Raise warnings when for DNS events that are not raised due to dns_skip_all_addl

By default, dns_skip_all_addl is set to false. This causes several events to not be raised. This change emits warnings when a user defines event handlers for events that will not be raised. Furthermore, it adds notes about this behavior to the documentation. We also introduce a new BIF, `is_event_handled`, which checks if an event is handled. Fixes GH-4061
2025-10-02 06:38:20 +00:00 · 2025-01-07 17:46:27 +00:00 · 2025-01-07 17:46:27 +00:00 · 9f72353a41
commit 9f72353a41
parent 87d9ecb743
7 changed files with 106 additions and 3 deletions
--- a/scripts/base/protocols/dns/load.zeek
+++ b/scripts/base/protocols/dns/load.zeek
@ -1,2 +1,3 @@
@load ./consts
@load ./main
+@load ./check-event-handlers
--- a/scripts/base/protocols/dns/check-event-handlers.zeek
+++ b/scripts/base/protocols/dns/check-event-handlers.zeek
@ -0,0 +1,19 @@
+##! This script checks if DNS event handlers that will not be raised
+##! are used and raises a warning in those cases.
+
+module DNS;
+
+event zeek_init() &priority=20
+	{
+	if ( ! dns_skip_all_addl )
+		return;
+
+	local addl_functions = ["dns_TSIG_addl", "dns_EDNS_addl", "dns_EDNS_ecs", "dns_EDNS_tcp_keepalive", "dns_EDNS_cookie"];
+
+	for ( event_name in addl_functions )
+		if ( is_event_handled(event_name) )
+			Reporter::warning(fmt("Used event '%s' will not be raised because 'dns_skip_all_addl' is true", event_name));
+
+	if ( is_event_handled("dns_TKEY") )
+		Reporter::warning("Used event 'dns_TKEY' will not contain any data in 'ans' because 'dns_skip_all_addl' is true");
+	}
--- a/src/analyzer/protocol/dns/events.bif
+++ b/src/analyzer/protocol/dns/events.bif
@ -496,6 +496,11 @@ event dns_unknown_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
 ##
 ## ans: The parsed EDNS reply.
 ##
+## .. note::
+##
+##      Note that this event will only be raised if ``dns_skip_all_addl``
+##      is set to false.
+##
 ## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_HINFO_reply dns_MX_reply
 ##    dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
 ##    dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_mapping_altered
@ -519,6 +524,11 @@ event dns_EDNS_addl%(c: connection, msg: dns_msg, ans: dns_edns_additional%);
 ##
 ## opt: The parsed EDNS option.
 ##
+## .. note::
+##
+##      Note that this event will only be raised if ``dns_skip_all_addl``
+##      is set to false.
+##
 ## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_HINFO_reply dns_MX_reply
 ##    dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
 ##    dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_mapping_altered
@ -544,6 +554,11 @@ event dns_EDNS_ecs%(c: connection, msg: dns_msg, opt: dns_edns_ecs%);
 ##
 ## opt: The parsed EDNS Keepalive option.
 ##
+## .. note::
+##
+##      Note that this event will only be raised if ``dns_skip_all_addl``
+##      is set to false.
+##
 ## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_HINFO_reply dns_MX_reply
 ##    dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
 ##    dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_mapping_altered
@ -569,6 +584,11 @@ event dns_EDNS_tcp_keepalive%(c: connection, msg: dns_msg, opt: dns_edns_tcp_kee
 ##
 ## opt: The parsed EDNS Cookie option.
 ##
+## .. note::
+##
+##      Note that this event will only be raised if ``dns_skip_all_addl``
+##      is set to false.
+##
 ## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_HINFO_reply dns_MX_reply
 ##    dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
 ##    dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_mapping_altered
@ -592,6 +612,11 @@ event dns_EDNS_cookie%(c: connection, msg: dns_msg, opt: dns_edns_cookie%);
 ##
 ## ans: The parsed TKEY reply.
 ##
+## .. note::
+##
+##      Note that ``ans`` will only be populated if ``dns_skip_all_addl``
+##      is set to false.
+##
 ## .. zeek:see:: dns_TSIG_addl
 event dns_TKEY%(c: connection, msg: dns_msg, ans: dns_tkey%);

@ -608,6 +633,11 @@ event dns_TKEY%(c: connection, msg: dns_msg, ans: dns_tkey%);
 ## msg: The parsed DNS message header.
 ##
 ## ans: The parsed TSIG reply.
+#
+## .. note::
+##
+##      Note that this event will only be raised if ``dns_skip_all_addl``
+##      is set to false.
 ##
 ## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
 ##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
--- a/src/zeek.bif
+++ b/src/zeek.bif
@ -5015,6 +5015,22 @@ function generate_all_events%(%) : bool
 	return zeek::val_mgr->True();
 	%}

+## Check if an event is handled. Typically this means that a script defines an event.
+## This currently is mainly used to warn when events are defined that will not be used
+## in certain conditions.
+##
+## event_name: event name to check
+##
+## returns: true if the named event is handled.
+function is_event_handled%(event_name: string%) : bool
+	%{
+	auto *h = event_registry->Lookup(event_name->ToStdStringView());
+	if ( h && *h )
+		return zeek::val_mgr->True();
+
+	return zeek::val_mgr->False();
+	%}
+
 %%{
 // Autogenerated from CMake bif_target()
 #include "__all__.bif.cc"
--- a/testing/btest/Baseline/scripts.base.protocols.dns.event-handler-warning/.stderr
+++ b/testing/btest/Baseline/scripts.base.protocols.dns.event-handler-warning/.stderr
@ -0,0 +1,6 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+warning in <...>/check-event-handlers.zeek, line 15: Used event 'dns_EDNS_tcp_keepalive' will not be raised because 'dns_skip_all_addl' is true
+warning in <...>/check-event-handlers.zeek, line 15: Used event 'dns_EDNS_cookie' will not be raised because 'dns_skip_all_addl' is true
+warning in <...>/check-event-handlers.zeek, line 15: Used event 'dns_EDNS_ecs' will not be raised because 'dns_skip_all_addl' is true
+warning in <...>/check-event-handlers.zeek, line 15: Used event 'dns_EDNS_addl' will not be raised because 'dns_skip_all_addl' is true
+warning in <...>/check-event-handlers.zeek, line 18: Used event 'dns_TKEY' will not contain any data in 'ans' because 'dns_skip_all_addl' is true
--- a/testing/btest/scripts/base/protocols/dns/event-handler-warning.zeek
+++ b/testing/btest/scripts/base/protocols/dns/event-handler-warning.zeek
@ -0,0 +1,31 @@
+# Check that warnings are for events that will not be raised
+
+# @TEST-EXEC: zeek -b %INPUT
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff .stderr
+
+@load base/protocols/dns
+
+event dns_EDNS_addl(c: connection, msg: dns_msg, ans: dns_edns_additional)
+	{
+	print "";
+	}
+
+event dns_EDNS_ecs(c: connection, msg: dns_msg, opt: dns_edns_ecs)
+	{
+	print "";
+	}
+
+event dns_EDNS_tcp_keepalive(c: connection, msg: dns_msg, opt: dns_edns_tcp_keepalive)
+	{
+	print "";
+	}
+
+event dns_EDNS_cookie(c: connection, msg: dns_msg, opt: dns_edns_cookie)
+	{
+	print "";
+	}
+
+event dns_TKEY(c: connection, msg: dns_msg, ans: dns_tkey)
+	{
+	print "";
+	}