Merge 07804232e6 into 8b4707a284

scripts/base/init-bare.zeek

@@ -2861,7 +2861,7 @@ global pkt_profile_file: file &redef;
 ## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
 ##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
 ##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
-##    dns_message dns_query_reply dns_rejected dns_request
+##    dns_message dns_query_reply dns_rejected dns_request dns_dynamic_update
 type dns_msg: record {
 	id: count;	##< Transaction ID.
 
@@ -2877,10 +2877,12 @@ type dns_msg: record {
 	AD: bool;	##< authentic data
 	CD: bool;	##< checking disabled
 
-	num_queries: count;	##< Number of query records.
-	num_answers: count;	##< Number of answer records.
-	num_auth: count;	##< Number of authoritative records.
+	num_queries: count;	##< Number of query records. For dynamic update messages, this is the number of zones.
+	num_answers: count;	##< Number of answer records. For dynamic update messages, this is the number of prerequisites.
+	num_auth: count;	##< Number of authoritative records. For dynamic update messages, this is the number of updates.
 	num_addl: count;	##< Number of additional records.
+
+	is_netbios: bool;	##< Whether this message came from NetBIOS.
 };
 
 ## A DNS SOA record.

scripts/base/protocols/dns/consts.zeek

@@ -194,4 +194,25 @@ export {
 		[5] = "ech",
 		[6] = "ipv6hint",
 	} &default = function(n: count): string { return fmt("key-%d", n); };
+
+	## Mapping of DNS operation type codes to human readable string representation.
+	const opcodes = {
+		[0] = "query",
+		[1] = "iquery",
+		[2] = "server-status",
+		[4] = "notify",
+		[5] = "dynamic-update",
+		[6] = "dso",
+	} &default = function(n: count): string { return fmt("opcode-%d", n); };
+
+	## Mapping of DNS operation type codes to human readable string representation for
+	## NetBIOS Name Service (NBNS) queries. These codes are defined in
+	## https://datatracker.ietf.org/doc/html/rfc1002#section-4.2.1.1
+	const netbios_opcodes = {
+		[0] = "netbios-query",
+		[5] = "netbios-registration",
+		[6] = "netbios-release",
+		[7] = "netbios-wack",
+		[8] = "netbios-refresh",
+	} &default = function(n: count): string { return fmt("netbios-opcode-%d", n); };
 }

scripts/base/protocols/dns/main.zeek

@@ -71,6 +71,10 @@ export {
 		TTLs:          vector of interval &log &optional;
 		## The DNS query was rejected by the server.
 		rejected:      bool               &log &default=F;
+		## The opcode value of the DNS request/response.
+		opcode:        count              &log &optional;
+		## A descriptive string for the opcode.
+		opcode_name:   string             &log &optional;
 
 		## The total number of resource records in a reply message's
 		## answer section.
@@ -343,11 +347,17 @@ hook set_session(c: connection, msg: dns_msg, is_query: bool) &priority=5
 		if ( msg$rcode != 0 && msg$num_queries == 0 )
 			c$dns$rejected = T;
 		}
+
+	c$dns$opcode = msg$opcode;
+	if ( msg$is_netbios )
+		c$dns$opcode_name = netbios_opcodes[msg$opcode];
+	else
+		c$dns$opcode_name = opcodes[msg$opcode];
 	}
 
 event dns_message(c: connection, is_orig: bool, msg: dns_msg, len: count) &priority=5
 	{
-	if ( msg$opcode != 0 )
+	if ( msg$opcode != 0 && msg$opcode != 5 )
 		# Currently only standard queries are tracked.
 		return;