diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek index 07aeece67d..4532401717 100644 --- a/scripts/base/init-bare.zeek +++ b/scripts/base/init-bare.zeek @@ -2861,7 +2861,7 @@ global pkt_profile_file: file &redef; ## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl ## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply ## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end -## dns_message dns_query_reply dns_rejected dns_request +## dns_message dns_query_reply dns_rejected dns_request dns_dynamic_update type dns_msg: record { id: count; ##< Transaction ID. @@ -2877,10 +2877,12 @@ type dns_msg: record { AD: bool; ##< authentic data CD: bool; ##< checking disabled - num_queries: count; ##< Number of query records. - num_answers: count; ##< Number of answer records. - num_auth: count; ##< Number of authoritative records. + num_queries: count; ##< Number of query records. For dynamic update messages, this is the number of zones. + num_answers: count; ##< Number of answer records. For dynamic update messages, this is the number of prerequisites. + num_auth: count; ##< Number of authoritative records. For dynamic update messages, this is the number of updates. num_addl: count; ##< Number of additional records. + + is_netbios: bool; ##< Whether this message came from NetBIOS. }; ## A DNS SOA record. diff --git a/scripts/base/protocols/dns/consts.zeek b/scripts/base/protocols/dns/consts.zeek index e39b315c07..32f7aa8934 100644 --- a/scripts/base/protocols/dns/consts.zeek +++ b/scripts/base/protocols/dns/consts.zeek 
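Review bot: `is_netbios` is added to `dns_msg` with no `&optional` or `&default`, so it becomes a required field, and any script outside this patch that builds a `dns_msg` value itself would presumably fail on the missing field. If that compatibility matters, `is_netbios: bool &default=F; ##< Whether this message came from NetBIOS.` keeps such scripts working while the analyzer still sets the field explicitly. The record definition starts above the hunk.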
@@ -194,4 +194,25 @@ export { [5] = "ech", [6] = "ipv6hint", } &default = function(n: count): string { return fmt("key-%d", n); }; + + ## Mapping of DNS operation type codes to human readable string representation. + const opcodes = { + [0] = "query", + [1] = "iquery", + [2] = "server-status", + [4] = "notify", + [5] = "dynamic-update", + [6] = "dso", + } &default = function(n: count): string { return fmt("opcode-%d", n); }; + + ## Mapping of DNS operation type codes to human readable string representation for + ## NetBIOS Name Service (NBNS) queries. These codes are defined in + ## https://datatracker.ietf.org/doc/html/rfc1002#section-4.2.1.1 + const netbios_opcodes = { + [0] = "netbios-query", + [5] = "netbios-registration", + [6] = "netbios-release", + [7] = "netbios-wack", + [8] = "netbios-refresh", + } &default = function(n: count): string { return fmt("netbios-opcode-%d", n); }; } diff --git a/scripts/base/protocols/dns/main.zeek b/scripts/base/protocols/dns/main.zeek index 4ae48baaac..f39ec925b6 100644 --- a/scripts/base/protocols/dns/main.zeek +++ b/scripts/base/protocols/dns/main.zeek @@ -71,6 +71,10 @@ export { TTLs: vector of interval &log &optional; ## The DNS query was rejected by the server. rejected: bool &log &default=F; + ## The opcode value of the DNS request/response. + opcode: count &log &optional; + ## A descriptive string for the opcode. + opcode_name: string &log &optional; ## The total number of resource records in a reply message's ## answer section. 
@@ -343,11 +347,17 @@ hook set_session(c: connection, msg: dns_msg, is_query: bool) &priority=5 if ( msg$rcode != 0 && msg$num_queries == 0 ) c$dns$rejected = T; } + + c$dns$opcode = msg$opcode; + if ( msg$is_netbios ) + c$dns$opcode_name = netbios_opcodes[msg$opcode]; + else + c$dns$opcode_name = opcodes[msg$opcode]; } event dns_message(c: connection, is_orig: bool, msg: dns_msg, len: count) &priority=5 { - if ( msg$opcode != 0 ) + if ( msg$opcode != 0 && msg$opcode != 5 ) # Currently only standard queries are tracked. return; diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc index 027c568550..e09a178023 100644 --- a/src/analyzer/protocol/dns/DNS.cc +++ b/src/analyzer/protocol/dns/DNS.cc @@ -74,13 +74,13 @@ void DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query) { auto opcode = static_cast((flags & 0x7800) >> 11); // NetBIOS registration and release messages look like regular DNS requests, so parse them as such - if ( opcode != DNS_OP_QUERY && ! is_netbios ) { + if ( opcode != DNS_OP_QUERY && opcode != DNS_OP_DYNAMIC_UPDATE && ! is_netbios ) { analyzer->Weird("DNS_unknown_opcode", util::fmt("%d", opcode)); analyzer->Conn()->CheckHistory(zeek::session::detail::HIST_UNKNOWN_PKT, 'X'); return; } - detail::DNS_MsgInfo msg(hdr, is_query); + detail::DNS_MsgInfo msg(hdr, is_query, is_netbios); if ( first_message && msg.QR && is_query == 1 ) { is_query = 0; @@ -98,7 +98,7 @@ void DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query) { // There is a great deal of non-DNS traffic that runs on port 53. // This should weed out most of it. - if ( zeek::detail::dns_max_queries > 0 && msg.qdcount > zeek::detail::dns_max_queries ) { + if ( zeek::detail::dns_max_queries > 0 && msg.qd_zo_count > zeek::detail::dns_max_queries ) { analyzer->AnalyzerViolation("DNS_Conn_count_too_large"); analyzer->Weird("DNS_Conn_count_too_large"); EndMessage(&msg); 
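Review bot: The comment under the new opcode test in `dns_message` still says only standard queries are tracked, and the bare `5` also matches NetBIOS registration, which shares that opcode value (see `netbios_opcodes`). If only RFC 2136 updates are meant to reach dns.log through this handler, the test could be `if ( msg$opcode != 0 && (msg$opcode != 5 || msg$is_netbios) )`. Either way the comment should say what is now tracked, for example `# Only standard queries and dynamic updates (opcode 5) are tracked.` The handler body continues outside the hunk.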
@@ -110,26 +110,73 @@ void DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query) { data += hdr_len; len -= hdr_len; - if ( ! ParseQuestions(&msg, data, len, msg_start) ) { - EndMessage(&msg); - return; - } + if ( msg.is_dynamic_update ) { + if ( msg.qd_zo_count != 1 ) { + // dynamic update events should only have a single zone in them. + analyzer->Weird("DNS_DU_invalid_zone_count", util::fmt("%d", msg.qd_zo_count)); + EndMessage(&msg); + return; + } - if ( ! ParseAnswers(&msg, msg.ancount, detail::DNS_ANSWER, data, len, msg_start) ) { - EndMessage(&msg); - return; + // Dynamic update looks like this: + // 1. A single "zone" that is just the first three fields of an SOA RR. It's + // required to be an SOA, so a weird is returned if not. + // 2. Zero or more "prerequisite" RRs that are required to be true in the zone + // before updates take place. + // 3. Zero or more "update" RRs that are the updates to be made to the zone. + // 4. Zero or more "additional" RRs that are unrelated to the updates. These are + // handled same to the other additional RRs with other op codes. + if ( ! ParseAnswerHeader(&msg, data, len, msg_start) ) { + EndMessage(&msg); + return; + } + + if ( msg.atype != detail::TYPE_SOA ) { + analyzer->Weird("DNS_DU_incorrect_zone_type"); + return; + } + + StringValPtr zname = msg.query_name; + uint32_t zclass = msg.aclass; + + if ( ! ParseAnswers(&msg, msg.an_pr_count, detail::DNS_PREREQUISITES, data, len, msg_start) ) { + EndMessage(&msg); + return; + } + + if ( ! ParseAnswers(&msg, msg.ns_up_count, detail::DNS_UPDATES, data, len, msg_start) ) { + EndMessage(&msg); + return; + } + + // Send an event if the first three parts parsed correctly, since they're the + // actual update bits. + if ( dns_dynamic_update ) + analyzer->EnqueueConnEvent(dns_dynamic_update, analyzer->ConnVal(), msg.BuildHdrVal(), zname, + val_mgr->Count(zclass)); + } + else { + if ( ! 
ParseQuestions(&msg, data, len, msg_start) ) { + EndMessage(&msg); + return; + } + + if ( ! ParseAnswers(&msg, msg.an_pr_count, detail::DNS_ANSWER, data, len, msg_start) ) { + EndMessage(&msg); + return; + } } analyzer->AnalyzerConfirmation(); bool skip_auth = (zeek::detail::dns_skip_all_auth != 0); bool skip_addl = (zeek::detail::dns_skip_all_addl != 0); - if ( msg.ancount > 0 ) { // We did an answer, so can potentially skip auth/addl. + if ( msg.an_pr_count > 0 ) { // We did an answer, so can potentially skip auth/addl. static auto dns_skip_auth = id::find_val("dns_skip_auth"); static auto dns_skip_addl = id::find_val("dns_skip_addl"); auto server = make_intrusive(analyzer->Conn()->RespAddr()); - skip_auth = skip_auth || msg.nscount == 0 || dns_skip_auth->FindOrDefault(server); + skip_auth = skip_auth || msg.ns_up_count == 0 || dns_skip_auth->FindOrDefault(server); skip_addl = skip_addl || msg.arcount == 0 || dns_skip_addl->FindOrDefault(server); } @@ -139,10 +186,13 @@ void DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query) { return; } - msg.skip_event = skip_auth; - if ( ! ParseAnswers(&msg, msg.nscount, detail::DNS_AUTHORITY, data, len, msg_start) ) { - EndMessage(&msg); - return; + // Dynamic update doesn't have an authority section. + if ( ! msg.is_dynamic_update ) { + msg.skip_event = skip_auth; + if ( ! ParseAnswers(&msg, msg.ns_up_count, detail::DNS_AUTHORITY, data, len, msg_start) ) { + EndMessage(&msg); + return; + } } if ( skip_addl ) { @@ -166,7 +216,7 @@ void DNS_Interpreter::EndMessage(detail::DNS_MsgInfo* msg) { } bool DNS_Interpreter::ParseQuestions(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, const u_char* msg_start) { - int n = msg->qdcount; + int n = msg->qd_zo_count; while ( n > 0 && ParseQuestion(msg, data, len, msg_start) ) --n; 
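Review bot: The `msg.atype != detail::TYPE_SOA` branch in the dynamic-update path returns without calling `EndMessage(&msg)`, while every other early exit in this block calls it first. A message with a malformed zone section therefore presumably skips the end-of-message handling that other rejected messages get, which leaves a gap in what scripts see for exactly the traffic that looks wrong. Suggest `analyzer->Weird("DNS_DU_incorrect_zone_type"); EndMessage(&msg); return;`. ParseMessage starts and ends outside the hunk.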
@@ -201,7 +251,7 @@ bool DNS_Interpreter::ParseQuestion(detail::DNS_MsgInfo* msg, const u_char*& dat if ( msg->QR == 0 ) dns_event = dns_request; - else if ( msg->QR == 1 && msg->ancount == 0 && msg->nscount == 0 && msg->arcount == 0 ) + else if ( msg->QR == 1 && msg->an_pr_count == 0 && msg->ns_up_count == 0 && msg->arcount == 0 ) // Service rejected in some fashion, and it won't be reported // via a returned RR because there aren't any. dns_event = dns_rejected; @@ -229,7 +279,8 @@ bool DNS_Interpreter::ParseQuestion(detail::DNS_MsgInfo* msg, const u_char*& dat return true; } -bool DNS_Interpreter::ParseAnswer(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, const u_char* msg_start) { +bool DNS_Interpreter::ParseAnswerHeader(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, + const u_char* msg_start) { u_char name[513]; int name_len = sizeof(name) - 1; @@ -249,6 +300,14 @@ bool DNS_Interpreter::ParseAnswer(detail::DNS_MsgInfo* msg, const u_char*& data, msg->query_name = make_intrusive(new String(name, name_end - name, true)); msg->atype = static_cast(ExtractShort(data, len)); msg->aclass = ExtractShort(data, len); + + return true; +} + +bool DNS_Interpreter::ParseAnswer(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, const u_char* msg_start) { + if ( ! ParseAnswerHeader(msg, data, len, msg_start) ) + return false; + msg->ttl = ExtractLong(data, len); auto rdlength = ExtractShort(data, len); 
@@ -256,7 +315,24 @@ bool DNS_Interpreter::ParseAnswer(detail::DNS_MsgInfo* msg, const u_char*& data, analyzer->Weird("DNS_truncated_RR_rdlength_lt_len"); return false; } - else if ( rdlength == 0 && len > 0 ) { + + if ( msg->is_dynamic_update ) { + // Read length and ttl can both be zero for dynamic updates, but only if the class is ANY or NONE. + if ( rdlength == 0 && msg->aclass != DNS_CLASS_ANY && msg->aclass != DNS_CLASS_NONE ) { + analyzer->Weird("DNS_zero_rdlength_update"); + return false; + } + else if ( msg->ttl == 0 && msg->aclass != DNS_CLASS_ANY && msg->aclass != DNS_CLASS_NONE ) { + analyzer->Weird("DNS_zero_ttl_update"); + return false; + } + } + + if ( rdlength == 0 && len > 0 ) { + if ( msg->is_dynamic_update ) + // See above for when this isn't allowed. + return true; + analyzer->Weird("DNS_zero_rdlength"); return false; } @@ -392,6 +468,7 @@ bool DNS_Interpreter::ExtractLabel(const u_char*& data, int& len, u_char*& name, // Found terminating label. return false; + // If the label length is 0xc0, this is a pointer to another spot in the packet data. if ( (label_len & 0xc0) == 0xc0 ) { auto offset = (label_len & ~0xc0) << 8; @@ -422,6 +499,7 @@ bool DNS_Interpreter::ExtractLabel(const u_char*& data, int& len, u_char*& name, name_len -= name_end - name; name = name_end; + // Returning false here causes the loop in ExtractName to exit. return false; } @@ -1789,7 +1867,8 @@ void DNS_Interpreter::SendReplyOrRejectEvent(detail::DNS_MsgInfo* msg, EventHand val_mgr->Count(qtype), val_mgr->Count(qclass), make_intrusive(original_name)); } -DNS_MsgInfo::DNS_MsgInfo(DNS_RawMsgHdr* hdr, bool arg_is_query) : is_query(arg_is_query) { +DNS_MsgInfo::DNS_MsgInfo(DNS_RawMsgHdr* hdr, bool arg_is_query, bool arg_is_netbios) + : is_query(arg_is_query), is_netbios(arg_is_netbios) { // ### Need to fix alignment if hdr is misaligned (not on a short boundary). uint16_t flags = ntohs(hdr->flags); 
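Review bot: The `msg->ttl == 0` branch in the dynamic-update block of `ParseAnswer` rejects any record whose class is neither ANY nor NONE, but as I read RFC 2136 section 2.4.2 a value-dependent prerequisite carries the zone's own class with TTL 0, and an added RR may also have TTL 0. Such a message would raise `DNS_zero_ttl_update` and return false, which, if `ParseAnswers` propagates the failure, drops a valid update before `dns_dynamic_update` is raised. Consider removing the `else if ( msg->ttl == 0 && ... )` branch, or keeping the weird but not returning false. The comment's "Read length" presumably means RDLENGTH and would be clearer as `// RDLENGTH and TTL can both be zero ...`. The function body continues outside the hunk.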
@@ -1804,12 +1883,13 @@ DNS_MsgInfo::DNS_MsgInfo(DNS_RawMsgHdr* hdr, bool arg_is_query) : is_query(arg_i CD = (flags & 0x0010) >> 4; rcode = (flags & 0x000f); - qdcount = ntohs(hdr->qdcount); - ancount = ntohs(hdr->ancount); - nscount = ntohs(hdr->nscount); + qd_zo_count = ntohs(hdr->qd_zo_count); + an_pr_count = ntohs(hdr->an_pr_count); + ns_up_count = ntohs(hdr->ns_up_count); arcount = ntohs(hdr->arcount); id = ntohs(hdr->id); + is_dynamic_update = (opcode == DNS_OP_DYNAMIC_UPDATE && ! is_netbios); } RecordValPtr DNS_MsgInfo::BuildHdrVal() { @@ -1827,10 +1907,11 @@ RecordValPtr DNS_MsgInfo::BuildHdrVal() { r->Assign(8, Z); r->Assign(9, static_cast(AD)); r->Assign(10, static_cast(CD)); - r->Assign(11, qdcount); - r->Assign(12, ancount); - r->Assign(13, nscount); + r->Assign(11, qd_zo_count); + r->Assign(12, an_pr_count); + r->Assign(13, ns_up_count); r->Assign(14, arcount); + r->Assign(15, is_netbios); return r; } diff --git a/src/analyzer/protocol/dns/DNS.h b/src/analyzer/protocol/dns/DNS.h index 27da813cfc..e86d7c6f55 100644 --- a/src/analyzer/protocol/dns/DNS.h +++ b/src/analyzer/protocol/dns/DNS.h @@ -15,6 +15,10 @@ enum DNS_Opcode : uint8_t { // DNS_OP_SERVER_STATUS = 3, ///< server status request DNS_OP_SERVER_STATUS = 2, ///< server status request + DNS_OP_NOTIFY = 4, ///< RFC 1996 + DNS_OP_DYNAMIC_UPDATE = 5, ///< RFC 2136 + DNS_OP_DSO = 6, ///< RFC 8490 + // Netbios operations (query = 0). NETBIOS_REGISTRATION = 5, NETBIOS_RELEASE = 6, 
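Review bot: In `DNS_Opcode`, the new `DNS_OP_DYNAMIC_UPDATE = 5` and `DNS_OP_DSO = 6` have the same values as the existing `NETBIOS_REGISTRATION` and `NETBIOS_RELEASE`, so a comparison against either name is true for both protocols and a `switch` cannot list both. The code in this patch guards with `! is_netbios`, but nothing in the enum tells a later reader that this is required. A comment above the new enumerators would help, for example `// Values 5 and 6 alias the NetBIOS opcodes below; check is_netbios before comparing.` The enum definition starts and ends outside the hunk.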
@@ -29,6 +33,11 @@ enum DNS_Code : uint16_t { DNS_CODE_NAME_ERR = 3, ///< no such domain DNS_CODE_NOT_IMPL = 4, ///< not implemented DNS_CODE_REFUSED = 5, ///< refused + DNS_CODE_YXDOMAIN = 6, ///< name exists when it should not (RFC 2136) + DNS_CODE_YXRRSET = 7, ///< rr set exists when it should not (RFC 2136) + DNS_CODE_NXRRSET = 8, ///< rr set that should exist does not (RFC 2136) + DNS_CODE_NOTAUTH = 9, ///< server not authoritative for zone (RFC 2136), or not authorized (RFC 8945) + DNS_CODE_NOT_ZONE = 10, ///< name not contained in zone (RFC 2136) DNS_CODE_RESERVED = 65535, ///< Force clang-tidy to accept this enum being 16 bits }; @@ -83,6 +92,7 @@ enum RR_Type : uint16_t { enum DNS_Class : uint16_t { DNS_CLASS_IN = 1, + DNS_CLASS_NONE = 254, ///< RFC2136 DNS_CLASS_ANY = 255, DNS_CLASS_RESERVED = 65535, ///< Force clang-tidy to accept this enum being 16 bits }; @@ -92,6 +102,8 @@ enum DNS_AnswerType : uint8_t { DNS_ANSWER, DNS_AUTHORITY, DNS_ADDITIONAL, + DNS_PREREQUISITES, + DNS_UPDATES, }; // https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml @@ -162,9 +174,9 @@ enum SVCPARAM_Key : uint8_t { struct DNS_RawMsgHdr { uint16_t id; uint16_t flags; - uint16_t qdcount; - uint16_t ancount; - uint16_t nscount; + uint16_t qd_zo_count; + uint16_t an_pr_count; + uint16_t ns_up_count; uint16_t arcount; }; @@ -282,9 +294,9 @@ struct SVCB_DATA { VectorValPtr svc_params; }; -class DNS_MsgInfo { +class DNS_MsgInfo final { public: - DNS_MsgInfo(DNS_RawMsgHdr* hdr, bool is_query); + DNS_MsgInfo(DNS_RawMsgHdr* hdr, bool is_query, bool is_netbios); RecordValPtr BuildHdrVal(); RecordValPtr BuildAnswerVal(); 
@@ -304,26 +316,28 @@ public: RecordValPtr BuildSVCB_Val(const struct SVCB_DATA&); uint16_t id; - uint8_t opcode; ///< query type, see DNS_Opcode - uint16_t rcode; ///< return code, see DNS_Code - bool QR; ///< query record flag - bool AA; ///< authoritative answer flag - bool TC; ///< truncated - size > 512 bytes for udp - bool RD; ///< recursion desired - bool RA; ///< recursion available - uint8_t Z; ///< 3 bit field (includes AD and CD) - bool AD; ///< authentic data - bool CD; ///< checking disabled - uint16_t qdcount; ///< number of questions - uint16_t ancount; ///< number of answers - uint16_t nscount; ///< number of authority RRs - uint16_t arcount; ///< number of additional RRs - bool is_query = false; ///< whether it came from the session initiator - bool skip_event = false; ///< if true, don't generate corresponding events + uint8_t opcode; ///< query type, see DNS_Opcode + uint16_t rcode; ///< return code, see DNS_Code + bool QR; ///< query record flag + bool AA; ///< authoritative answer flag + bool TC; ///< truncated - size > 512 bytes for udp + bool RD; ///< recursion desired + bool RA; ///< recursion available + uint8_t Z; ///< 3 bit field (includes AD and CD) + bool AD; ///< authentic data + bool CD; ///< checking disabled + uint16_t qd_zo_count; ///< number of questions (or zones for dynamic update) + uint16_t an_pr_count; ///< number of answers (or prerequisites for dynamic update) + uint16_t ns_up_count; ///< number of authority RRs (or updates for dynamic update) + uint16_t arcount; ///< number of additional RRs + bool is_query = false; ///< whether it came from the session initiator + bool skip_event = false; ///< if true, don't generate corresponding events + bool is_dynamic_update = false; ///< whether this message is a dynamic update + bool is_netbios = false; ///< whether this request is from netbios StringValPtr query_name; RR_Type atype = TYPE_ALL; - int aclass = 0; ///< normally = 1, inet + uint16_t aclass = 0; ///< normally = 1, inet 
uint32_t ttl = 0; DNS_AnswerType answer_type = DNS_QUESTION; @@ -337,7 +351,7 @@ public: void Timeout() {} -protected: +private: void EndMessage(detail::DNS_MsgInfo* msg); bool ParseQuestions(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, const u_char* start); @@ -345,6 +359,7 @@ protected: int& len, const u_char* start); bool ParseQuestion(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, const u_char* start); + bool ParseAnswerHeader(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, const u_char* msg_start); bool ParseAnswer(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, const u_char* start); u_char* ExtractName(const u_char*& data, int& len, u_char* label, int label_len, const u_char* msg_start, diff --git a/src/analyzer/protocol/dns/events.bif b/src/analyzer/protocol/dns/events.bif index f9bb501157..c5afb755e6 100644 --- a/src/analyzer/protocol/dns/events.bif +++ b/src/analyzer/protocol/dns/events.bif 
@@ -836,3 +836,16 @@ event dns_HTTPS%(c: connection, msg: dns_msg, ans: dns_answer, https: dns_svcb_r ## dns_rejected dns_request dns_max_queries dns_session_timeout ## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth event dns_end%(c: connection, msg: dns_msg%); + +## Generated for DNS Dynamic Update messages. See `RFC for Dynamic Updates in the Domain Name System (DNS UPDATE) = 0.63. +[id=47952, opcode=5, rcode=0, QR=F, AA=F, TC=F, RD=F, RA=F, Z=0, AD=F, CD=F, num_queries=1, num_answers=1, num_auth=3, num_addl=1, is_netbios=F], stratolab.org, 1, C_INTERNET +[id=47952, opcode=5, rcode=5, QR=T, AA=F, TC=F, RD=F, RA=F, Z=0, AD=F, CD=F, num_queries=1, num_answers=1, num_auth=3, num_addl=1, is_netbios=F], stratolab.org, 1, C_INTERNET +[id=61191, opcode=5, rcode=0, QR=F, AA=F, TC=F, RD=F, RA=F, Z=0, AD=F, CD=F, num_queries=1, num_answers=1, num_auth=3, num_addl=0, is_netbios=F], stratolab.org, 1, C_INTERNET +[id=61191, opcode=5, rcode=0, QR=T, AA=F, TC=F, RD=F, RA=F, Z=0, AD=F, CD=F, num_queries=1, num_answers=1, num_auth=3, num_addl=0, is_netbios=F], stratolab.org, 1, C_INTERNET diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.dynamic-update/weird.log b/testing/btest/Baseline/scripts.base.protocols.dns.dynamic-update/weird.log deleted file mode 100644 index 77bb64abc0..0000000000 --- a/testing/btest/Baseline/scripts.base.protocols.dns.dynamic-update/weird.log +++ /dev/null 
@@ -1,12 +0,0 @@
-### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-#separator \x09
-#set_separator ,
-#empty_field (empty)
-#unset_field -
-#path weird
-#open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source
-#types time string addr port addr port string string bool string string
-XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.1.106 62763 192.168.1.108 53 DNS_unknown_opcode 5 F zeek DNS
-XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.1.105 62763 192.168.1.108 53 DNS_unknown_opcode 5 F zeek DNS
-#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.flip/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.flip/dns.log
index 15cefbf674..eb4c38becb 100644
--- a/testing/btest/Baseline/scripts.base.protocols.dns.flip/dns.log
+++ b/testing/btest/Baseline/scripts.base.protocols.dns.flip/dns.log
@@ -5,7 +5,7 @@ #unset_field - #path dns #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected -#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.20.1.31 53 207.158.192.40 53 udp 25701 - us.v27.distributed.net - - - - 0 NOERROR T F F T 0 206.109.64.186,216.1.205.81,205.149.163.211,134.53.131.135,134.53.131.192,128.104.18.148,204.152.186.139,63.77.33.226 900.000000,900.000000,900.000000,900.000000,900.000000,900.000000,900.000000,900.000000 F +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name +#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.20.1.31 53 207.158.192.40 53 udp 25701 - us.v27.distributed.net - - - - 0 NOERROR T F F T 0 206.109.64.186,216.1.205.81,205.149.163.211,134.53.131.135,134.53.131.192,128.104.18.148,204.152.186.139,63.77.33.226 900.000000,900.000000,900.000000,900.000000,900.000000,900.000000,900.000000,900.000000 F 0 query #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.hinfo/.stdout b/testing/btest/Baseline/scripts.base.protocols.dns.hinfo/.stdout index b8a08b28b6..da0e2191d6 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dns.hinfo/.stdout +++ b/testing/btest/Baseline/scripts.base.protocols.dns.hinfo/.stdout 
@@ -1,2 +1,2 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. -HINFO, [id=51592, opcode=0, rcode=0, QR=T, AA=T, TC=F, RD=T, RA=T, Z=0, AD=F, CD=F, num_queries=1, num_answers=1, num_auth=0, num_addl=1], [answer_type=1, query=zeek.example.net, qtype=13, qclass=1, TTL=1.0 hr], INTEL-386, Windows +HINFO, [id=51592, opcode=0, rcode=0, QR=T, AA=T, TC=F, RD=T, RA=T, Z=0, AD=F, CD=F, num_queries=1, num_answers=1, num_auth=0, num_addl=1, is_netbios=F], [answer_type=1, query=zeek.example.net, qtype=13, qclass=1, TTL=1.0 hr], INTEL-386, Windows diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.loc/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.loc/dns.log index d4fff0319d..bd560524f5 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dns.loc/dns.log +++ b/testing/btest/Baseline/scripts.base.protocols.dns.loc/dns.log 
@@ -5,7 +5,7 @@ #unset_field - #path dns #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected -#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 79.141.82.250 57483 192.188.22.52 53 udp 33295 0.000195 sunn-pt1.es.net 1 C_INTERNET 255 * 0 NOERROR T F F F 0 LOC: 18 21 19,RRSIG 29 es.net 600.000000,600.000000 F +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name +#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 79.141.82.250 57483 192.188.22.52 53 udp 33295 0.000195 sunn-pt1.es.net 1 C_INTERNET 255 * 0 NOERROR T F F F 0 LOC: 18 21 19,RRSIG 29 es.net 600.000000,600.000000 F 0 query #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.multiple-txt-strings/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.multiple-txt-strings/dns.log index 3e281dfacd..6e6ece5232 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dns.multiple-txt-strings/dns.log +++ b/testing/btest/Baseline/scripts.base.protocols.dns.multiple-txt-strings/dns.log 
@@ -5,7 +5,7 @@ #unset_field - #path dns #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected -#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.150.187.50 51946 68.142.255.16 53 udp 28079 - flkr._domainkey.flickr.com - - - - 0 NOERROR T F F F 0 fa14._domainkey.flickr.com,fa14._domainkey.yahoo.com,TXT 127 k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPdPfyJM2R2GqMyZM1flTzFeDIU+e7KmiKRw5yz3Xht+cgEIiHmm5lIGBuWCc5rtiy0CcxePpqccPKjn TXT 98 HSrDI23PU+HOuqJ6ergE1IOsL6LOEgG6YT53vMb8Z6UiBSsYPlrDEC+8CUIkTLMLXJauRK5bNRKV1ATGzGFpf3TjZtWwIDAQAB 900.000000,900.000000,7200.000000 F +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name +#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.150.187.50 51946 68.142.255.16 53 udp 28079 - flkr._domainkey.flickr.com - - - - 0 NOERROR T F F F 0 fa14._domainkey.flickr.com,fa14._domainkey.yahoo.com,TXT 127 k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPdPfyJM2R2GqMyZM1flTzFeDIU+e7KmiKRw5yz3Xht+cgEIiHmm5lIGBuWCc5rtiy0CcxePpqccPKjn TXT 98 HSrDI23PU+HOuqJ6ergE1IOsL6LOEgG6YT53vMb8Z6UiBSsYPlrDEC+8CUIkTLMLXJauRK5bNRKV1ATGzGFpf3TjZtWwIDAQAB 900.000000,900.000000,7200.000000 F 0 query #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.naptr/out b/testing/btest/Baseline/scripts.base.protocols.dns.naptr/out index 978e884e28..3146d6e353 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dns.naptr/out 
+++ b/testing/btest/Baseline/scripts.base.protocols.dns.naptr/out @@ -1,2 +1,2 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. -NAPTR, [id=20970, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, AD=F, CD=F, num_queries=1, num_answers=1, num_auth=0, num_addl=0], [answer_type=1, query=fp-de-carrier-vodafone.rcs.telephony.goog, qtype=35, qclass=1, TTL=2.0 mins 48.0 secs], [order=100, preference=100, flags=s, service=SIPS+D2T, regexp=, replacement=_sips._tcp.fp-de-carrier-vodafone.rcs.telephony.goog] +NAPTR, [id=20970, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, AD=F, CD=F, num_queries=1, num_answers=1, num_auth=0, num_addl=0, is_netbios=F], [answer_type=1, query=fp-de-carrier-vodafone.rcs.telephony.goog, qtype=35, qclass=1, TTL=2.0 mins 48.0 secs], [order=100, preference=100, flags=s, service=SIPS+D2T, regexp=, replacement=_sips._tcp.fp-de-carrier-vodafone.rcs.telephony.goog] diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.nsec/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.nsec/dns.log index 2158ba4db1..17d0935a2e 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dns.nsec/dns.log +++ b/testing/btest/Baseline/scripts.base.protocols.dns.nsec/dns.log 
@@ -5,8 +5,8 @@ #unset_field - #path dns #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected auth addl -#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool set[string] set[string] -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 35.184.172.191 57073 128.175.13.16 53 udp 130 - dla.library.upenn.edu 1 C_INTERNET 28 AAAA 0 NOERROR F F F F 1 - - F RRSIG 47 upenn.edu,RRSIG 6 upenn.edu,NSEC dla.library.upenn.edu dlxssvr.library.upenn.edu,assailants.net.isc.upenn.edu - -XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 35.184.172.191 50693 128.175.13.16 53 udp 51063 0.001515 www.upenn.edu 1 C_INTERNET 1 A 0 NOERROR T F F F 1 www.upenn.edgekey.net,RRSIG 5 upenn.edu 300.000000,300.000000 F - - +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name auth addl +#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string set[string] set[string] +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 35.184.172.191 57073 128.175.13.16 53 udp 130 - dla.library.upenn.edu 1 C_INTERNET 28 AAAA 0 NOERROR F F F F 1 - - F 0 query RRSIG 47 upenn.edu,RRSIG 6 upenn.edu,NSEC dla.library.upenn.edu dlxssvr.library.upenn.edu,assailants.net.isc.upenn.edu - +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 35.184.172.191 50693 128.175.13.16 53 udp 51063 0.001515 www.upenn.edu 1 C_INTERNET 1 A 0 NOERROR T F F F 1 www.upenn.edgekey.net,RRSIG 5 upenn.edu 300.000000,300.000000 F 0 query - - #close XXXX-XX-XX-XX-XX-XX 
diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.nsec3/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.nsec3/dns.log index a28155d58f..a66d5d7039 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dns.nsec3/dns.log +++ b/testing/btest/Baseline/scripts.base.protocols.dns.nsec3/dns.log @@ -5,7 +5,7 @@ #unset_field - #path dns #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected auth addl -#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool set[string] set[string] -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.1.102 49324 192.168.1.1 53 udp 9835 - foobar.sshfp.net 1 C_INTERNET 1 A 3 NXDOMAIN F F T F 2 - - F ns0.weberdns.de,RRSIG 6 sshfp.net,NSEC3,RRSIG 50 sshfp.net - +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name auth addl +#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string set[string] set[string] +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.1.102 49324 192.168.1.1 53 udp 9835 - foobar.sshfp.net 1 C_INTERNET 1 A 3 NXDOMAIN F F T F 2 - - F 0 query ns0.weberdns.de,RRSIG 6 sshfp.net,NSEC3,RRSIG 50 sshfp.net - #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.nsec3param/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.nsec3param/dns.log index ef0bca3662..af633a7b8f 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dns.nsec3param/dns.log +++ b/testing/btest/Baseline/scripts.base.protocols.dns.nsec3param/dns.log 
@@ -5,7 +5,7 @@ #unset_field - #path dns #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected auth addl -#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool set[string] set[string] -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.87.3.18 53540 10.87.1.54 53 udp 15626 0.522010 sshfp.net 1 C_INTERNET 51 NSEC3PARAM 0 NOERROR F F T T 2 NSEC3PARAM 0.000000 F - - +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name auth addl +#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string set[string] set[string] +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.87.3.18 53540 10.87.1.54 53 udp 15626 0.522010 sshfp.net 1 C_INTERNET 51 NSEC3PARAM 0 NOERROR F F T T 2 NSEC3PARAM 0.000000 F 0 query - - #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.rrsig/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.rrsig/dns.log index b00dcbd4f9..b952e2573d 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dns.rrsig/dns.log +++ b/testing/btest/Baseline/scripts.base.protocols.dns.rrsig/dns.log 
@@ -5,10 +5,10 @@ #unset_field - #path dns #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected -#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool -XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 35.184.172.191 10267 128.175.13.16 53 udp 17129 0.003405 virgo.sas.upenn.edu 1 C_INTERNET 1 A 0 NOERROR T F F F 1 128.91.234.142,RRSIG 1 upenn.edu 30.000000,30.000000 F -XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 35.184.172.191 50056 128.175.13.16 53 udp 26222 0.003363 virgo.sas.upenn.edu 1 C_INTERNET 1 A 0 NOERROR T F F F 1 128.91.234.142,RRSIG 1 upenn.edu 30.000000,30.000000 F -XXXXXXXXXX.XXXXXX CtPZjS20MLrsMUOJi2 35.184.172.191 39975 128.175.13.16 53 udp 27118 0.003748 workfamily.sas.upenn.edu 1 C_INTERNET 1 A 0 NOERROR T F F F 1 quasar.sas.upenn.edu,RRSIG 5 upenn.edu,128.91.234.145,RRSIG 1 upenn.edu 900.000000,900.000000,30.000000,30.000000 F -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 35.184.172.191 5386 128.175.13.16 53 udp 62809 - virgo.sas.upenn.edu 1 C_INTERNET 1 A - - F F F F 1 - - F +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name +#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 35.184.172.191 10267 128.175.13.16 53 udp 17129 0.003405 virgo.sas.upenn.edu 1 C_INTERNET 1 A 0 NOERROR T F F F 1 128.91.234.142,RRSIG 1 upenn.edu 30.000000,30.000000 F 0 query +XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 35.184.172.191 50056 128.175.13.16 53 udp 26222 0.003363 virgo.sas.upenn.edu 1 C_INTERNET 1 A 0 NOERROR T F F F 1 128.91.234.142,RRSIG 1 
upenn.edu 30.000000,30.000000 F 0 query +XXXXXXXXXX.XXXXXX CtPZjS20MLrsMUOJi2 35.184.172.191 39975 128.175.13.16 53 udp 27118 0.003748 workfamily.sas.upenn.edu 1 C_INTERNET 1 A 0 NOERROR T F F F 1 quasar.sas.upenn.edu,RRSIG 5 upenn.edu,128.91.234.145,RRSIG 1 upenn.edu 900.000000,900.000000,30.000000,30.000000 F 0 query +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 35.184.172.191 5386 128.175.13.16 53 udp 62809 - virgo.sas.upenn.edu 1 C_INTERNET 1 A - - F F F F 1 - - F 0 query #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.spf/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.spf/dns.log index 0c4eca5dd4..aa5504a159 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dns.spf/dns.log +++ b/testing/btest/Baseline/scripts.base.protocols.dns.spf/dns.log 
@@ -5,7 +5,7 @@ #unset_field - #path dns #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected -#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.91.0.62 57806 10.91.1.59 53 udp 64161 - mail.vladg.net - - - - 0 NOERROR F F F T 0 SPF 19 v=spf1 mx -all test,SPF 14 v=spf1 mx -all 300.000000,300.000000 F +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name +#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.91.0.62 57806 10.91.1.59 53 udp 64161 - mail.vladg.net - - - - 0 NOERROR F F F T 0 SPF 19 v=spf1 mx -all test,SPF 14 v=spf1 mx -all 300.000000,300.000000 F 0 query #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.sshfp/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.sshfp/dns.log index b890435327..9830e5e79f 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dns.sshfp/dns.log +++ b/testing/btest/Baseline/scripts.base.protocols.dns.sshfp/dns.log 
@@ -5,8 +5,8 @@ #unset_field - #path dns #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected -#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 128.3.121.180 54109 192.188.22.52 53 udp 40916 0.000200 mon.lbl.gov 1 C_INTERNET 44 SSHFP 0 NOERROR T F F F 1 SSHFP: a6b95f9eba1104a7272a362e8bfbcbebd5726dcf,SSHFP: 520711b47c300b819cfb696a845007c420de4df30ae3953004b6cfb2bd2c6a46,SSHFP: 5b72c59cceaea2c210f14156e20e6aff829b3e3b,SSHFP: c052721a978470b36fe5b9222f234400f369172b,SSHFP: 0b24d970aa05b708804d35eea3a8c1a6c355e545,SSHFP: 2870056915073c1e189fc7bf04bbce4512be09a0104f64ae3cfa072b8e06dd2b,SSHFP: 562cb91a82129b62ee4fd92ca202a72b844b7e84ac29dec75654453550201e82,SSHFP: c692deb7667ceee670d3e6863b5de7b140fe0ba0183a52f6ccbb4247f7b0ab29,RRSIG 44 lbl.gov 43200.000000,43200.000000,43200.000000,43200.000000,43200.000000,43200.000000,43200.000000,43200.000000,43200.000000 F -XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 128.3.121.180 54109 192.188.22.52 53 udp 22044 - n0019.savio1.lbl.gov 1 C_INTERNET 1 A 3 NXDOMAIN F F F F 0 - - F +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name +#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 128.3.121.180 54109 192.188.22.52 53 udp 40916 0.000200 mon.lbl.gov 1 C_INTERNET 44 SSHFP 0 NOERROR T F F F 1 SSHFP: a6b95f9eba1104a7272a362e8bfbcbebd5726dcf,SSHFP: 520711b47c300b819cfb696a845007c420de4df30ae3953004b6cfb2bd2c6a46,SSHFP: 
5b72c59cceaea2c210f14156e20e6aff829b3e3b,SSHFP: c052721a978470b36fe5b9222f234400f369172b,SSHFP: 0b24d970aa05b708804d35eea3a8c1a6c355e545,SSHFP: 2870056915073c1e189fc7bf04bbce4512be09a0104f64ae3cfa072b8e06dd2b,SSHFP: 562cb91a82129b62ee4fd92ca202a72b844b7e84ac29dec75654453550201e82,SSHFP: c692deb7667ceee670d3e6863b5de7b140fe0ba0183a52f6ccbb4247f7b0ab29,RRSIG 44 lbl.gov 43200.000000,43200.000000,43200.000000,43200.000000,43200.000000,43200.000000,43200.000000,43200.000000,43200.000000 F 0 query +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 128.3.121.180 54109 192.188.22.52 53 udp 22044 - n0019.savio1.lbl.gov 1 C_INTERNET 1 A 3 NXDOMAIN F F F F 0 - - F 0 query #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.tkey/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.tkey/dns.log index 448fe06fb1..8ef367812e 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dns.tkey/dns.log +++ b/testing/btest/Baseline/scripts.base.protocols.dns.tkey/dns.log 
@@ -5,7 +5,7 @@ #unset_field - #path dns #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected -#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.1.106 50138 192.168.1.108 53 tcp 52640 - 1068-ms-7.309-2c6e448.7a9463b8-b109-11ed-26a3-080027f220e5 1 C_INTERNET 249 TKEY 0 NOERROR F F F F 0 - - F +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name +#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.1.106 50138 192.168.1.108 53 tcp 52640 - 1068-ms-7.309-2c6e448.7a9463b8-b109-11ed-26a3-080027f220e5 1 C_INTERNET 249 TKEY 0 NOERROR F F F F 0 - - F 0 query #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.wks/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.wks/dns.log index 5cb0f62ae5..d565677c98 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dns.wks/dns.log +++ b/testing/btest/Baseline/scripts.base.protocols.dns.wks/dns.log 
@@ -5,7 +5,7 @@ #unset_field - #path dns #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected auth addl -#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool set[string] set[string] -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.87.3.18 60059 10.87.1.10 53 udp 63119 0.001993 zeek.example.net 1 C_INTERNET 11 WKS 0 NOERROR T F T T 2 - - F - - +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name auth addl +#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string set[string] set[string] +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.87.3.18 60059 10.87.1.10 53 udp 63119 0.001993 zeek.example.net 1 C_INTERNET 11 WKS 0 NOERROR T F T T 2 - - F 0 query - - #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.zero-responses/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.zero-responses/dns.log index 0dfd8de2e2..3a9e0a6b31 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dns.zero-responses/dns.log +++ b/testing/btest/Baseline/scripts.base.protocols.dns.zero-responses/dns.log 
@@ -5,7 +5,7 @@ #unset_field - #path dns #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected -#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.64 49204 146.186.163.66 53 udp 17323 - psu.edu 1 C_INTERNET 28 AAAA 0 NOERROR F F T F 0 - - F +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name +#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.64 49204 146.186.163.66 53 udp 17323 - psu.edu 1 C_INTERNET 28 AAAA 0 NOERROR F F T F 0 - - F 0 query #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.policy.protocols.dns.original_case/dns.log b/testing/btest/Baseline/scripts.policy.protocols.dns.original_case/dns.log index 9140a273a7..29bf6b8a02 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.dns.original_case/dns.log +++ b/testing/btest/Baseline/scripts.policy.protocols.dns.original_case/dns.log 
@@ -5,7 +5,7 @@ #unset_field - #path dns #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected original_query -#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool string -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.3.138 63374 192.168.3.1 53 udp 20877 - us.v27.distributed.net 1 C_INTERNET 1 A - - F F T F 2 - - F Us.V27.DiStRiBuTeD.NET +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name original_query +#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.3.138 63374 192.168.3.1 53 udp 20877 - us.v27.distributed.net 1 C_INTERNET 1 A - - F F T F 2 - - F 0 query Us.V27.DiStRiBuTeD.NET #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/scripts/base/protocols/dns/dynamic-update.zeek b/testing/btest/scripts/base/protocols/dns/dynamic-update.zeek index 704ee0bb1a..dfc7de0a09 100644 --- a/testing/btest/scripts/base/protocols/dns/dynamic-update.zeek +++ b/testing/btest/scripts/base/protocols/dns/dynamic-update.zeek 
@@ -1,6 +1,12 @@ -# @TEST-DOC: Tests that a DNS dynamic update packet doesn't error but reports an unknown opcode weird -# @TEST-EXEC: zeek -b -C -r $TRACES/dns/dynamic-update.pcap %INPUT -# @TEST-EXEC: btest-diff weird.log +# @TEST-DOC: Tests that a DNS dynamic update packet is processed. +# @TEST-EXEC: zeek -b -C -r $TRACES/dns/dynamic-update.pcap %INPUT >out 2>&1 +# @TEST-EXEC: btest-diff out +# @TEST-EXEC: ! test -f weird.log @load base/frameworks/notice/weird @load base/protocols/dns + +event dns_dynamic_update(c: connection, msg: dns_msg, zname: string, zclass: count) + { + print msg, zname, zclass, DNS::classes[zclass]; + } diff --git a/testing/external/commit-hash.zeek-testing b/testing/external/commit-hash.zeek-testing index f88d37e597..7758b32c42 100644 --- a/testing/external/commit-hash.zeek-testing +++ b/testing/external/commit-hash.zeek-testing @@ -1 +1 @@ -31094f4840d0abc8fdf7f810e281851bd057931b +0f0a78fbe0bc690bede40da17d30c1fd2db273c6 diff --git a/testing/external/commit-hash.zeek-testing-private b/testing/external/commit-hash.zeek-testing-private index 0c6db43a2e..5f50ea511c 100644 --- a/testing/external/commit-hash.zeek-testing-private +++ b/testing/external/commit-hash.zeek-testing-private @@ -1 +1 @@ -2b90a083a2b35a2a3c1d71ff92318c7a11263cd6 +80860e185460d347c969c04977fa7e99dff9eaab
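Review bot: The rewritten dynamic-update test diffs only `out` (the printed `dns_dynamic_update` arguments), so nothing in it pins what the new `opcode` and `opcode_name` columns contain for an update message; every dns.log baseline visible in this part of the diff records `0 query`. The `5` / `dynamic-update` value is what a dns.log-based detection would key on, and the test now asserts that the old unknown-opcode weird is gone, so I would add `# @TEST-EXEC: btest-diff dns.log` after the `btest-diff out` line, assuming the DNS script writes a log entry for this pcap (not visible from here). As a smaller style point, `>out 2>&1` folds stderr into the baseline, so any unrelated warning text becomes part of the expected output; redirecting only stdout with `>out` would keep the baseline limited to the event data.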