BIT-788: use DNS QR field to better identify flow direction.

scripts/base/protocols/dns/main.bro

@@ -305,6 +305,9 @@ hook DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string)
 
 	if ( ans$answer_type == DNS_ANS )
 		{
+		if ( ! c$dns?$query )
+			c$dns$query = ans$query;
+
 		c$dns$AA    = msg$AA;
 		c$dns$RA    = msg$RA;
 

src/analyzer/protocol/dns/DNS.cc

@@ -19,6 +19,7 @@ using namespace analyzer::dns;
 DNS_Interpreter::DNS_Interpreter(analyzer::Analyzer* arg_analyzer)
 	{
 	analyzer = arg_analyzer;
+	first_message = true;
 	}
 
 int DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query)
@@ -33,6 +34,16 @@ int DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query)
 
 	DNS_MsgInfo msg((DNS_RawMsgHdr*) data, is_query);
 
+	if ( first_message && msg.QR && is_query == 1 )
+		{
+		is_query = msg.is_query = 0;
+
+		if ( ! analyzer->Conn()->RespAddr().IsMulticast() )
+			analyzer->Conn()->FlipRoles();
+		}
+
+	first_message = false;
+
 	if ( dns_message )
 		{
 		val_list* vl = new val_list();
@@ -1064,7 +1075,8 @@ void Contents_DNS::Flush()
 	{
 	if ( buf_n > 0 )
 		{ // Deliver partial message.
-		interp->ParseMessage(msg_buf, buf_n, true);
+		// '2' here means whether it's a query is unknown.
+		interp->ParseMessage(msg_buf, buf_n, 2);
 		msg_size = 0;
 		}
 	}

src/analyzer/protocol/dns/DNS.h

@@ -220,6 +220,7 @@ protected:
 					BroString* question_name);
 
 	analyzer::Analyzer* analyzer;
+	bool first_message;
 };
 
 

testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/dns.log

@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	dns
-#open	2014-01-28-14-58-56
+#open	2015-03-19-15-44-23
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
 #types	time	string	addr	port	addr	port	enum	count	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
 1363716396.798072	CXWv6p3arKYeMETxOg	55.247.223.174	27285	222.195.43.124	53	udp	21140	www.cmu.edu	1	C_INTERNET	1	A	0	NOERROR	T	F	F	F	1	www-cmu.andrew.cmu.edu,<unknown type=46>,www-cmu-2.andrew.cmu.edu,128.2.10.163	86400.000000,86400.000000,5.000000,21600.000000	F
-1363716396.798374	CXWv6p3arKYeMETxOg	55.247.223.174	27285	222.195.43.124	53	udp	21140	-	-	-	-	-	0	NOERROR	T	F	F	F	0	www-cmu.andrew.cmu.edu,<unknown type=46>,www-cmu-2.andrew.cmu.edu,128.2.10.163	86400.000000,86400.000000,5.000000,21600.000000	F
-#close	2014-01-28-14-58-56
+1363716396.798374	CXWv6p3arKYeMETxOg	55.247.223.174	27285	222.195.43.124	53	udp	21140	www.cmu.edu	-	-	-	-	0	NOERROR	T	F	F	F	0	www-cmu.andrew.cmu.edu,<unknown type=46>,www-cmu-2.andrew.cmu.edu,128.2.10.163	86400.000000,86400.000000,5.000000,21600.000000	F
+#close	2015-03-19-15-44-23

testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/weird.log

@@ -3,10 +3,10 @@
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2015-03-18-17-30-43
+#open	2015-03-19-15-44-23
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
 1363716396.798286	CXWv6p3arKYeMETxOg	55.247.223.174	27285	222.195.43.124	53	DNS_RR_unknown_type	46	F	bro
 1363716396.798374	CXWv6p3arKYeMETxOg	55.247.223.174	27285	222.195.43.124	53	dns_unmatched_reply	-	F	bro
 1363716396.798374	-	-	-	-	-	dns_unmatched_msg	-	F	bro
-#close	2015-03-18-17-30-44
+#close	2015-03-19-15-44-23

testing/btest/Baseline/scripts.base.protocols.dns.flip/dns.log

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	dns
+#open	2015-03-19-16-50-45
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
+#types	time	string	addr	port	addr	port	enum	count	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
+964953086.310131	CXWv6p3arKYeMETxOg	10.20.1.31	53	207.158.192.40	53	udp	25701	us.v27.distributed.net	-	-	-	-	0	NOERROR	T	F	F	T	0	206.109.64.186,216.1.205.81,205.149.163.211,134.53.131.135,134.53.131.192,128.104.18.148,204.152.186.139,63.77.33.226	900.000000,900.000000,900.000000,900.000000,900.000000,900.000000,900.000000,900.000000	F
+#close	2015-03-19-16-50-45

testing/btest/Baseline/scripts.base.protocols.dns.multiple-txt-strings/dns.log

@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	dns
-#open	2014-04-24-23-33-57
+#open	2015-03-19-15-44-24
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
 #types	time	string	addr	port	addr	port	enum	count	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
-1398382067.286885	CXWv6p3arKYeMETxOg	192.150.187.50	51946	68.142.255.16	53	udp	28079	-	-	-	-	-	0	NOERROR	T	F	F	F	0	fa14._domainkey.flickr.com,fa14._domainkey.yahoo.com,TXT 127 k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPdPfyJM2R2GqMyZM1flTzFeDIU+e7KmiKRw5yz3Xht+cgEIiHmm5lIGBuWCc5rtiy0CcxePpqccPKjn TXT 98 HSrDI23PU+HOuqJ6ergE1IOsL6LOEgG6YT53vMb8Z6UiBSsYPlrDEC+8CUIkTLMLXJauRK5bNRKV1ATGzGFpf3TjZtWwIDAQAB	900.000000,900.000000,7200.000000	F
-#close	2014-04-24-23-33-57
+1398382067.286885	CXWv6p3arKYeMETxOg	192.150.187.50	51946	68.142.255.16	53	udp	28079	flkr._domainkey.flickr.com	-	-	-	-	0	NOERROR	T	F	F	F	0	fa14._domainkey.flickr.com,fa14._domainkey.yahoo.com,TXT 127 k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPdPfyJM2R2GqMyZM1flTzFeDIU+e7KmiKRw5yz3Xht+cgEIiHmm5lIGBuWCc5rtiy0CcxePpqccPKjn TXT 98 HSrDI23PU+HOuqJ6ergE1IOsL6LOEgG6YT53vMb8Z6UiBSsYPlrDEC+8CUIkTLMLXJauRK5bNRKV1ATGzGFpf3TjZtWwIDAQAB	900.000000,900.000000,7200.000000	F
+#close	2015-03-19-15-44-24

testing/btest/scripts/base/protocols/dns/flip.bro

@@ -0,0 +1,3 @@
+# @TEST-EXEC: bro -r $TRACES/dns53.pcap
+# @TEST-EXEC: btest-diff dns.log
+# If the DNS reply is seen first, should be able to correctly set orig/resp.