 +816,6 @@ bool DNS_Interpreter::ParseRR_EDNS(DNS_MsgInfo* msg, { // error. MUST BE 0 or 2 bytes } - data += option_len; break; } // END EDNS TCP KEEPALIVE @@ -850,7 +849,6 @@ bool DNS_Interpreter::ParseRR_EDNS(DNS_MsgInfo* msg, msg->BuildEDNS_COOKIE_Val(&cookie) ); - data += option_len; break; } // END EDNS COOKIE diff --git a/src/analyzer/protocol/dns/events.bif b/src/analyzer/protocol/dns/events.bif index 2567a9de9f..a3d437afe1 100644 --- a/src/analyzer/protocol/dns/events.bif +++ b/src/analyzer/protocol/dns/events.bif 
@@ -540,7 +540,7 @@ event dns_EDNS_ecs%(c: connection, msg: dns_msg, opt: dns_edns_ecs%); ## ## msg: The parsed DNS message header. ## -## opt: The parsed EDNS option. +## opt: The parsed EDNS Keepalive option. ## ## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_HINFO_reply dns_MX_reply ## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl @@ -563,7 +563,7 @@ event dns_EDNS_tcp_keepalive%(c: connection, msg: dns_msg, opt: dns_edns_tcp_kee ## ## msg: The parsed DNS message header. ## -## opt: The parsed EDNS option. +## opt: The parsed EDNS Cookie option. ## ## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_HINFO_reply dns_MX_reply ## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl From 28576d3a846446a3d261e12b637dee615ab92a60 Mon Sep 17 00:00:00 2001 From: FlyingWithJerome Date: Sun, 16 Aug 2020 10:45:00 -0400 Subject: [PATCH 09/14] add edns-cookie testcase --- .../output | 4 ++++ testing/btest/Traces/dns-edns-cookie.pcap | Bin 0 -> 1998 bytes .../base/protocols/dns/dns-edns-cookie.zeek | 8 ++++++++ 3 files changed, 12 insertions(+) create mode 100644 testing/btest/Baseline/scripts.base.protocols.dns.dns-edns-cookie/output create mode 100644 testing/btest/Traces/dns-edns-cookie.pcap create mode 100644 testing/btest/scripts/base/protocols/dns/dns-edns-cookie.zeek diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.dns-edns-cookie/output b/testing/btest/Baseline/scripts.base.protocols.dns.dns-edns-cookie/output new file mode 100644 index 0000000000..647a9fa22a --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.dns.dns-edns-cookie/output @@ -0,0 +1,4 @@ +[client_cookie=\xc8\x14\x98Z\x92\x8acB, server_cookie=] +[client_cookie=\xc8\x14\x98Z\x92\x8acB, server_cookie==\xcd>O{\xa9$z] +[client_cookie=1;Pl\x0b\xdd\x04s, server_cookie=] +[client_cookie=1;Pl\x0b\xdd\x04s, server_cookie=\xb0\xb1.E\xbahYl] \ No newline at end of file 
diff --git a/testing/btest/Traces/dns-edns-cookie.pcap b/testing/btest/Traces/dns-edns-cookie.pcap new file mode 100644 index 0000000000000000000000000000000000000000..07b5ab158146985abc74dddcb0dd1c7bffd953b3 GIT binary patch literal 1998 zcmbu8QAks96vofJ-sZjAvUy7}>A?pl7#JkeAT7i;p&;8pDFw+~S|cf0q?DC|D8Ytd zMXd6{uu}8IWKr15$QKD$5kd)WXc0aHAwsQ(#Ll^QyLawRa5eUaZFl_s-}jyK%}kCz zVu1to#Q}p~2AB36Uo101HGZb!-o`bdROQ&rUJtte6TehAU!wPOEUz!pS#J>?ZxTqiAIX(SrK8bpiRzw7&@Cdp+hgLh zX5Rxu^)3^chzEv^;6WN44bdGX-b+f%;j`YE*Ak)J)6V2cG2;WF!*#~h)_l@+BJG^} z6#hUD3Qc$uzC_RiKef$Qf4j$72?k(6PkN^Qs17yRS%T@5-QmRSx-mPu#{{(tWwIW0 z_XKlWCZcQA2tK@!j)vG1t3(i|29bl*ukKJitVgAFGeA>zY&HOmx<*zAcfTH?16m6&8YVJXX>30ZdHboA8h iH#cKhIt`emjWiy7rV=--QID=KORirj8taR6PQzbN4lHs2 literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/dns/dns-edns-cookie.zeek b/testing/btest/scripts/base/protocols/dns/dns-edns-cookie.zeek new file mode 100644 index 0000000000..6875099ec9 --- /dev/null +++ b/testing/btest/scripts/base/protocols/dns/dns-edns-cookie.zeek @@ -0,0 +1,8 @@ +# @TEST-EXEC: zeek -C -r $TRACES/dns-edns-cookie.pcap %INPUT > output +# @TEST-EXEC: btest-diff output +@load policy/protocols/dns/auth-addl + +event dns_EDNS_cookie(c: connection, msg: dns_msg, opt: dns_edns_cookie) + { + print opt; + } \ No newline at end of file From fe6efc85246c7ec2148bcff6096810ae2408a308 Mon Sep 17 00:00:00 2001 From: FlyingWithJerome Date: Sun, 16 Aug 2020 13:36:35 -0400 Subject: [PATCH 10/14] better explanation to server cookie --- scripts/base/init-bare.zeek | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek index 2afbfc87c7..81b0f85532 100644 --- a/scripts/base/init-bare.zeek +++ b/scripts/base/init-bare.zeek 
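Review bot: The new trace testing/btest/Traces/dns-edns-cookie.pcap carries the same blob id (07b5ab158146985abc74dddcb0dd1c7bffd953b3) and size (1998 bytes) as dns-edns-tcp-keepalive.pcap added in patch 03, so the two files appear byte-identical; either one capture exercises both options, in which case a single trace with a comment saying so is cleaner, or the wrong file was committed, which the cookie baseline would not reveal if the capture happens to contain cookie options anyway. The test script again relies on `@load policy/protocols/dns/auth-addl` without a comment saying why it is needed.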
@@ -3713,7 +3713,7 @@ type dns_edns_tcp_keepalive: record { ## .. zeek:see:: dns_EDNS_cookie type dns_edns_cookie: record { client_cookie: string; ##< Cookie from the client (fixed 8 bytes). - server_cookie: string &default=""; ##< Cookie from the server (8 to 32 bytes). + server_cookie: string &default=""; ##< Cookie from the server (0 bytes if missing, or 8 to 32 bytes). }; ## An additional DNS TSIG record. From 69c8b01f58771c21fdc46f0fecce5eb938bc5444 Mon Sep 17 00:00:00 2001 From: FlyingWithJerome Date: Sun, 16 Aug 2020 13:57:44 -0400 Subject: [PATCH 11/14] better explanation to server cookie --- src/analyzer/protocol/dns/DNS.h | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/src/analyzer/protocol/dns/DNS.h b/src/analyzer/protocol/dns/DNS.h index c97d58db1f..02161128be 100644 --- a/src/analyzer/protocol/dns/DNS.h +++ b/src/analyzer/protocol/dns/DNS.h @@ -29,7 +29,6 @@ typedef enum { DNS_CODE_NAME_ERR = 3, ///< no such domain DNS_CODE_NOT_IMPL = 4, ///< not implemented DNS_CODE_REFUSED = 5, ///< refused - DNS_CODE_BADCOOKIE = 23, ///< Bad cookie value (RFC 7873, IANA early allocation) } DNS_Code; typedef enum { @@ -159,13 +158,13 @@ struct EDNS_ECS { }; struct EDNS_TCP_KEEPALIVE { - bool keepalive_timeout_omitted; // whether the keepalive timeout is omitted - uint16_t keepalive_timeout; // the timeout value (in 100ms) sent by the client/server + bool keepalive_timeout_omitted; ///< whether the keepalive timeout is omitted + uint16_t keepalive_timeout; ///< the timeout value (in 100ms) sent by the client/server }; struct EDNS_COOKIE { - zeek::String* client_cookie; - zeek::String* server_cookie; + zeek::String* client_cookie; ///< cookie value sent by the client (8 bytes) + zeek::String* server_cookie; ///< cookie value sent by the server (0 or 8-32 bytes) }; struct TSIG_DATA { From 3b3197106d36cced13d00aff6f504e1bd12b845e Mon Sep 17 00:00:00 2001 
From: FlyingWithJerome Date: Sun, 16 Aug 2020 22:54:12 -0400 Subject: [PATCH 12/14] add data+=option_len to skip unknown bytes --- src/analyzer/protocol/dns/DNS.cc | 34 +++++++++++++++++++------------- 1 file changed, 20 insertions(+), 14 deletions(-) diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc index 103610a578..3d8d8cc0ab 100644 --- a/src/analyzer/protocol/dns/DNS.cc +++ b/src/analyzer/protocol/dns/DNS.cc @@ -793,18 +793,21 @@ bool DNS_Interpreter::ParseRR_EDNS(DNS_MsgInfo* msg, if ( option_len == 0 || option_len == 2) { // 0 bytes is permitted by RFC 7828, showing that the timeout value is omitted. - if (option_len == 2) { + if (option_len == 2) + { edns_tcp_keepalive.keepalive_timeout = ExtractShort(data, option_len); edns_tcp_keepalive.keepalive_timeout_omitted = false; - } + } - if (analyzer->Conn()->ConnTransport() == TRANSPORT_UDP) { + if (analyzer->Conn()->ConnTransport() == TRANSPORT_UDP) + { /* * Based on RFC 7828 (3.2.1/3.2.2), clients and servers MUST NOT * negotiate TCP Keepalive timeout in DNS-over-UDP. */ - analyzer->Weird("EDNS_TCP_Keepalive_Record_In_UDP"); - } + analyzer->Weird("EDNS_TCP_Keepalive_In_UDP"); + } + analyzer->EnqueueConnEvent(dns_EDNS_tcp_keepalive, analyzer->ConnVal(), msg->BuildHdrVal(), @@ -814,7 +817,8 @@ bool DNS_Interpreter::ParseRR_EDNS(DNS_MsgInfo* msg, } else { - // error. MUST BE 0 or 2 bytes + // error. MUST BE 0 or 2 bytes. skip + data += option_len; } break; } // END EDNS TCP KEEPALIVE 
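Review bot: The UDP check in this hunk enforces only one of the RFC 7828 rules its comment cites; as I read §3.2.1/§3.2.2, a client's edns-tcp-keepalive option must carry OPTION-LENGTH 0 and a server's must carry a 2-byte TIMEOUT, yet the code accepts either length from either direction. If the message's query/response flag is reachable here (it is not visible in the hunk), a second Weird, e.g. `analyzer->Weird("EDNS_TCP_Keepalive_Timeout_In_Query");` when `option_len == 2` on a query, would surface that violation the same way the UDP one is. ParseRR_EDNS and the option loop that bounds option_len start and end outside this hunk, so that bound is assumed rather than checked here.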
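Review bot: A keepalive option whose length is neither 0 nor 2 is now skipped silently in the else branch; nothing records it, although the UDP misuse a few lines above gets a Weird. Add `analyzer->Weird("EDNS_TCP_Keepalive_Invalid_Length");` before the new `data += option_len;` so malformed options show up in weird.log like the other protocol violations. The skip itself is only safe if option_len was already checked against the remaining rdlength by the loop that starts before this hunk, which I cannot confirm from here; `data += option_len` performs no bound check of its own.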
@@ -822,26 +826,28 @@ bool DNS_Interpreter::ParseRR_EDNS(DNS_MsgInfo* msg, case TYPE_COOKIE: { EDNS_COOKIE cookie{}; - if (option_len != 8 && !(option_len >= 16 && option_len <= 40)) { + if (option_len != 8 && ! (option_len >= 16 && option_len <= 40)) + { /* * option length for DNS Cookie must be 8 bytes (with client cookie only) * OR * between 16 bytes to 40 bytes (with an 8 bytes client and an 8 to 32 bytes * server cookie) */ + data += option_len; break; - } - int remaining_cookie_len = option_len; + } + int client_cookie_len = 8; + int server_cookie_len = option_len - client_cookie_len; cookie.client_cookie = ExtractStream(data, client_cookie_len, client_cookie_len); cookie.server_cookie = nullptr; - remaining_cookie_len -= 8; - - if (remaining_cookie_len >= 8) { - cookie.server_cookie = ExtractStream(data, remaining_cookie_len, remaining_cookie_len); - } + if (server_cookie_len >= 8) + { + cookie.server_cookie = ExtractStream(data, server_cookie_len, server_cookie_len); + } analyzer->EnqueueConnEvent(dns_EDNS_cookie, analyzer->ConnVal(), From 4a3396d5251c36e145736299d381572935b67254 Mon Sep 17 00:00:00 2001 From: FlyingWithJerome Date: Sun, 16 Aug 2020 23:50:48 -0400 Subject: [PATCH 13/14] add new line at the end of the test baseline --- .../Baseline/scripts.base.protocols.dns.dns-edns-cookie/output | 2 +- .../scripts.base.protocols.dns.dns-edns-tcp-keepalive/output | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.dns-edns-cookie/output b/testing/btest/Baseline/scripts.base.protocols.dns.dns-edns-cookie/output index 647a9fa22a..96d28efa58 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dns.dns-edns-cookie/output +++ b/testing/btest/Baseline/scripts.base.protocols.dns.dns-edns-cookie/output 
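Review bot: The rejection branch for a COOKIE option of 9–15 or more than 40 bytes now skips the bytes without any signal; RFC 7873 treats such a length as a malformed option a server must reject with FORMERR, and a sensor should record it rather than drop it. Add `analyzer->Weird("EDNS_Cookie_Invalid_Length");` before the new `data += option_len;` in that branch. As with the keepalive case, the advance assumes option_len was bounded against the remaining rdlength in the loop above the hunk, which is not visible here. The case's trailing lines, including the EnqueueConnEvent argument list, continue past the end of the hunk as shown.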
@@ -1,4 +1,4 @@
 [client_cookie=\xc8\x14\x98Z\x92\x8acB, server_cookie=]
 [client_cookie=\xc8\x14\x98Z\x92\x8acB, server_cookie==\xcd>O{\xa9$z]
 [client_cookie=1;Pl\x0b\xdd\x04s, server_cookie=]
-[client_cookie=1;Pl\x0b\xdd\x04s, server_cookie=\xb0\xb1.E\xbahYl]
\ No newline at end of file
+[client_cookie=1;Pl\x0b\xdd\x04s, server_cookie=\xb0\xb1.E\xbahYl]
diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.dns-edns-tcp-keepalive/output b/testing/btest/Baseline/scripts.base.protocols.dns.dns-edns-tcp-keepalive/output
index 1372490c4c..6b4149fa12 100644
--- a/testing/btest/Baseline/scripts.base.protocols.dns.dns-edns-tcp-keepalive/output
+++ b/testing/btest/Baseline/scripts.base.protocols.dns.dns-edns-tcp-keepalive/output
@@ -1,4 +1,4 @@
 [keepalive_timeout_omitted=F, keepalive_timeout=10]
 [keepalive_timeout_omitted=F, keepalive_timeout=370]
 [keepalive_timeout_omitted=T, keepalive_timeout=0]
-[keepalive_timeout_omitted=F, keepalive_timeout=370]
\ No newline at end of file
+[keepalive_timeout_omitted=F, keepalive_timeout=370]

From 512361ce1243412cd7e6d08feb133754d3e668fd Mon Sep 17 00:00:00 2001
From: FlyingWithJerome
Date: Thu, 20 Aug 2020 11:02:44 -0400
Subject: [PATCH 14/14] remove variables in netvar, use tabs in DNS.h and polish comments in dns events.

---
 src/NetVar.cc                        |  2 --
 src/NetVar.h                         |  4 ----
 src/analyzer/protocol/dns/DNS.h      |  2 +-
 src/analyzer/protocol/dns/events.bif | 16 ++++++++++------
 src/legacy-netvar-init.cc            |  2 --
 5 files changed, 11 insertions(+), 15 deletions(-)

diff --git a/src/NetVar.cc b/src/NetVar.cc
index 9244109b73..7628f1d9eb 100644
--- a/src/NetVar.cc
+++ b/src/NetVar.cc
@@ -108,8 +108,6 @@ zeek::RecordType* dns_answer;
 zeek::RecordType* dns_soa;
 zeek::RecordType* dns_edns_additional;
 zeek::RecordType* dns_edns_ecs;
-zeek::RecordType* dns_edns_tcp_keepalive;
-zeek::RecordType* dns_edns_cookie;
 zeek::RecordType* dns_tsig_additional;
 zeek::RecordType* dns_rrsig_rr;
 zeek::RecordType* dns_dnskey_rr;
diff --git a/src/NetVar.h b/src/NetVar.h index 37934629ce..9c1017d96e 100644 --- a/src/NetVar.h +++ b/src/NetVar.h @@ -151,10 +151,6 @@ extern zeek::RecordType* dns_edns_additional; [[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::RecordType* dns_edns_ecs; [[deprecated("Remove in v4.1. Perform your own lookup.")]] -extern zeek::RecordType* dns_edns_tcp_keepalive; -[[deprecated("Remove in v4.1. Perform your own lookup.")]] -extern zeek::RecordType* dns_edns_cookie; -[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::RecordType* dns_tsig_additional; [[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::RecordType* dns_rrsig_rr; diff --git a/src/analyzer/protocol/dns/DNS.h b/src/analyzer/protocol/dns/DNS.h index 02161128be..57b14e1e48 100644 --- a/src/analyzer/protocol/dns/DNS.h +++ b/src/analyzer/protocol/dns/DNS.h @@ -92,7 +92,7 @@ typedef enum { TYPE_N3U = 7, ///< RFC6975 TYPE_ECS = 8, ///< RFC7871 TYPE_EXPIRE = 9, ///< RFC7314 - TYPE_COOKIE = 10, ///< RFC7873 + TYPE_COOKIE = 10, ///< RFC7873 TYPE_TCP_KA = 11, ///< RFC7828 TYPE_PAD = 12, ///< RFC7830 TYPE_CHAIN = 13, ///< RFC7901 diff --git a/src/analyzer/protocol/dns/events.bif b/src/analyzer/protocol/dns/events.bif index a3d437afe1..a32a6966ba 100644 --- a/src/analyzer/protocol/dns/events.bif +++ b/src/analyzer/protocol/dns/events.bif 
@@ -528,11 +528,13 @@ event dns_EDNS_addl%(c: connection, msg: dns_msg, ans: dns_edns_additional%); ## dns_skip_all_addl dns_skip_all_auth dns_skip_auth event dns_EDNS_ecs%(c: connection, msg: dns_msg, opt: dns_edns_ecs%); -## Generated for DNS replies of type *EDNS*. For replies with multiple options, -## an individual event is raised for each. +## Generated for DNS replies of type *EDNS*, and an option field in this *EDNS* record has +## an opt-type of 11. For replies with multiple option fields, an individual event is +## raised for each. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS +## information about the DNS protocol. See `RFC7828 `__ for +## more information about EDNS0 TCP keepalive. Zeek analyzes both UDP and TCP DNS ## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the @@ -551,11 +553,13 @@ event dns_EDNS_ecs%(c: connection, msg: dns_msg, opt: dns_edns_ecs%); ## dns_skip_all_addl dns_skip_all_auth dns_skip_auth event dns_EDNS_tcp_keepalive%(c: connection, msg: dns_msg, opt: dns_edns_tcp_keepalive%); -## Generated for DNS replies of type *EDNS*. For replies with multiple options, -## an individual event is raised for each. +## Generated for DNS replies of type *EDNS*, and an option field in this *EDNS* record has +## an opt-type of 10. For replies with multiple options fields, an individual event +## is raised for each. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS +## information about the DNS protocol. See `RFC7873 `__ for +## more information about EDNS0 cookie. Zeek analyzes both UDP and TCP DNS ## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the diff --git a/src/legacy-netvar-init.cc b/src/legacy-netvar-init.cc index 572fe950bc..de4dc83972 100644 --- a/src/legacy-netvar-init.cc +++ b/src/legacy-netvar-init.cc 
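Review bot: The reworded comment still opens with "Generated for DNS replies of type *EDNS*", but the baselines added earlier in this series contain keepalive events with the timeout omitted and cookie events with an empty server cookie, which under RFC 7828/7873 are the forms a client puts in a query; so the event appears to fire for queries as well as replies (inferred from the baselines, not from parser code visible here). I would write `## Generated for DNS messages (queries and replies) that carry an *EDNS* OPT record containing an option with option code 11 (edns-tcp-keepalive, RFC 7828). One event is raised per such option.` and the analogous sentence with option code 10 (DNS COOKIE, RFC 7873) in the next hunk, which currently also says "multiple options fields". The RFC links render here as `RFC7828 <>` with an empty target; if that is not an artifact of this page's rendering, the URLs need filling in.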
@@ -43,8 +43,6 @@ void zeek_legacy_netvar_init() ::dns_soa = zeek::id::find_type("dns_soa")->AsRecordType(); ::dns_edns_additional = zeek::id::find_type("dns_edns_additional")->AsRecordType(); ::dns_edns_ecs = zeek::id::find_type("dns_edns_ecs")->AsRecordType(); - ::dns_edns_tcp_keepalive = zeek::id::find_type("dns_edns_tcp_keepalive")->AsRecordType(); - ::dns_edns_cookie = zeek::id::find_type("dns_edns_cookie")->AsRecordType(); ::dns_tsig_additional = zeek::id::find_type("dns_tsig_additional")->AsRecordType(); ::dns_rrsig_rr = zeek::id::find_type("dns_rrsig_rr")->AsRecordType(); ::dns_dnskey_rr = zeek::id::find_type("dns_dnskey_rr")->AsRecordType();