diff --git a/scripts/base/protocols/dns/main.bro b/scripts/base/protocols/dns/main.bro
index 83c9682e8c..b8bc6d4eae 100644
--- a/scripts/base/protocols/dns/main.bro
+++ b/scripts/base/protocols/dns/main.bro
@@ -305,6 +305,9 @@ hook DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string)
 if ( ans$answer_type == DNS_ANS )
 {
+ if ( ! c$dns?$query )
+ c$dns$query = ans$query;
+
 c$dns$AA = msg$AA;
 c$dns$RA = msg$RA;
diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc
index 378fe449b6..0c5ef53000 100644
--- a/src/analyzer/protocol/dns/DNS.cc
+++ b/src/analyzer/protocol/dns/DNS.cc
@@ -19,6 +19,7 @@ using namespace analyzer::dns;
 DNS_Interpreter::DNS_Interpreter(analyzer::Analyzer* arg_analyzer)
 {
 analyzer = arg_analyzer;
+ first_message = true;
 }
 int DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query)
@@ -33,6 +34,16 @@ int DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query)
 DNS_MsgInfo msg((DNS_RawMsgHdr*) data, is_query);
+ if ( first_message && msg.QR && is_query == 1 )
+ {
+ is_query = msg.is_query = 0;
+
+ if ( ! analyzer->Conn()->RespAddr().IsMulticast() )
+ analyzer->Conn()->FlipRoles();
+ }
+
+ first_message = false;
+
 if ( dns_message )
 {
 val_list* vl = new val_list();
@@ -1064,7 +1075,8 @@ void Contents_DNS::Flush()
 {
 if ( buf_n > 0 )
 { // Deliver partial message.
- interp->ParseMessage(msg_buf, buf_n, true);
+ // '2' here means whether it's a query is unknown.
+ interp->ParseMessage(msg_buf, buf_n, 2);
 msg_size = 0;
 }
 }
diff --git a/src/analyzer/protocol/dns/DNS.h b/src/analyzer/protocol/dns/DNS.h
index 2d95d979b8..59f51812ca 100644
--- a/src/analyzer/protocol/dns/DNS.h
+++ b/src/analyzer/protocol/dns/DNS.h
@@ -220,6 +220,7 @@ protected:
 BroString* question_name);
 analyzer::Analyzer* analyzer;
+ bool first_message;
 };
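Review bot: The new `c$dns$query = ans$query` fallback carries no comment saying why a reply can reach do_reply with the query still unset; add `# A reply seen before (or without) its query still names the queried name in the answer RR, so fill the field from it.` Because the fallback sits inside the `ans$answer_type == DNS_ANS` branch, a query-less reply that carries only authority or additional records (an NXDOMAIN with just an SOA, presumably) would still log an empty query; if that is intended it deserves a sentence too. The enclosing `DNS::do_reply` hook starts before the hunk and continues after it.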
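Review bot: The role flip is decided solely by the QR bit of the first message this interpreter sees, and `first_message = false;` runs unconditionally, so a stray or forged response that happens to arrive ahead of the genuine query permanently swaps orig/resp for that connection and the later real query is logged with reversed endpoints; as far as the hunk shows, nothing later re-evaluates the decision. That is a silent attribution change in dns.log (and presumably the connection record), so consider surfacing it, e.g. `analyzer->Weird("dns_roles_flipped");` beside the `FlipRoles()` call (name constructed here), so an analyst can distinguish flipped records from ordinary ones. The `is_query == 1` test also means the `2` ("unknown") value passed from Contents_DNS::Flush() never triggers a flip, which looks intended but merits a comment on the condition. ParseMessage's body continues past the hunk.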
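Review bot: `2` is a magic value whose meaning lives only in the comment above it; give it a name, e.g. `enum { DNS_MSG_REPLY = 0, DNS_MSG_QUERY = 1, DNS_MSG_QUERY_UNKNOWN = 2 };` (names constructed here), and use it both in this call and in the `is_query == 1` test in ParseMessage(). More importantly, the value is passed straight into `DNS_MsgInfo msg(..., is_query)`, and any downstream code that treats `msg.is_query` as a boolean (outside this hunk, so I cannot confirm) will read 2 as "query", which is not what "unknown" should mean; worth verifying, or mapping it before the struct is built.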
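Review bot: `bool first_message;` is declared without a comment, and nothing in the header tells a reader its lifecycle; add `// True until ParseMessage() has consumed the first message on this connection; a reply seen first may flip orig/resp.` It is set in the constructor in DNS.cc rather than at the declaration; `bool first_message = true;` here would keep the invariant next to the member, if the project already builds with C++11, which I cannot confirm from the hunk.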
diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/dns.log
index 6e2a0a4699..7e09f39404 100644
--- a/testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/dns.log
+++ b/testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/dns.log
@@ -3,9 +3,9 @@
 #empty_field (empty)
 #unset_field -
 #path dns
-#open 2014-01-28-14-58-56
+#open 2015-03-19-15-44-23
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
 #types time string addr port addr port enum count string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
 1363716396.798072 CXWv6p3arKYeMETxOg 55.247.223.174 27285 222.195.43.124 53 udp 21140 www.cmu.edu 1 C_INTERNET 1 A 0 NOERROR T F F F 1 www-cmu.andrew.cmu.edu,,www-cmu-2.andrew.cmu.edu,128.2.10.163 86400.000000,86400.000000,5.000000,21600.000000 F
-1363716396.798374 CXWv6p3arKYeMETxOg 55.247.223.174 27285 222.195.43.124 53 udp 21140 - - - - - 0 NOERROR T F F F 0 www-cmu.andrew.cmu.edu,,www-cmu-2.andrew.cmu.edu,128.2.10.163 86400.000000,86400.000000,5.000000,21600.000000 F
-#close 2014-01-28-14-58-56
+1363716396.798374 CXWv6p3arKYeMETxOg 55.247.223.174 27285 222.195.43.124 53 udp 21140 www.cmu.edu - - - - 0 NOERROR T F F F 0 www-cmu.andrew.cmu.edu,,www-cmu-2.andrew.cmu.edu,128.2.10.163 86400.000000,86400.000000,5.000000,21600.000000 F
+#close 2015-03-19-15-44-23
diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/weird.log b/testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/weird.log
index 0592a777db..5b9f54dbf1 100644
--- a/testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/weird.log
+++ b/testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/weird.log
@@ -3,10 +3,10 @@
 #empty_field (empty)
 #unset_field -
 #path weird
-#open 2015-03-18-17-30-43
+#open 2015-03-19-15-44-23
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
 #types time string addr port addr port string string bool string
 1363716396.798286 CXWv6p3arKYeMETxOg 55.247.223.174 27285 222.195.43.124 53 DNS_RR_unknown_type 46 F bro
 1363716396.798374 CXWv6p3arKYeMETxOg 55.247.223.174 27285 222.195.43.124 53 dns_unmatched_reply - F bro
 1363716396.798374 - - - - - dns_unmatched_msg - F bro
-#close 2015-03-18-17-30-44
+#close 2015-03-19-15-44-23
diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.flip/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.flip/dns.log
new file mode 100644
index 0000000000..3a86abc5d6
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.dns.flip/dns.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path dns
+#open 2015-03-19-16-50-45
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
+#types time string addr port addr port enum count string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
+964953086.310131 CXWv6p3arKYeMETxOg 10.20.1.31 53 207.158.192.40 53 udp 25701 us.v27.distributed.net - - - - 0 NOERROR T F F T 0 206.109.64.186,216.1.205.81,205.149.163.211,134.53.131.135,134.53.131.192,128.104.18.148,204.152.186.139,63.77.33.226 900.000000,900.000000,900.000000,900.000000,900.000000,900.000000,900.000000,900.000000 F
+#close 2015-03-19-16-50-45
diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.multiple-txt-strings/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.multiple-txt-strings/dns.log
index ba73d16c82..eb95e1dcc8 100644
--- a/testing/btest/Baseline/scripts.base.protocols.dns.multiple-txt-strings/dns.log
+++ b/testing/btest/Baseline/scripts.base.protocols.dns.multiple-txt-strings/dns.log
@@ -3,8 +3,8 @@
 #empty_field (empty)
 #unset_field -
 #path dns
-#open 2014-04-24-23-33-57
+#open 2015-03-19-15-44-24
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
 #types time string addr port addr port enum count string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
-1398382067.286885 CXWv6p3arKYeMETxOg 192.150.187.50 51946 68.142.255.16 53 udp 28079 - - - - - 0 NOERROR T F F F 0 fa14._domainkey.flickr.com,fa14._domainkey.yahoo.com,TXT 127 k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPdPfyJM2R2GqMyZM1flTzFeDIU+e7KmiKRw5yz3Xht+cgEIiHmm5lIGBuWCc5rtiy0CcxePpqccPKjn TXT 98 HSrDI23PU+HOuqJ6ergE1IOsL6LOEgG6YT53vMb8Z6UiBSsYPlrDEC+8CUIkTLMLXJauRK5bNRKV1ATGzGFpf3TjZtWwIDAQAB 900.000000,900.000000,7200.000000 F
-#close 2014-04-24-23-33-57
+1398382067.286885 CXWv6p3arKYeMETxOg 192.150.187.50 51946 68.142.255.16 53 udp 28079 flkr._domainkey.flickr.com - - - - 0 NOERROR T F F F 0 fa14._domainkey.flickr.com,fa14._domainkey.yahoo.com,TXT 127 k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPdPfyJM2R2GqMyZM1flTzFeDIU+e7KmiKRw5yz3Xht+cgEIiHmm5lIGBuWCc5rtiy0CcxePpqccPKjn TXT 98 HSrDI23PU+HOuqJ6ergE1IOsL6LOEgG6YT53vMb8Z6UiBSsYPlrDEC+8CUIkTLMLXJauRK5bNRKV1ATGzGFpf3TjZtWwIDAQAB 900.000000,900.000000,7200.000000 F
+#close 2015-03-19-15-44-24
diff --git a/testing/btest/Traces/dns53.pcap b/testing/btest/Traces/dns53.pcap
new file mode 100644
index 0000000000..2d97acad74
Binary files /dev/null and b/testing/btest/Traces/dns53.pcap differ
diff --git a/testing/btest/scripts/base/protocols/dns/flip.bro b/testing/btest/scripts/base/protocols/dns/flip.bro
new file mode 100644
index 0000000000..66987ee27d
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/dns/flip.bro
@@ -0,0 +1,3 @@
+# @TEST-EXEC: bro -r $TRACES/dns53.pcap
+# @TEST-EXEC: btest-diff dns.log
+# If the DNS reply is seen first, should be able to correctly set orig/resp.