Merge 07804232e6
into 8b4707a284
commit
a0a7f59530
38 changed files with 332 additions and 189 deletions
|
@ -2861,7 +2861,7 @@ global pkt_profile_file: file &redef;
|
||||||
## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
|
## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
|
||||||
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
|
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
|
||||||
## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
|
## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
|
||||||
## dns_message dns_query_reply dns_rejected dns_request
|
## dns_message dns_query_reply dns_rejected dns_request dns_dynamic_update
|
||||||
type dns_msg: record {
|
type dns_msg: record {
|
||||||
id: count; ##< Transaction ID.
|
id: count; ##< Transaction ID.
|
||||||
|
|
||||||
|
@ -2877,10 +2877,12 @@ type dns_msg: record {
|
||||||
AD: bool; ##< authentic data
|
AD: bool; ##< authentic data
|
||||||
CD: bool; ##< checking disabled
|
CD: bool; ##< checking disabled
|
||||||
|
|
||||||
num_queries: count; ##< Number of query records.
|
num_queries: count; ##< Number of query records. For dynamic update messages, this is the number of zones.
|
||||||
num_answers: count; ##< Number of answer records.
|
num_answers: count; ##< Number of answer records. For dynamic update messages, this is the number of prerequisites.
|
||||||
num_auth: count; ##< Number of authoritative records.
|
num_auth: count; ##< Number of authoritative records. For dynamic update messages, this is the number of updates.
|
||||||
num_addl: count; ##< Number of additional records.
|
num_addl: count; ##< Number of additional records.
|
||||||
|
|
||||||
|
is_netbios: bool; ##< Whether this message came from NetBIOS.
|
||||||
};
|
};
|
||||||
|
|
||||||
## A DNS SOA record.
|
## A DNS SOA record.
|
||||||
|
|
|
@ -194,4 +194,25 @@ export {
|
||||||
[5] = "ech",
|
[5] = "ech",
|
||||||
[6] = "ipv6hint",
|
[6] = "ipv6hint",
|
||||||
} &default = function(n: count): string { return fmt("key-%d", n); };
|
} &default = function(n: count): string { return fmt("key-%d", n); };
|
||||||
|
|
||||||
|
## Mapping of DNS operation type codes to human readable string representation.
|
||||||
|
const opcodes = {
|
||||||
|
[0] = "query",
|
||||||
|
[1] = "iquery",
|
||||||
|
[2] = "server-status",
|
||||||
|
[4] = "notify",
|
||||||
|
[5] = "dynamic-update",
|
||||||
|
[6] = "dso",
|
||||||
|
} &default = function(n: count): string { return fmt("opcode-%d", n); };
|
||||||
|
|
||||||
|
## Mapping of DNS operation type codes to human readable string representation for
|
||||||
|
## NetBIOS Name Service (NBNS) queries. These codes are defined in
|
||||||
|
## https://datatracker.ietf.org/doc/html/rfc1002#section-4.2.1.1
|
||||||
|
const netbios_opcodes = {
|
||||||
|
[0] = "netbios-query",
|
||||||
|
[5] = "netbios-registration",
|
||||||
|
[6] = "netbios-release",
|
||||||
|
[7] = "netbios-wack",
|
||||||
|
[8] = "netbios-refresh",
|
||||||
|
} &default = function(n: count): string { return fmt("netbios-opcode-%d", n); };
|
||||||
}
|
}
|
||||||
|
|
|
@ -71,6 +71,10 @@ export {
|
||||||
TTLs: vector of interval &log &optional;
|
TTLs: vector of interval &log &optional;
|
||||||
## The DNS query was rejected by the server.
|
## The DNS query was rejected by the server.
|
||||||
rejected: bool &log &default=F;
|
rejected: bool &log &default=F;
|
||||||
|
## The opcode value of the DNS request/response.
|
||||||
|
opcode: count &log &optional;
|
||||||
|
## A descriptive string for the opcode.
|
||||||
|
opcode_name: string &log &optional;
|
||||||
|
|
||||||
## The total number of resource records in a reply message's
|
## The total number of resource records in a reply message's
|
||||||
## answer section.
|
## answer section.
|
||||||
|
@ -343,11 +347,17 @@ hook set_session(c: connection, msg: dns_msg, is_query: bool) &priority=5
|
||||||
if ( msg$rcode != 0 && msg$num_queries == 0 )
|
if ( msg$rcode != 0 && msg$num_queries == 0 )
|
||||||
c$dns$rejected = T;
|
c$dns$rejected = T;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
c$dns$opcode = msg$opcode;
|
||||||
|
if ( msg$is_netbios )
|
||||||
|
c$dns$opcode_name = netbios_opcodes[msg$opcode];
|
||||||
|
else
|
||||||
|
c$dns$opcode_name = opcodes[msg$opcode];
|
||||||
}
|
}
|
||||||
|
|
||||||
event dns_message(c: connection, is_orig: bool, msg: dns_msg, len: count) &priority=5
|
event dns_message(c: connection, is_orig: bool, msg: dns_msg, len: count) &priority=5
|
||||||
{
|
{
|
||||||
if ( msg$opcode != 0 )
|
if ( msg$opcode != 0 && msg$opcode != 5 )
|
||||||
# Currently only standard queries are tracked.
|
# Currently only standard queries are tracked.
|
||||||
return;
|
return;
|
||||||
|
|
||||||
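Review bot: The guard `if ( msg$opcode != 0 && msg$opcode != 5 )` in dns_message now admits NetBIOS registration messages (opcode 5 with `msg$is_netbios` set) into session tracking, which the old code dropped, while NetBIOS release (opcode 6) is still dropped; the C++ side parses both, so this reads as an accidental widening rather than a deliberate one. If only real dynamic updates are meant to pass, consult the new flag: `if ( msg$opcode != 0 && ! ( msg$opcode == 5 && ! msg$is_netbios ) )`. The comment on the following line, `# Currently only standard queries are tracked.`, is stale either way and should read `# Only standard queries and dynamic updates are tracked.`. The body of dns_message continues outside the hunk.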
|
|
|
@ -74,13 +74,13 @@ void DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query) {
|
||||||
auto opcode = static_cast<uint16_t>((flags & 0x7800) >> 11);
|
auto opcode = static_cast<uint16_t>((flags & 0x7800) >> 11);
|
||||||
|
|
||||||
// NetBIOS registration and release messages look like regular DNS requests, so parse them as such
|
// NetBIOS registration and release messages look like regular DNS requests, so parse them as such
|
||||||
if ( opcode != DNS_OP_QUERY && ! is_netbios ) {
|
if ( opcode != DNS_OP_QUERY && opcode != DNS_OP_DYNAMIC_UPDATE && ! is_netbios ) {
|
||||||
analyzer->Weird("DNS_unknown_opcode", util::fmt("%d", opcode));
|
analyzer->Weird("DNS_unknown_opcode", util::fmt("%d", opcode));
|
||||||
analyzer->Conn()->CheckHistory(zeek::session::detail::HIST_UNKNOWN_PKT, 'X');
|
analyzer->Conn()->CheckHistory(zeek::session::detail::HIST_UNKNOWN_PKT, 'X');
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
detail::DNS_MsgInfo msg(hdr, is_query);
|
detail::DNS_MsgInfo msg(hdr, is_query, is_netbios);
|
||||||
|
|
||||||
if ( first_message && msg.QR && is_query == 1 ) {
|
if ( first_message && msg.QR && is_query == 1 ) {
|
||||||
is_query = 0;
|
is_query = 0;
|
||||||
|
@ -98,7 +98,7 @@ void DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query) {
|
||||||
|
|
||||||
// There is a great deal of non-DNS traffic that runs on port 53.
|
// There is a great deal of non-DNS traffic that runs on port 53.
|
||||||
// This should weed out most of it.
|
// This should weed out most of it.
|
||||||
if ( zeek::detail::dns_max_queries > 0 && msg.qdcount > zeek::detail::dns_max_queries ) {
|
if ( zeek::detail::dns_max_queries > 0 && msg.qd_zo_count > zeek::detail::dns_max_queries ) {
|
||||||
analyzer->AnalyzerViolation("DNS_Conn_count_too_large");
|
analyzer->AnalyzerViolation("DNS_Conn_count_too_large");
|
||||||
analyzer->Weird("DNS_Conn_count_too_large");
|
analyzer->Weird("DNS_Conn_count_too_large");
|
||||||
EndMessage(&msg);
|
EndMessage(&msg);
|
||||||
|
@ -110,26 +110,73 @@ void DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query) {
|
||||||
data += hdr_len;
|
data += hdr_len;
|
||||||
len -= hdr_len;
|
len -= hdr_len;
|
||||||
|
|
||||||
if ( ! ParseQuestions(&msg, data, len, msg_start) ) {
|
if ( msg.is_dynamic_update ) {
|
||||||
EndMessage(&msg);
|
if ( msg.qd_zo_count != 1 ) {
|
||||||
return;
|
// dynamic update events should only have a single zone in them.
|
||||||
}
|
analyzer->Weird("DNS_DU_invalid_zone_count", util::fmt("%d", msg.qd_zo_count));
|
||||||
|
EndMessage(&msg);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
if ( ! ParseAnswers(&msg, msg.ancount, detail::DNS_ANSWER, data, len, msg_start) ) {
|
// Dynamic update looks like this:
|
||||||
EndMessage(&msg);
|
// 1. A single "zone" that is just the first three fields of an SOA RR. It's
|
||||||
return;
|
// required to be an SOA, so a weird is returned if not.
|
||||||
|
// 2. Zero or more "prerequisite" RRs that are required to be true in the zone
|
||||||
|
// before updates take place.
|
||||||
|
// 3. Zero or more "update" RRs that are the updates to be made to the zone.
|
||||||
|
// 4. Zero or more "additional" RRs that are unrelated to the updates. These are
|
||||||
|
// handled same to the other additional RRs with other op codes.
|
||||||
|
if ( ! ParseAnswerHeader(&msg, data, len, msg_start) ) {
|
||||||
|
EndMessage(&msg);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( msg.atype != detail::TYPE_SOA ) {
|
||||||
|
analyzer->Weird("DNS_DU_incorrect_zone_type");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
StringValPtr zname = msg.query_name;
|
||||||
|
uint32_t zclass = msg.aclass;
|
||||||
|
|
||||||
|
if ( ! ParseAnswers(&msg, msg.an_pr_count, detail::DNS_PREREQUISITES, data, len, msg_start) ) {
|
||||||
|
EndMessage(&msg);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( ! ParseAnswers(&msg, msg.ns_up_count, detail::DNS_UPDATES, data, len, msg_start) ) {
|
||||||
|
EndMessage(&msg);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Send an event if the first three parts parsed correctly, since they're the
|
||||||
|
// actual update bits.
|
||||||
|
if ( dns_dynamic_update )
|
||||||
|
analyzer->EnqueueConnEvent(dns_dynamic_update, analyzer->ConnVal(), msg.BuildHdrVal(), zname,
|
||||||
|
val_mgr->Count(zclass));
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
if ( ! ParseQuestions(&msg, data, len, msg_start) ) {
|
||||||
|
EndMessage(&msg);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( ! ParseAnswers(&msg, msg.an_pr_count, detail::DNS_ANSWER, data, len, msg_start) ) {
|
||||||
|
EndMessage(&msg);
|
||||||
|
return;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
analyzer->AnalyzerConfirmation();
|
analyzer->AnalyzerConfirmation();
|
||||||
|
|
||||||
bool skip_auth = (zeek::detail::dns_skip_all_auth != 0);
|
bool skip_auth = (zeek::detail::dns_skip_all_auth != 0);
|
||||||
bool skip_addl = (zeek::detail::dns_skip_all_addl != 0);
|
bool skip_addl = (zeek::detail::dns_skip_all_addl != 0);
|
||||||
if ( msg.ancount > 0 ) { // We did an answer, so can potentially skip auth/addl.
|
if ( msg.an_pr_count > 0 ) { // We did an answer, so can potentially skip auth/addl.
|
||||||
static auto dns_skip_auth = id::find_val<TableVal>("dns_skip_auth");
|
static auto dns_skip_auth = id::find_val<TableVal>("dns_skip_auth");
|
||||||
static auto dns_skip_addl = id::find_val<TableVal>("dns_skip_addl");
|
static auto dns_skip_addl = id::find_val<TableVal>("dns_skip_addl");
|
||||||
auto server = make_intrusive<AddrVal>(analyzer->Conn()->RespAddr());
|
auto server = make_intrusive<AddrVal>(analyzer->Conn()->RespAddr());
|
||||||
|
|
||||||
skip_auth = skip_auth || msg.nscount == 0 || dns_skip_auth->FindOrDefault(server);
|
skip_auth = skip_auth || msg.ns_up_count == 0 || dns_skip_auth->FindOrDefault(server);
|
||||||
skip_addl = skip_addl || msg.arcount == 0 || dns_skip_addl->FindOrDefault(server);
|
skip_addl = skip_addl || msg.arcount == 0 || dns_skip_addl->FindOrDefault(server);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -139,10 +186,13 @@ void DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
msg.skip_event = skip_auth;
|
// Dynamic update doesn't have an authority section.
|
||||||
if ( ! ParseAnswers(&msg, msg.nscount, detail::DNS_AUTHORITY, data, len, msg_start) ) {
|
if ( ! msg.is_dynamic_update ) {
|
||||||
EndMessage(&msg);
|
msg.skip_event = skip_auth;
|
||||||
return;
|
if ( ! ParseAnswers(&msg, msg.ns_up_count, detail::DNS_AUTHORITY, data, len, msg_start) ) {
|
||||||
|
EndMessage(&msg);
|
||||||
|
return;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( skip_addl ) {
|
if ( skip_addl ) {
|
||||||
|
@ -166,7 +216,7 @@ void DNS_Interpreter::EndMessage(detail::DNS_MsgInfo* msg) {
|
||||||
}
|
}
|
||||||
|
|
||||||
bool DNS_Interpreter::ParseQuestions(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, const u_char* msg_start) {
|
bool DNS_Interpreter::ParseQuestions(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, const u_char* msg_start) {
|
||||||
int n = msg->qdcount;
|
int n = msg->qd_zo_count;
|
||||||
|
|
||||||
while ( n > 0 && ParseQuestion(msg, data, len, msg_start) )
|
while ( n > 0 && ParseQuestion(msg, data, len, msg_start) )
|
||||||
--n;
|
--n;
|
||||||
|
@ -201,7 +251,7 @@ bool DNS_Interpreter::ParseQuestion(detail::DNS_MsgInfo* msg, const u_char*& dat
|
||||||
if ( msg->QR == 0 )
|
if ( msg->QR == 0 )
|
||||||
dns_event = dns_request;
|
dns_event = dns_request;
|
||||||
|
|
||||||
else if ( msg->QR == 1 && msg->ancount == 0 && msg->nscount == 0 && msg->arcount == 0 )
|
else if ( msg->QR == 1 && msg->an_pr_count == 0 && msg->ns_up_count == 0 && msg->arcount == 0 )
|
||||||
// Service rejected in some fashion, and it won't be reported
|
// Service rejected in some fashion, and it won't be reported
|
||||||
// via a returned RR because there aren't any.
|
// via a returned RR because there aren't any.
|
||||||
dns_event = dns_rejected;
|
dns_event = dns_rejected;
|
||||||
|
@ -229,7 +279,8 @@ bool DNS_Interpreter::ParseQuestion(detail::DNS_MsgInfo* msg, const u_char*& dat
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
bool DNS_Interpreter::ParseAnswer(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, const u_char* msg_start) {
|
bool DNS_Interpreter::ParseAnswerHeader(detail::DNS_MsgInfo* msg, const u_char*& data, int& len,
|
||||||
|
const u_char* msg_start) {
|
||||||
u_char name[513];
|
u_char name[513];
|
||||||
int name_len = sizeof(name) - 1;
|
int name_len = sizeof(name) - 1;
|
||||||
|
|
||||||
|
@ -249,6 +300,14 @@ bool DNS_Interpreter::ParseAnswer(detail::DNS_MsgInfo* msg, const u_char*& data,
|
||||||
msg->query_name = make_intrusive<StringVal>(new String(name, name_end - name, true));
|
msg->query_name = make_intrusive<StringVal>(new String(name, name_end - name, true));
|
||||||
msg->atype = static_cast<detail::RR_Type>(ExtractShort(data, len));
|
msg->atype = static_cast<detail::RR_Type>(ExtractShort(data, len));
|
||||||
msg->aclass = ExtractShort(data, len);
|
msg->aclass = ExtractShort(data, len);
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
bool DNS_Interpreter::ParseAnswer(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, const u_char* msg_start) {
|
||||||
|
if ( ! ParseAnswerHeader(msg, data, len, msg_start) )
|
||||||
|
return false;
|
||||||
|
|
||||||
msg->ttl = ExtractLong(data, len);
|
msg->ttl = ExtractLong(data, len);
|
||||||
|
|
||||||
auto rdlength = ExtractShort(data, len);
|
auto rdlength = ExtractShort(data, len);
|
||||||
|
@ -256,7 +315,24 @@ bool DNS_Interpreter::ParseAnswer(detail::DNS_MsgInfo* msg, const u_char*& data,
|
||||||
analyzer->Weird("DNS_truncated_RR_rdlength_lt_len");
|
analyzer->Weird("DNS_truncated_RR_rdlength_lt_len");
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
else if ( rdlength == 0 && len > 0 ) {
|
|
||||||
|
if ( msg->is_dynamic_update ) {
|
||||||
|
// Read length and ttl can both be zero for dynamic updates, but only if the class is ANY or NONE.
|
||||||
|
if ( rdlength == 0 && msg->aclass != DNS_CLASS_ANY && msg->aclass != DNS_CLASS_NONE ) {
|
||||||
|
analyzer->Weird("DNS_zero_rdlength_update");
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
else if ( msg->ttl == 0 && msg->aclass != DNS_CLASS_ANY && msg->aclass != DNS_CLASS_NONE ) {
|
||||||
|
analyzer->Weird("DNS_zero_ttl_update");
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( rdlength == 0 && len > 0 ) {
|
||||||
|
if ( msg->is_dynamic_update )
|
||||||
|
// See above for when this isn't allowed.
|
||||||
|
return true;
|
||||||
|
|
||||||
analyzer->Weird("DNS_zero_rdlength");
|
analyzer->Weird("DNS_zero_rdlength");
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
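Review bot: The `DNS_zero_ttl_update` branch in ParseAnswer rejects RRs that RFC 2136 requires: every prerequisite RR must carry TTL 0 regardless of class (section 3.2.1, including the value-dependent form that uses the zone's class), and an update RR of the zone's class may legitimately have TTL 0 (section 3.4.1 constrains TTL only for class ANY and NONE). As written, a message with a value-dependent prerequisite fails parsing, EndMessage runs and no dns_dynamic_update event fires, so a whole category of legitimate updates becomes invisible to the script layer. The RFC's rule is the inverse of this check: `else if ( msg->ttl != 0 && (msg->aclass == DNS_CLASS_ANY || msg->aclass == DNS_CLASS_NONE) ) {` with a weird named for the nonzero TTL, and the comment above it should say that class ANY/NONE RRs must have rdlength 0 and TTL 0, not that zero values are only allowed for those classes. Separately, in the `@ -110,26 +110,73 @@` hunk the `DNS_DU_incorrect_zone_type` path returns without `EndMessage(&msg)`, unlike every other early return in ParseMessage. ParseAnswer's body continues outside the hunk.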
@ -392,6 +468,7 @@ bool DNS_Interpreter::ExtractLabel(const u_char*& data, int& len, u_char*& name,
|
||||||
// Found terminating label.
|
// Found terminating label.
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
|
// If the label length is 0xc0, this is a pointer to another spot in the packet data.
|
||||||
if ( (label_len & 0xc0) == 0xc0 ) {
|
if ( (label_len & 0xc0) == 0xc0 ) {
|
||||||
auto offset = (label_len & ~0xc0) << 8;
|
auto offset = (label_len & ~0xc0) << 8;
|
||||||
|
|
||||||
|
@ -422,6 +499,7 @@ bool DNS_Interpreter::ExtractLabel(const u_char*& data, int& len, u_char*& name,
|
||||||
name_len -= name_end - name;
|
name_len -= name_end - name;
|
||||||
name = name_end;
|
name = name_end;
|
||||||
|
|
||||||
|
// Returning false here causes the loop in ExtractName to exit.
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1789,7 +1867,8 @@ void DNS_Interpreter::SendReplyOrRejectEvent(detail::DNS_MsgInfo* msg, EventHand
|
||||||
val_mgr->Count(qtype), val_mgr->Count(qclass), make_intrusive<StringVal>(original_name));
|
val_mgr->Count(qtype), val_mgr->Count(qclass), make_intrusive<StringVal>(original_name));
|
||||||
}
|
}
|
||||||
|
|
||||||
DNS_MsgInfo::DNS_MsgInfo(DNS_RawMsgHdr* hdr, bool arg_is_query) : is_query(arg_is_query) {
|
DNS_MsgInfo::DNS_MsgInfo(DNS_RawMsgHdr* hdr, bool arg_is_query, bool arg_is_netbios)
|
||||||
|
: is_query(arg_is_query), is_netbios(arg_is_netbios) {
|
||||||
// ### Need to fix alignment if hdr is misaligned (not on a short boundary).
|
// ### Need to fix alignment if hdr is misaligned (not on a short boundary).
|
||||||
uint16_t flags = ntohs(hdr->flags);
|
uint16_t flags = ntohs(hdr->flags);
|
||||||
|
|
||||||
|
@ -1804,12 +1883,13 @@ DNS_MsgInfo::DNS_MsgInfo(DNS_RawMsgHdr* hdr, bool arg_is_query) : is_query(arg_i
|
||||||
CD = (flags & 0x0010) >> 4;
|
CD = (flags & 0x0010) >> 4;
|
||||||
rcode = (flags & 0x000f);
|
rcode = (flags & 0x000f);
|
||||||
|
|
||||||
qdcount = ntohs(hdr->qdcount);
|
qd_zo_count = ntohs(hdr->qd_zo_count);
|
||||||
ancount = ntohs(hdr->ancount);
|
an_pr_count = ntohs(hdr->an_pr_count);
|
||||||
nscount = ntohs(hdr->nscount);
|
ns_up_count = ntohs(hdr->ns_up_count);
|
||||||
arcount = ntohs(hdr->arcount);
|
arcount = ntohs(hdr->arcount);
|
||||||
|
|
||||||
id = ntohs(hdr->id);
|
id = ntohs(hdr->id);
|
||||||
|
is_dynamic_update = (opcode == DNS_OP_DYNAMIC_UPDATE && ! is_netbios);
|
||||||
}
|
}
|
||||||
|
|
||||||
RecordValPtr DNS_MsgInfo::BuildHdrVal() {
|
RecordValPtr DNS_MsgInfo::BuildHdrVal() {
|
||||||
|
@ -1827,10 +1907,11 @@ RecordValPtr DNS_MsgInfo::BuildHdrVal() {
|
||||||
r->Assign(8, Z);
|
r->Assign(8, Z);
|
||||||
r->Assign(9, static_cast<bool>(AD));
|
r->Assign(9, static_cast<bool>(AD));
|
||||||
r->Assign(10, static_cast<bool>(CD));
|
r->Assign(10, static_cast<bool>(CD));
|
||||||
r->Assign(11, qdcount);
|
r->Assign(11, qd_zo_count);
|
||||||
r->Assign(12, ancount);
|
r->Assign(12, an_pr_count);
|
||||||
r->Assign(13, nscount);
|
r->Assign(13, ns_up_count);
|
||||||
r->Assign(14, arcount);
|
r->Assign(14, arcount);
|
||||||
|
r->Assign(15, is_netbios);
|
||||||
|
|
||||||
return r;
|
return r;
|
||||||
}
|
}
|
||||||
|
|
|
@ -15,6 +15,10 @@ enum DNS_Opcode : uint8_t {
|
||||||
// DNS_OP_SERVER_STATUS = 3, ///< server status request
|
// DNS_OP_SERVER_STATUS = 3, ///< server status request
|
||||||
DNS_OP_SERVER_STATUS = 2, ///< server status request
|
DNS_OP_SERVER_STATUS = 2, ///< server status request
|
||||||
|
|
||||||
|
DNS_OP_NOTIFY = 4, ///< RFC 1996
|
||||||
|
DNS_OP_DYNAMIC_UPDATE = 5, ///< RFC 2136
|
||||||
|
DNS_OP_DSO = 6, ///< RFC 8490
|
||||||
|
|
||||||
// Netbios operations (query = 0).
|
// Netbios operations (query = 0).
|
||||||
NETBIOS_REGISTRATION = 5,
|
NETBIOS_REGISTRATION = 5,
|
||||||
NETBIOS_RELEASE = 6,
|
NETBIOS_RELEASE = 6,
|
||||||
|
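Review bot: `DNS_OP_DYNAMIC_UPDATE = 5` and `DNS_OP_DSO = 6` now share values with `NETBIOS_REGISTRATION = 5` and `NETBIOS_RELEASE = 6` in the same unscoped enum, so comparing a raw opcode against either set is ambiguous on its own; the constructor hunk resolves it with `is_dynamic_update = (opcode == DNS_OP_DYNAMIC_UPDATE && ! is_netbios)`, but nothing in the header says so. A comment above the Netbios block, `// Values overlap with the DNS opcodes above; DNS_MsgInfo::is_netbios decides which set applies.`, would keep a future `switch` on opcode from matching the wrong enumerator. The enum's closing brace is outside the hunk.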
@ -29,6 +33,11 @@ enum DNS_Code : uint16_t {
|
||||||
DNS_CODE_NAME_ERR = 3, ///< no such domain
|
DNS_CODE_NAME_ERR = 3, ///< no such domain
|
||||||
DNS_CODE_NOT_IMPL = 4, ///< not implemented
|
DNS_CODE_NOT_IMPL = 4, ///< not implemented
|
||||||
DNS_CODE_REFUSED = 5, ///< refused
|
DNS_CODE_REFUSED = 5, ///< refused
|
||||||
|
DNS_CODE_YXDOMAIN = 6, ///< name exists when it should not (RFC 2136)
|
||||||
|
DNS_CODE_YXRRSET = 7, ///< rr set exists when it should not (RFC 2136)
|
||||||
|
DNS_CODE_NXRRSET = 8, ///< rr set that should exist does not (RFC 2136)
|
||||||
|
DNS_CODE_NOTAUTH = 9, ///< server not authoritative for zone (RFC 2136), or not authorized (RFC 8945)
|
||||||
|
DNS_CODE_NOT_ZONE = 10, ///< name not contained in zone (RFC 2136)
|
||||||
DNS_CODE_RESERVED = 65535, ///< Force clang-tidy to accept this enum being 16 bits
|
DNS_CODE_RESERVED = 65535, ///< Force clang-tidy to accept this enum being 16 bits
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -83,6 +92,7 @@ enum RR_Type : uint16_t {
|
||||||
|
|
||||||
enum DNS_Class : uint16_t {
|
enum DNS_Class : uint16_t {
|
||||||
DNS_CLASS_IN = 1,
|
DNS_CLASS_IN = 1,
|
||||||
|
DNS_CLASS_NONE = 254, ///< RFC2136
|
||||||
DNS_CLASS_ANY = 255,
|
DNS_CLASS_ANY = 255,
|
||||||
DNS_CLASS_RESERVED = 65535, ///< Force clang-tidy to accept this enum being 16 bits
|
DNS_CLASS_RESERVED = 65535, ///< Force clang-tidy to accept this enum being 16 bits
|
||||||
};
|
};
|
||||||
|
@ -92,6 +102,8 @@ enum DNS_AnswerType : uint8_t {
|
||||||
DNS_ANSWER,
|
DNS_ANSWER,
|
||||||
DNS_AUTHORITY,
|
DNS_AUTHORITY,
|
||||||
DNS_ADDITIONAL,
|
DNS_ADDITIONAL,
|
||||||
|
DNS_PREREQUISITES,
|
||||||
|
DNS_UPDATES,
|
||||||
};
|
};
|
||||||
|
|
||||||
// https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml
|
// https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml
|
||||||
|
@ -162,9 +174,9 @@ enum SVCPARAM_Key : uint8_t {
|
||||||
struct DNS_RawMsgHdr {
|
struct DNS_RawMsgHdr {
|
||||||
uint16_t id;
|
uint16_t id;
|
||||||
uint16_t flags;
|
uint16_t flags;
|
||||||
uint16_t qdcount;
|
uint16_t qd_zo_count;
|
||||||
uint16_t ancount;
|
uint16_t an_pr_count;
|
||||||
uint16_t nscount;
|
uint16_t ns_up_count;
|
||||||
uint16_t arcount;
|
uint16_t arcount;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -282,9 +294,9 @@ struct SVCB_DATA {
|
||||||
VectorValPtr svc_params;
|
VectorValPtr svc_params;
|
||||||
};
|
};
|
||||||
|
|
||||||
class DNS_MsgInfo {
|
class DNS_MsgInfo final {
|
||||||
public:
|
public:
|
||||||
DNS_MsgInfo(DNS_RawMsgHdr* hdr, bool is_query);
|
DNS_MsgInfo(DNS_RawMsgHdr* hdr, bool is_query, bool is_netbios);
|
||||||
|
|
||||||
RecordValPtr BuildHdrVal();
|
RecordValPtr BuildHdrVal();
|
||||||
RecordValPtr BuildAnswerVal();
|
RecordValPtr BuildAnswerVal();
|
||||||
|
@ -304,26 +316,28 @@ public:
|
||||||
RecordValPtr BuildSVCB_Val(const struct SVCB_DATA&);
|
RecordValPtr BuildSVCB_Val(const struct SVCB_DATA&);
|
||||||
|
|
||||||
uint16_t id;
|
uint16_t id;
|
||||||
uint8_t opcode; ///< query type, see DNS_Opcode
|
uint8_t opcode; ///< query type, see DNS_Opcode
|
||||||
uint16_t rcode; ///< return code, see DNS_Code
|
uint16_t rcode; ///< return code, see DNS_Code
|
||||||
bool QR; ///< query record flag
|
bool QR; ///< query record flag
|
||||||
bool AA; ///< authoritative answer flag
|
bool AA; ///< authoritative answer flag
|
||||||
bool TC; ///< truncated - size > 512 bytes for udp
|
bool TC; ///< truncated - size > 512 bytes for udp
|
||||||
bool RD; ///< recursion desired
|
bool RD; ///< recursion desired
|
||||||
bool RA; ///< recursion available
|
bool RA; ///< recursion available
|
||||||
uint8_t Z; ///< 3 bit field (includes AD and CD)
|
uint8_t Z; ///< 3 bit field (includes AD and CD)
|
||||||
bool AD; ///< authentic data
|
bool AD; ///< authentic data
|
||||||
bool CD; ///< checking disabled
|
bool CD; ///< checking disabled
|
||||||
uint16_t qdcount; ///< number of questions
|
uint16_t qd_zo_count; ///< number of questions (or zones for dynamic update)
|
||||||
uint16_t ancount; ///< number of answers
|
uint16_t an_pr_count; ///< number of answers (or prerequisites for dynamic update)
|
||||||
uint16_t nscount; ///< number of authority RRs
|
uint16_t ns_up_count; ///< number of authority RRs (or updates for dynamic update)
|
||||||
uint16_t arcount; ///< number of additional RRs
|
uint16_t arcount; ///< number of additional RRs
|
||||||
bool is_query = false; ///< whether it came from the session initiator
|
bool is_query = false; ///< whether it came from the session initiator
|
||||||
bool skip_event = false; ///< if true, don't generate corresponding events
|
bool skip_event = false; ///< if true, don't generate corresponding events
|
||||||
|
bool is_dynamic_update = false; ///< whether this message is a dynamic update
|
||||||
|
bool is_netbios = false; ///< whether this request is from netbios
|
||||||
|
|
||||||
StringValPtr query_name;
|
StringValPtr query_name;
|
||||||
RR_Type atype = TYPE_ALL;
|
RR_Type atype = TYPE_ALL;
|
||||||
int aclass = 0; ///< normally = 1, inet
|
uint16_t aclass = 0; ///< normally = 1, inet
|
||||||
uint32_t ttl = 0;
|
uint32_t ttl = 0;
|
||||||
|
|
||||||
DNS_AnswerType answer_type = DNS_QUESTION;
|
DNS_AnswerType answer_type = DNS_QUESTION;
|
||||||
|
@ -337,7 +351,7 @@ public:
|
||||||
|
|
||||||
void Timeout() {}
|
void Timeout() {}
|
||||||
|
|
||||||
protected:
|
private:
|
||||||
void EndMessage(detail::DNS_MsgInfo* msg);
|
void EndMessage(detail::DNS_MsgInfo* msg);
|
||||||
|
|
||||||
bool ParseQuestions(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, const u_char* start);
|
bool ParseQuestions(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, const u_char* start);
|
||||||
|
@ -345,6 +359,7 @@ protected:
|
||||||
int& len, const u_char* start);
|
int& len, const u_char* start);
|
||||||
|
|
||||||
bool ParseQuestion(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, const u_char* start);
|
bool ParseQuestion(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, const u_char* start);
|
||||||
|
bool ParseAnswerHeader(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, const u_char* msg_start);
|
||||||
bool ParseAnswer(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, const u_char* start);
|
bool ParseAnswer(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, const u_char* start);
|
||||||
|
|
||||||
u_char* ExtractName(const u_char*& data, int& len, u_char* label, int label_len, const u_char* msg_start,
|
u_char* ExtractName(const u_char*& data, int& len, u_char* label, int label_len, const u_char* msg_start,
|
||||||
|
|
|
@ -836,3 +836,16 @@ event dns_HTTPS%(c: connection, msg: dns_msg, ans: dns_answer, https: dns_svcb_r
|
||||||
## dns_rejected dns_request dns_max_queries dns_session_timeout
|
## dns_rejected dns_request dns_max_queries dns_session_timeout
|
||||||
## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
|
## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
|
||||||
event dns_end%(c: connection, msg: dns_msg%);
|
event dns_end%(c: connection, msg: dns_msg%);
|
||||||
|
|
||||||
|
## Generated for DNS Dynamic Update messages. See `RFC for Dynamic Updates in the Domain Name System (DNS UPDATE) <https://datatracker.ietf.org/doc/html/rfc2136`__
|
||||||
|
## for more information about Dynamic Updates.
|
||||||
|
##
|
||||||
|
## c: The connection, which may be UDP or TCP depending on the type of the
|
||||||
|
## transport-layer session being analyzed.
|
||||||
|
##
|
||||||
|
## msg: The parsed DNS message header.
|
||||||
|
##
|
||||||
|
## zname: The name from the Zone section of the message.
|
||||||
|
##
|
||||||
|
## zclass: The class from the Zone section of the message.
|
||||||
|
event dns_dynamic_update%(c: connection, msg: dns_msg, zname: string, zclass: count%);
|
||||||
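Review bot: The RST hyperlink in the new dns_dynamic_update docstring is malformed: the URL target is missing its closing `>` before the trailing backtick, so `rfc2136`__` will not render as a link in the generated documentation. The target should end with `rfc2136>`__`. The `msg` description could also note that for this event `num_queries`, `num_answers` and `num_auth` carry the zone, prerequisite and update counts, as the dns_msg record's own field docs now state.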
|
|
|
@ -5,9 +5,9 @@
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path dns
|
#path dns
|
||||||
#open XXXX-XX-XX-XX-XX-XX
|
#open XXXX-XX-XX-XX-XX-XX
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name
|
||||||
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
|
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string
|
||||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 2001:470:1f11:81f:d138:5f55:6d4:1fe2 51850 2607:f740:b::f93 53 udp 3903 0.079300 txtpadding_323.n1.netalyzr.icsi.berkeley.edu 1 C_INTERNET 16 TXT 0 NOERROR T F T F 0 TXT 33 This TXT record should be ignored TXT 21 As it is just padding TXT 136 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 1.000000 F
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 2001:470:1f11:81f:d138:5f55:6d4:1fe2 51850 2607:f740:b::f93 53 udp 3903 0.079300 txtpadding_323.n1.netalyzr.icsi.berkeley.edu 1 C_INTERNET 16 TXT 0 NOERROR T F T F 0 TXT 33 This TXT record should be ignored TXT 21 As it is just padding TXT 136 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 1.000000 F 0 query
|
||||||
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 2001:470:1f11:81f:d138:5f55:6d4:1fe2 51851 2607:f740:b::f93 53 udp 40849 5.084025 txtpadding_3230.n1.netalyzr.icsi.berkeley.edu 1 C_INTERNET 16 TXT 0 NOERROR T F T F 0 TXT 33 This TXT record should be ignored TXT 21 As it is just padding
|
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 2001:470:1f11:81f:d138:5f55:6d4:1fe2 51851 2607:f740:b::f93 53 udp 40849 5.084025 txtpadding_3230.n1.netalyzr.icsi.berkeley.edu 1 C_INTERNET 16 TXT 0 NOERROR T F T F 0 TXT 33 This TXT record should be ignored TXT 21 As it is just paddingquery
|
||||||
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 2001:470:1f11:81f:d138:5f55:6d4:1fe2 51851 2607:f740:b::f93 53 udp 40849 - txtpadding_3230.n1.netalyzr.icsi.berkeley.edu 1 C_INTERNET 16 TXT - - F F T F 0 - - F
|
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 2001:470:1f11:81f:d138:5f55:6d4:1fe2 51851 2607:f740:b::f93 53 udp 40849 - txtpadding_3230.n1.netalyzr.icsi.berkeley.edu 1 C_INTERNET 16 TXT - - F F T F 0 - - F 0 query
|
||||||
#close XXXX-XX-XX-XX-XX-XX
|
#close XXXX-XX-XX-XX-XX-XX
|
||||||
|
|
|
@ -5,8 +5,8 @@
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path dns
|
#path dns
|
||||||
#open XXXX-XX-XX-XX-XX-XX
|
#open XXXX-XX-XX-XX-XX-XX
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name
|
||||||
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
|
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string
|
||||||
XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 172.17.0.2 51714 1.1.1.1 53 udp 63844 0.054238 zeek.org 1 C_INTERNET 1 A 0 NOERROR F F T T 0 192.0.78.150,192.0.78.212 52.000000,52.000000 F
|
XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 172.17.0.2 51714 1.1.1.1 53 udp 63844 0.054238 zeek.org 1 C_INTERNET 1 A 0 NOERROR F F T T 0 192.0.78.150,192.0.78.212 52.000000,52.000000 F 0 query
|
||||||
XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 172.17.0.2 51714 1.1.1.1 53 udp 12391 - zeek.org 1 C_INTERNET 28 AAAA 0 NOERROR F F T F 0 - - F
|
XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 172.17.0.2 51714 1.1.1.1 53 udp 12391 - zeek.org 1 C_INTERNET 28 AAAA 0 NOERROR F F T F 0 - - F 0 query
|
||||||
#close XXXX-XX-XX-XX-XX-XX
|
#close XXXX-XX-XX-XX-XX-XX
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path dns
|
#path dns
|
||||||
#open XXXX-XX-XX-XX-XX-XX
|
#open XXXX-XX-XX-XX-XX-XX
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name
|
||||||
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
|
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string
|
||||||
XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 172.16.44.3 40768 8.8.8.8 53 udp 42540 - xqt-detect-mode2-97712e88-167a-45b9-93ee-913140e76678 1 C_INTERNET 28 AAAA 3 NXDOMAIN F F T F 0 - - F
|
XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 172.16.44.3 40768 8.8.8.8 53 udp 42540 - xqt-detect-mode2-97712e88-167a-45b9-93ee-913140e76678 1 C_INTERNET 28 AAAA 3 NXDOMAIN F F T F 0 - - F 0 query
|
||||||
#close XXXX-XX-XX-XX-XX-XX
|
#close XXXX-XX-XX-XX-XX-XX
|
||||||
|
|
|
@ -5,8 +5,8 @@
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path dns
|
#path dns
|
||||||
#open XXXX-XX-XX-XX-XX-XX
|
#open XXXX-XX-XX-XX-XX-XX
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name
|
||||||
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
|
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string
|
||||||
XXXXXXXXXX.XXXXXX CUM0KZ3MLUfNB0cl11 66.59.111.190 37675 172.28.2.3 53 udp 48554 - www.gleeble.org 1 C_INTERNET 255 * - - F F T F 0 - - F
|
XXXXXXXXXX.XXXXXX CUM0KZ3MLUfNB0cl11 66.59.111.190 37675 172.28.2.3 53 udp 48554 - www.gleeble.org 1 C_INTERNET 255 * - - F F T F 0 - - F 0 query
|
||||||
XXXXXXXXXX.XXXXXX CUM0KZ3MLUfNB0cl11 66.59.111.190 37675 172.28.2.3 53 udp 48554 - www.gleeble.org 1 C_INTERNET 255 * - - F F T F 0 - - F
|
XXXXXXXXXX.XXXXXX CUM0KZ3MLUfNB0cl11 66.59.111.190 37675 172.28.2.3 53 udp 48554 - www.gleeble.org 1 C_INTERNET 255 * - - F F T F 0 - - F 0 query
|
||||||
#close XXXX-XX-XX-XX-XX-XX
|
#close XXXX-XX-XX-XX-XX-XX
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path dns
|
#path dns
|
||||||
#open XXXX-XX-XX-XX-XX-XX
|
#open XXXX-XX-XX-XX-XX-XX
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name
|
||||||
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
|
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string
|
||||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.131.24.6 2152 195.178.38.3 53 udp 27595 - abcd.efg.hijklm.nm 1 C_INTERNET 1 A - - F F T F 0 - - F
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.131.24.6 2152 195.178.38.3 53 udp 27595 - abcd.efg.hijklm.nm 1 C_INTERNET 1 A - - F F T F 0 - - F 0 query
|
||||||
#close XXXX-XX-XX-XX-XX-XX
|
#close XXXX-XX-XX-XX-XX-XX
|
||||||
|
|
|
@ -100,6 +100,8 @@ connection {
|
||||||
* answers: vector of string, log=T, optional=T
|
* answers: vector of string, log=T, optional=T
|
||||||
* id: record conn_id, log=T, optional=F
|
* id: record conn_id, log=T, optional=F
|
||||||
conn_id { ... }
|
conn_id { ... }
|
||||||
|
* opcode: count, log=T, optional=T
|
||||||
|
* opcode_name: string, log=T, optional=T
|
||||||
* proto: enum transport_proto, log=T, optional=F
|
* proto: enum transport_proto, log=T, optional=F
|
||||||
* qclass: count, log=T, optional=T
|
* qclass: count, log=T, optional=T
|
||||||
* qclass_name: string, log=T, optional=T
|
* qclass_name: string, log=T, optional=T
|
||||||
|
|
|
@ -5,40 +5,40 @@
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path dns
|
#path dns
|
||||||
#open XXXX-XX-XX-XX-XX-XX
|
#open XXXX-XX-XX-XX-XX-XX
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name
|
||||||
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
|
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string
|
||||||
XXXXXXXXXX.XXXXXX CmES5u32sYpV7JYN 141.142.220.118 43927 141.142.2.2 53 udp 42996 - upload.wikimedia.org 1 C_INTERNET 28 AAAA 0 NOERROR F F T F 0 - - F
|
XXXXXXXXXX.XXXXXX CmES5u32sYpV7JYN 141.142.220.118 43927 141.142.2.2 53 udp 42996 - upload.wikimedia.org 1 C_INTERNET 28 AAAA 0 NOERROR F F T F 0 - - F 0 query
|
||||||
XXXXXXXXXX.XXXXXX CP5puj4I8PtEU4qzYg 141.142.220.118 37676 141.142.2.2 53 udp 26428 - upload.wikimedia.org.ncsa.uiuc.edu 1 C_INTERNET 28 AAAA 3 NXDOMAIN F F T F 0 - - F
|
XXXXXXXXXX.XXXXXX CP5puj4I8PtEU4qzYg 141.142.220.118 37676 141.142.2.2 53 udp 26428 - upload.wikimedia.org.ncsa.uiuc.edu 1 C_INTERNET 28 AAAA 3 NXDOMAIN F F T F 0 - - F 0 query
|
||||||
XXXXXXXXXX.XXXXXX C37jN32gN3y3AZzyf6 141.142.220.118 40526 141.142.2.2 53 udp 26096 0.000392 upload.wikimedia.org 1 C_INTERNET 1 A 0 NOERROR F F T T 0 upload.pmtpa.wikimedia.org,208.80.152.3 124.000000,2156.000000 F
|
XXXXXXXXXX.XXXXXX C37jN32gN3y3AZzyf6 141.142.220.118 40526 141.142.2.2 53 udp 26096 0.000392 upload.wikimedia.org 1 C_INTERNET 1 A 0 NOERROR F F T T 0 upload.pmtpa.wikimedia.org,208.80.152.3 124.000000,2156.000000 F 0 query
|
||||||
XXXXXXXXXX.XXXXXX C0LAHyvtKSQHyJxIl 141.142.220.118 32902 141.142.2.2 53 udp 31201 - upload.wikimedia.org 1 C_INTERNET 28 AAAA 0 NOERROR F F T F 0 - - F
|
XXXXXXXXXX.XXXXXX C0LAHyvtKSQHyJxIl 141.142.220.118 32902 141.142.2.2 53 udp 31201 - upload.wikimedia.org 1 C_INTERNET 28 AAAA 0 NOERROR F F T F 0 - - F 0 query
|
||||||
XXXXXXXXXX.XXXXXX CFLRIC3zaTU1loLGxh 141.142.220.118 59816 141.142.2.2 53 udp 39814 - upload.wikimedia.org.ncsa.uiuc.edu 1 C_INTERNET 28 AAAA 3 NXDOMAIN F F T F 0 - - F
|
XXXXXXXXXX.XXXXXX CFLRIC3zaTU1loLGxh 141.142.220.118 59816 141.142.2.2 53 udp 39814 - upload.wikimedia.org.ncsa.uiuc.edu 1 C_INTERNET 28 AAAA 3 NXDOMAIN F F T F 0 - - F 0 query
|
||||||
XXXXXXXXXX.XXXXXX C9rXSW3KSpTYvPrlI1 141.142.220.118 59714 141.142.2.2 53 udp 56376 0.000375 upload.wikimedia.org 1 C_INTERNET 1 A 0 NOERROR F F T T 0 upload.pmtpa.wikimedia.org,208.80.152.3 124.000000,2156.000000 F
|
XXXXXXXXXX.XXXXXX C9rXSW3KSpTYvPrlI1 141.142.220.118 59714 141.142.2.2 53 udp 56376 0.000375 upload.wikimedia.org 1 C_INTERNET 1 A 0 NOERROR F F T T 0 upload.pmtpa.wikimedia.org,208.80.152.3 124.000000,2156.000000 F 0 query
|
||||||
XXXXXXXXXX.XXXXXX C9mvWx3ezztgzcexV7 141.142.220.118 58206 141.142.2.2 53 udp 51988 - upload.wikimedia.org 1 C_INTERNET 28 AAAA 0 NOERROR F F T F 0 - - F
|
XXXXXXXXXX.XXXXXX C9mvWx3ezztgzcexV7 141.142.220.118 58206 141.142.2.2 53 udp 51988 - upload.wikimedia.org 1 C_INTERNET 28 AAAA 0 NOERROR F F T F 0 - - F 0 query
|
||||||
XXXXXXXXXX.XXXXXX CNnMIj2QSd84NKf7U3 141.142.220.118 38911 141.142.2.2 53 udp 1085 - upload.wikimedia.org.ncsa.uiuc.edu 1 C_INTERNET 28 AAAA 3 NXDOMAIN F F T F 0 - - F
|
XXXXXXXXXX.XXXXXX CNnMIj2QSd84NKf7U3 141.142.220.118 38911 141.142.2.2 53 udp 1085 - upload.wikimedia.org.ncsa.uiuc.edu 1 C_INTERNET 28 AAAA 3 NXDOMAIN F F T F 0 - - F 0 query
|
||||||
XXXXXXXXXX.XXXXXX C7fIlMZDuRiqjpYbb 141.142.220.118 59746 141.142.2.2 53 udp 10729 0.000421 upload.wikimedia.org 1 C_INTERNET 1 A 0 NOERROR F F T T 0 upload.pmtpa.wikimedia.org,208.80.152.3 124.000000,2156.000000 F
|
XXXXXXXXXX.XXXXXX C7fIlMZDuRiqjpYbb 141.142.220.118 59746 141.142.2.2 53 udp 10729 0.000421 upload.wikimedia.org 1 C_INTERNET 1 A 0 NOERROR F F T T 0 upload.pmtpa.wikimedia.org,208.80.152.3 124.000000,2156.000000 F 0 query
|
||||||
XXXXXXXXXX.XXXXXX CpmdRlaUoJLN3uIRa 141.142.220.118 45000 141.142.2.2 53 udp 56663 - upload.wikimedia.org 1 C_INTERNET 28 AAAA 0 NOERROR F F T F 0 - - F
|
XXXXXXXXXX.XXXXXX CpmdRlaUoJLN3uIRa 141.142.220.118 45000 141.142.2.2 53 udp 56663 - upload.wikimedia.org 1 C_INTERNET 28 AAAA 0 NOERROR F F T F 0 - - F 0 query
|
||||||
XXXXXXXXXX.XXXXXX C1Xkzz2MaGtLrc1Tla 141.142.220.118 48479 141.142.2.2 53 udp 41417 - upload.wikimedia.org.ncsa.uiuc.edu 1 C_INTERNET 28 AAAA 3 NXDOMAIN F F T F 0 - - F
|
XXXXXXXXXX.XXXXXX C1Xkzz2MaGtLrc1Tla 141.142.220.118 48479 141.142.2.2 53 udp 41417 - upload.wikimedia.org.ncsa.uiuc.edu 1 C_INTERNET 28 AAAA 3 NXDOMAIN F F T F 0 - - F 0 query
|
||||||
XXXXXXXXXX.XXXXXX CqlVyW1YwZ15RhTBc4 141.142.220.118 48128 141.142.2.2 53 udp 49233 0.000423 upload.wikimedia.org 1 C_INTERNET 1 A 0 NOERROR F F T T 0 upload.pmtpa.wikimedia.org,208.80.152.3 124.000000,2156.000000 F
|
XXXXXXXXXX.XXXXXX CqlVyW1YwZ15RhTBc4 141.142.220.118 48128 141.142.2.2 53 udp 49233 0.000423 upload.wikimedia.org 1 C_INTERNET 1 A 0 NOERROR F F T T 0 upload.pmtpa.wikimedia.org,208.80.152.3 124.000000,2156.000000 F 0 query
|
||||||
XXXXXXXXXX.XXXXXX CBA8792iHmnhPLksKa 141.142.220.118 56056 141.142.2.2 53 udp 17147 0.000402 meta.wikimedia.org 1 C_INTERNET 28 AAAA 0 NOERROR F F T T 0 text.wikimedia.org,text.pmtpa.wikimedia.org 723.000000,593.000000 F
|
XXXXXXXXXX.XXXXXX CBA8792iHmnhPLksKa 141.142.220.118 56056 141.142.2.2 53 udp 17147 0.000402 meta.wikimedia.org 1 C_INTERNET 28 AAAA 0 NOERROR F F T T 0 text.wikimedia.org,text.pmtpa.wikimedia.org 723.000000,593.000000 F 0 query
|
||||||
XXXXXXXXXX.XXXXXX CGLPPc35OzDQij1XX8 141.142.220.118 55092 141.142.2.2 53 udp 16954 0.000374 meta.wikimedia.org 1 C_INTERNET 1 A 0 NOERROR F F T T 0 text.wikimedia.org,text.pmtpa.wikimedia.org,208.80.152.2 723.000000,593.000000,2141.000000 F
|
XXXXXXXXXX.XXXXXX CGLPPc35OzDQij1XX8 141.142.220.118 55092 141.142.2.2 53 udp 16954 0.000374 meta.wikimedia.org 1 C_INTERNET 1 A 0 NOERROR F F T T 0 text.wikimedia.org,text.pmtpa.wikimedia.org,208.80.152.2 723.000000,593.000000,2141.000000 F 0 query
|
||||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 141.142.220.202 5353 224.0.0.251 5353 udp 0 - gemini._sftp-ssh._tcp.local 1 C_INTERNET 33 SRV - - F F F F 0 - - F
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 141.142.220.202 5353 224.0.0.251 5353 udp 0 - gemini._sftp-ssh._tcp.local 1 C_INTERNET 33 SRV - - F F F F 0 - - F 0 query
|
||||||
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp 0 - gemini._sftp-ssh._tcp.local - - - - 0 NOERROR T F F F 0 gemini.local 120.000000 F
|
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp 0 - gemini._sftp-ssh._tcp.local - - - - 0 NOERROR T F F F 0 gemini.local 120.000000 F 0 query
|
||||||
XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 141.142.220.50 5353 224.0.0.251 5353 udp 0 - gemini._sftp-ssh._tcp.local - - - - 0 NOERROR T F F F 0 gemini.local 120.000000 F
|
XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 141.142.220.50 5353 224.0.0.251 5353 udp 0 - gemini._sftp-ssh._tcp.local - - - - 0 NOERROR T F F F 0 gemini.local 120.000000 F 0 query
|
||||||
XXXXXXXXXX.XXXXXX Cipfzj1BEnhejw8cGf 141.142.220.44 5353 224.0.0.251 5353 udp 0 - gomez._sftp-ssh._tcp.local 1 C_INTERNET 16 TXT - - F F F F 0 - - F
|
XXXXXXXXXX.XXXXXX Cipfzj1BEnhejw8cGf 141.142.220.44 5353 224.0.0.251 5353 udp 0 - gomez._sftp-ssh._tcp.local 1 C_INTERNET 16 TXT - - F F F F 0 - - F 0 query
|
||||||
XXXXXXXXXX.XXXXXX CV5WJ42jPYbNW9JNWf 141.142.220.226 137 141.142.220.255 137 udp 65390 - BRWC0CB383D1F42 1 C_INTERNET 32 NIMLOC - - F F T F 1 - - F
|
XXXXXXXXXX.XXXXXX CV5WJ42jPYbNW9JNWf 141.142.220.226 137 141.142.220.255 137 udp 65390 - BRWC0CB383D1F42 1 C_INTERNET 32 NIMLOC - - F F T F 1 - - F 0 netbios-query
|
||||||
XXXXXXXXXX.XXXXXX CV5WJ42jPYbNW9JNWf 141.142.220.226 137 141.142.220.255 137 udp 65394 - BRWC0CB383D1F42 1 C_INTERNET 32 NIMLOC - - F F T F 1 - - F
|
XXXXXXXXXX.XXXXXX CV5WJ42jPYbNW9JNWf 141.142.220.226 137 141.142.220.255 137 udp 65394 - BRWC0CB383D1F42 1 C_INTERNET 32 NIMLOC - - F F T F 1 - - F 0 netbios-query
|
||||||
XXXXXXXXXX.XXXXXX CV5WJ42jPYbNW9JNWf 141.142.220.226 137 141.142.220.255 137 udp 65394 - BRWC0CB383D1F42 1 C_INTERNET 32 NIMLOC - - F F T F 1 - - F
|
XXXXXXXXXX.XXXXXX CV5WJ42jPYbNW9JNWf 141.142.220.226 137 141.142.220.255 137 udp 65394 - BRWC0CB383D1F42 1 C_INTERNET 32 NIMLOC - - F F T F 1 - - F 0 netbios-query
|
||||||
XXXXXXXXXX.XXXXXX CV5WJ42jPYbNW9JNWf 141.142.220.226 137 141.142.220.255 137 udp 65394 - BRWC0CB383D1F42 1 C_INTERNET 32 NIMLOC - - F F T F 1 - - F
|
XXXXXXXXXX.XXXXXX CV5WJ42jPYbNW9JNWf 141.142.220.226 137 141.142.220.255 137 udp 65394 - BRWC0CB383D1F42 1 C_INTERNET 32 NIMLOC - - F F T F 1 - - F 0 netbios-query
|
||||||
XXXXXXXXXX.XXXXXX CV5WJ42jPYbNW9JNWf 141.142.220.226 137 141.142.220.255 137 udp 65390 - BRWC0CB383D1F42 1 C_INTERNET 32 NIMLOC - - F F T F 1 - - F
|
XXXXXXXXXX.XXXXXX CV5WJ42jPYbNW9JNWf 141.142.220.226 137 141.142.220.255 137 udp 65390 - BRWC0CB383D1F42 1 C_INTERNET 32 NIMLOC - - F F T F 1 - - F 0 netbios-query
|
||||||
XXXXXXXXXX.XXXXXX CV5WJ42jPYbNW9JNWf 141.142.220.226 137 141.142.220.255 137 udp 65390 - BRWC0CB383D1F42 1 C_INTERNET 32 NIMLOC - - F F T F 1 - - F
|
XXXXXXXXXX.XXXXXX CV5WJ42jPYbNW9JNWf 141.142.220.226 137 141.142.220.255 137 udp 65390 - BRWC0CB383D1F42 1 C_INTERNET 32 NIMLOC - - F F T F 1 - - F 0 netbios-query
|
||||||
XXXXXXXXXX.XXXXXX CV5WJ42jPYbNW9JNWf 141.142.220.226 137 141.142.220.255 137 udp 65398 - BRWC0CB383D1F42 1 C_INTERNET 32 NIMLOC - - F F T F 1 - - F
|
XXXXXXXXXX.XXXXXX CV5WJ42jPYbNW9JNWf 141.142.220.226 137 141.142.220.255 137 udp 65398 - BRWC0CB383D1F42 1 C_INTERNET 32 NIMLOC - - F F T F 1 - - F 0 netbios-query
|
||||||
XXXXXXXXXX.XXXXXX CPhDKt12KQPUVbQz06 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp 17952 - brwc0cb383d1f42 1 C_INTERNET 1 A - - F F F F 0 - - F
|
XXXXXXXXXX.XXXXXX CPhDKt12KQPUVbQz06 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp 17952 - brwc0cb383d1f42 1 C_INTERNET 1 A - - F F F F 0 - - F 0 query
|
||||||
XXXXXXXXXX.XXXXXX CPhDKt12KQPUVbQz06 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp 17952 - brwc0cb383d1f42 1 C_INTERNET 1 A - - F F F F 0 - - F
|
XXXXXXXXXX.XXXXXX CPhDKt12KQPUVbQz06 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp 17952 - brwc0cb383d1f42 1 C_INTERNET 1 A - - F F F F 0 - - F 0 query
|
||||||
XXXXXXXXXX.XXXXXX CAnFrb2Cvxr5T7quOc 141.142.220.226 55131 224.0.0.252 5355 udp 17952 - brwc0cb383d1f42 1 C_INTERNET 1 A - - F F F F 0 - - F
|
XXXXXXXXXX.XXXXXX CAnFrb2Cvxr5T7quOc 141.142.220.226 55131 224.0.0.252 5355 udp 17952 - brwc0cb383d1f42 1 C_INTERNET 1 A - - F F F F 0 - - F 0 query
|
||||||
XXXXXXXXXX.XXXXXX CAnFrb2Cvxr5T7quOc 141.142.220.226 55131 224.0.0.252 5355 udp 17952 - brwc0cb383d1f42 1 C_INTERNET 1 A - - F F F F 0 - - F
|
XXXXXXXXXX.XXXXXX CAnFrb2Cvxr5T7quOc 141.142.220.226 55131 224.0.0.252 5355 udp 17952 - brwc0cb383d1f42 1 C_INTERNET 1 A - - F F F F 0 - - F 0 query
|
||||||
XXXXXXXXXX.XXXXXX C8rquZ3DjgNW06JGLl fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp 47948 - brwc0cb383d1f42 1 C_INTERNET 1 A - - F F F F 0 - - F
|
XXXXXXXXXX.XXXXXX C8rquZ3DjgNW06JGLl fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp 47948 - brwc0cb383d1f42 1 C_INTERNET 1 A - - F F F F 0 - - F 0 query
|
||||||
XXXXXXXXXX.XXXXXX C8rquZ3DjgNW06JGLl fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp 47948 - brwc0cb383d1f42 1 C_INTERNET 1 A - - F F F F 0 - - F
|
XXXXXXXXXX.XXXXXX C8rquZ3DjgNW06JGLl fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp 47948 - brwc0cb383d1f42 1 C_INTERNET 1 A - - F F F F 0 - - F 0 query
|
||||||
XXXXXXXXXX.XXXXXX CzrZOtXqhwwndQva3 141.142.220.226 55671 224.0.0.252 5355 udp 47948 - brwc0cb383d1f42 1 C_INTERNET 1 A - - F F F F 0 - - F
|
XXXXXXXXXX.XXXXXX CzrZOtXqhwwndQva3 141.142.220.226 55671 224.0.0.252 5355 udp 47948 - brwc0cb383d1f42 1 C_INTERNET 1 A - - F F F F 0 - - F 0 query
|
||||||
XXXXXXXXXX.XXXXXX CzrZOtXqhwwndQva3 141.142.220.226 55671 224.0.0.252 5355 udp 47948 - brwc0cb383d1f42 1 C_INTERNET 1 A - - F F F F 0 - - F
|
XXXXXXXXXX.XXXXXX CzrZOtXqhwwndQva3 141.142.220.226 55671 224.0.0.252 5355 udp 47948 - brwc0cb383d1f42 1 C_INTERNET 1 A - - F F F F 0 - - F 0 query
|
||||||
XXXXXXXXXX.XXXXXX CaGCc13FffXe6RkQl9 141.142.220.238 56641 141.142.220.255 137 udp 9321 - WORKGROUP 1 C_INTERNET 32 NIMLOC - - F F T F 1 - - F
|
XXXXXXXXXX.XXXXXX CaGCc13FffXe6RkQl9 141.142.220.238 56641 141.142.220.255 137 udp 9321 - WORKGROUP 1 C_INTERNET 32 NIMLOC - - F F T F 1 - - F 0 netbios-query
|
||||||
#close XXXX-XX-XX-XX-XX-XX
|
#close XXXX-XX-XX-XX-XX-XX
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path dns
|
#path dns
|
||||||
#open XXXX-XX-XX-XX-XX-XX
|
#open XXXX-XX-XX-XX-XX-XX
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected auth addl
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name auth addl
|
||||||
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool set[string] set[string]
|
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string set[string] set[string]
|
||||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.87.3.74 51871 10.87.1.10 53 udp 27571 0.002004 example.net 1 C_INTERNET 65534 query-65534 0 NOERROR T F T T 2 BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal 0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000 F - -
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.87.3.74 51871 10.87.1.10 53 udp 27571 0.002004 example.net 1 C_INTERNET 65534 query-65534 0 NOERROR T F T T 2 BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal 0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000 F 0 query - -
|
||||||
#close XXXX-XX-XX-XX-XX-XX
|
#close XXXX-XX-XX-XX-XX-XX
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path dns
|
#path dns
|
||||||
#open XXXX-XX-XX-XX-XX-XX
|
#open XXXX-XX-XX-XX-XX-XX
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name
|
||||||
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
|
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string
|
||||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.6.10 53209 192.168.129.36 53 udp 41477 0.075138 paypal.com 1 C_INTERNET 48 DNSKEY 0 NOERROR F F T T 1 DNSKEY 5,DNSKEY 5,RRSIG 48 paypal.com,RRSIG 48 paypal.com 455.000000,455.000000,455.000000,455.000000 F
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.6.10 53209 192.168.129.36 53 udp 41477 0.075138 paypal.com 1 C_INTERNET 48 DNSKEY 0 NOERROR F F T T 1 DNSKEY 5,DNSKEY 5,RRSIG 48 paypal.com,RRSIG 48 paypal.com 455.000000,455.000000,455.000000,455.000000 F 0 query
|
||||||
#close XXXX-XX-XX-XX-XX-XX
|
#close XXXX-XX-XX-XX-XX-XX
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path dns
|
#path dns
|
||||||
#open XXXX-XX-XX-XX-XX-XX
|
#open XXXX-XX-XX-XX-XX-XX
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name
|
||||||
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
|
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string
|
||||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.153.129 50729 192.168.153.2 53 udp 22666 0.018166 upenn.edu 1 C_INTERNET 48 DNSKEY 0 NOERROR F F T T 2 DNSKEY 5,DNSKEY 5,DNSKEY 5,RRSIG 48 upenn.edu,RRSIG 48 upenn.edu 5.000000,5.000000,5.000000,3444.000000,3444.000000 F
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.153.129 50729 192.168.153.2 53 udp 22666 0.018166 upenn.edu 1 C_INTERNET 48 DNSKEY 0 NOERROR F F T T 2 DNSKEY 5,DNSKEY 5,DNSKEY 5,RRSIG 48 upenn.edu,RRSIG 48 upenn.edu 5.000000,5.000000,5.000000,3444.000000,3444.000000 F 0 query
|
||||||
#close XXXX-XX-XX-XX-XX-XX
|
#close XXXX-XX-XX-XX-XX-XX
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path dns
|
#path dns
|
||||||
#open XXXX-XX-XX-XX-XX-XX
|
#open XXXX-XX-XX-XX-XX-XX
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name
|
||||||
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
|
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string
|
||||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.153.129 50729 192.168.153.2 53 udp 39080 0.017821 upenn.edu 1 C_INTERNET 43 DS 0 NOERROR F F T T 2 DS 5 1,DS 5 2,RRSIG 43 edu 5.000000,5.000000,5.000000 F
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.153.129 50729 192.168.153.2 53 udp 39080 0.017821 upenn.edu 1 C_INTERNET 43 DS 0 NOERROR F F T T 2 DS 5 1,DS 5 2,RRSIG 43 edu 5.000000,5.000000,5.000000 F 0 query
|
||||||
#close XXXX-XX-XX-XX-XX-XX
|
#close XXXX-XX-XX-XX-XX-XX
|
||||||
|
|
|
@ -5,8 +5,8 @@
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path dns
|
#path dns
|
||||||
#open XXXX-XX-XX-XX-XX-XX
|
#open XXXX-XX-XX-XX-XX-XX
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name
|
||||||
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
|
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string
|
||||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 55.247.223.174 27285 222.195.43.124 53 udp 21140 0.000214 www.cmu.edu 1 C_INTERNET 1 A 0 NOERROR T F F F 1 www-cmu.andrew.cmu.edu,RRSIG 5 cmu.edu,www-cmu-2.andrew.cmu.edu,128.2.10.163 86400.000000,86400.000000,5.000000,21600.000000 F
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 55.247.223.174 27285 222.195.43.124 53 udp 21140 0.000214 www.cmu.edu 1 C_INTERNET 1 A 0 NOERROR T F F F 1 www-cmu.andrew.cmu.edu,RRSIG 5 cmu.edu,www-cmu-2.andrew.cmu.edu,128.2.10.163 86400.000000,86400.000000,5.000000,21600.000000 F 0 query
|
||||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 55.247.223.174 27285 222.195.43.124 53 udp 21140 - www.cmu.edu - - - - 0 NOERROR T F F F 0 www-cmu.andrew.cmu.edu,RRSIG 5 cmu.edu,www-cmu-2.andrew.cmu.edu,128.2.10.163 86400.000000,86400.000000,5.000000,21600.000000 F
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 55.247.223.174 27285 222.195.43.124 53 udp 21140 - www.cmu.edu - - - - 0 NOERROR T F F F 0 www-cmu.andrew.cmu.edu,RRSIG 5 cmu.edu,www-cmu-2.andrew.cmu.edu,128.2.10.163 86400.000000,86400.000000,5.000000,21600.000000 F 0 query
|
||||||
#close XXXX-XX-XX-XX-XX-XX
|
#close XXXX-XX-XX-XX-XX-XX
|
||||||
|
|
|
@ -0,0 +1,5 @@
|
||||||
|
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||||
|
[id=47952, opcode=5, rcode=0, QR=F, AA=F, TC=F, RD=F, RA=F, Z=0, AD=F, CD=F, num_queries=1, num_answers=1, num_auth=3, num_addl=1, is_netbios=F], stratolab.org, 1, C_INTERNET
|
||||||
|
[id=47952, opcode=5, rcode=5, QR=T, AA=F, TC=F, RD=F, RA=F, Z=0, AD=F, CD=F, num_queries=1, num_answers=1, num_auth=3, num_addl=1, is_netbios=F], stratolab.org, 1, C_INTERNET
|
||||||
|
[id=61191, opcode=5, rcode=0, QR=F, AA=F, TC=F, RD=F, RA=F, Z=0, AD=F, CD=F, num_queries=1, num_answers=1, num_auth=3, num_addl=0, is_netbios=F], stratolab.org, 1, C_INTERNET
|
||||||
|
[id=61191, opcode=5, rcode=0, QR=T, AA=F, TC=F, RD=F, RA=F, Z=0, AD=F, CD=F, num_queries=1, num_answers=1, num_auth=3, num_addl=0, is_netbios=F], stratolab.org, 1, C_INTERNET
|
|
@ -1,12 +0,0 @@
|
||||||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
|
||||||
#separator \x09
|
|
||||||
#set_separator ,
|
|
||||||
#empty_field (empty)
|
|
||||||
#unset_field -
|
|
||||||
#path weird
|
|
||||||
#open XXXX-XX-XX-XX-XX-XX
|
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source
|
|
||||||
#types time string addr port addr port string string bool string string
|
|
||||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.1.106 62763 192.168.1.108 53 DNS_unknown_opcode 5 F zeek DNS
|
|
||||||
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.1.105 62763 192.168.1.108 53 DNS_unknown_opcode 5 F zeek DNS
|
|
||||||
#close XXXX-XX-XX-XX-XX-XX
|
|
|
@ -5,7 +5,7 @@
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path dns
|
#path dns
|
||||||
#open XXXX-XX-XX-XX-XX-XX
|
#open XXXX-XX-XX-XX-XX-XX
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name
|
||||||
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
|
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string
|
||||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.20.1.31 53 207.158.192.40 53 udp 25701 - us.v27.distributed.net - - - - 0 NOERROR T F F T 0 206.109.64.186,216.1.205.81,205.149.163.211,134.53.131.135,134.53.131.192,128.104.18.148,204.152.186.139,63.77.33.226 900.000000,900.000000,900.000000,900.000000,900.000000,900.000000,900.000000,900.000000 F
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.20.1.31 53 207.158.192.40 53 udp 25701 - us.v27.distributed.net - - - - 0 NOERROR T F F T 0 206.109.64.186,216.1.205.81,205.149.163.211,134.53.131.135,134.53.131.192,128.104.18.148,204.152.186.139,63.77.33.226 900.000000,900.000000,900.000000,900.000000,900.000000,900.000000,900.000000,900.000000 F 0 query
|
||||||
#close XXXX-XX-XX-XX-XX-XX
|
#close XXXX-XX-XX-XX-XX-XX
|
||||||
|
|
|
@ -1,2 +1,2 @@
|
||||||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||||
HINFO, [id=51592, opcode=0, rcode=0, QR=T, AA=T, TC=F, RD=T, RA=T, Z=0, AD=F, CD=F, num_queries=1, num_answers=1, num_auth=0, num_addl=1], [answer_type=1, query=zeek.example.net, qtype=13, qclass=1, TTL=1.0 hr], INTEL-386, Windows
|
HINFO, [id=51592, opcode=0, rcode=0, QR=T, AA=T, TC=F, RD=T, RA=T, Z=0, AD=F, CD=F, num_queries=1, num_answers=1, num_auth=0, num_addl=1, is_netbios=F], [answer_type=1, query=zeek.example.net, qtype=13, qclass=1, TTL=1.0 hr], INTEL-386, Windows
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path dns
|
#path dns
|
||||||
#open XXXX-XX-XX-XX-XX-XX
|
#open XXXX-XX-XX-XX-XX-XX
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name
|
||||||
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
|
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string
|
||||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 79.141.82.250 57483 192.188.22.52 53 udp 33295 0.000195 sunn-pt1.es.net 1 C_INTERNET 255 * 0 NOERROR T F F F 0 LOC: 18 21 19,RRSIG 29 es.net 600.000000,600.000000 F
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 79.141.82.250 57483 192.188.22.52 53 udp 33295 0.000195 sunn-pt1.es.net 1 C_INTERNET 255 * 0 NOERROR T F F F 0 LOC: 18 21 19,RRSIG 29 es.net 600.000000,600.000000 F 0 query
|
||||||
#close XXXX-XX-XX-XX-XX-XX
|
#close XXXX-XX-XX-XX-XX-XX
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path dns
|
#path dns
|
||||||
#open XXXX-XX-XX-XX-XX-XX
|
#open XXXX-XX-XX-XX-XX-XX
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name
|
||||||
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
|
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string
|
||||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.150.187.50 51946 68.142.255.16 53 udp 28079 - flkr._domainkey.flickr.com - - - - 0 NOERROR T F F F 0 fa14._domainkey.flickr.com,fa14._domainkey.yahoo.com,TXT 127 k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPdPfyJM2R2GqMyZM1flTzFeDIU+e7KmiKRw5yz3Xht+cgEIiHmm5lIGBuWCc5rtiy0CcxePpqccPKjn TXT 98 HSrDI23PU+HOuqJ6ergE1IOsL6LOEgG6YT53vMb8Z6UiBSsYPlrDEC+8CUIkTLMLXJauRK5bNRKV1ATGzGFpf3TjZtWwIDAQAB 900.000000,900.000000,7200.000000 F
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.150.187.50 51946 68.142.255.16 53 udp 28079 - flkr._domainkey.flickr.com - - - - 0 NOERROR T F F F 0 fa14._domainkey.flickr.com,fa14._domainkey.yahoo.com,TXT 127 k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPdPfyJM2R2GqMyZM1flTzFeDIU+e7KmiKRw5yz3Xht+cgEIiHmm5lIGBuWCc5rtiy0CcxePpqccPKjn TXT 98 HSrDI23PU+HOuqJ6ergE1IOsL6LOEgG6YT53vMb8Z6UiBSsYPlrDEC+8CUIkTLMLXJauRK5bNRKV1ATGzGFpf3TjZtWwIDAQAB 900.000000,900.000000,7200.000000 F 0 query
|
||||||
#close XXXX-XX-XX-XX-XX-XX
|
#close XXXX-XX-XX-XX-XX-XX
|
||||||
|
|
|
@ -1,2 +1,2 @@
|
||||||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||||
NAPTR, [id=20970, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, AD=F, CD=F, num_queries=1, num_answers=1, num_auth=0, num_addl=0], [answer_type=1, query=fp-de-carrier-vodafone.rcs.telephony.goog, qtype=35, qclass=1, TTL=2.0 mins 48.0 secs], [order=100, preference=100, flags=s, service=SIPS+D2T, regexp=, replacement=_sips._tcp.fp-de-carrier-vodafone.rcs.telephony.goog]
|
NAPTR, [id=20970, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, AD=F, CD=F, num_queries=1, num_answers=1, num_auth=0, num_addl=0, is_netbios=F], [answer_type=1, query=fp-de-carrier-vodafone.rcs.telephony.goog, qtype=35, qclass=1, TTL=2.0 mins 48.0 secs], [order=100, preference=100, flags=s, service=SIPS+D2T, regexp=, replacement=_sips._tcp.fp-de-carrier-vodafone.rcs.telephony.goog]
|
||||||
|
|
|
@ -5,8 +5,8 @@
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path dns
|
#path dns
|
||||||
#open XXXX-XX-XX-XX-XX-XX
|
#open XXXX-XX-XX-XX-XX-XX
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected auth addl
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name auth addl
|
||||||
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool set[string] set[string]
|
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string set[string] set[string]
|
||||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 35.184.172.191 57073 128.175.13.16 53 udp 130 - dla.library.upenn.edu 1 C_INTERNET 28 AAAA 0 NOERROR F F F F 1 - - F RRSIG 47 upenn.edu,RRSIG 6 upenn.edu,NSEC dla.library.upenn.edu dlxssvr.library.upenn.edu,assailants.net.isc.upenn.edu -
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 35.184.172.191 57073 128.175.13.16 53 udp 130 - dla.library.upenn.edu 1 C_INTERNET 28 AAAA 0 NOERROR F F F F 1 - - F 0 query RRSIG 47 upenn.edu,RRSIG 6 upenn.edu,NSEC dla.library.upenn.edu dlxssvr.library.upenn.edu,assailants.net.isc.upenn.edu -
|
||||||
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 35.184.172.191 50693 128.175.13.16 53 udp 51063 0.001515 www.upenn.edu 1 C_INTERNET 1 A 0 NOERROR T F F F 1 www.upenn.edgekey.net,RRSIG 5 upenn.edu 300.000000,300.000000 F - -
|
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 35.184.172.191 50693 128.175.13.16 53 udp 51063 0.001515 www.upenn.edu 1 C_INTERNET 1 A 0 NOERROR T F F F 1 www.upenn.edgekey.net,RRSIG 5 upenn.edu 300.000000,300.000000 F 0 query - -
|
||||||
#close XXXX-XX-XX-XX-XX-XX
|
#close XXXX-XX-XX-XX-XX-XX
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path dns
|
#path dns
|
||||||
#open XXXX-XX-XX-XX-XX-XX
|
#open XXXX-XX-XX-XX-XX-XX
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected auth addl
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name auth addl
|
||||||
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool set[string] set[string]
|
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string set[string] set[string]
|
||||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.1.102 49324 192.168.1.1 53 udp 9835 - foobar.sshfp.net 1 C_INTERNET 1 A 3 NXDOMAIN F F T F 2 - - F ns0.weberdns.de,RRSIG 6 sshfp.net,NSEC3,RRSIG 50 sshfp.net -
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.1.102 49324 192.168.1.1 53 udp 9835 - foobar.sshfp.net 1 C_INTERNET 1 A 3 NXDOMAIN F F T F 2 - - F 0 query ns0.weberdns.de,RRSIG 6 sshfp.net,NSEC3,RRSIG 50 sshfp.net -
|
||||||
#close XXXX-XX-XX-XX-XX-XX
|
#close XXXX-XX-XX-XX-XX-XX
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path dns
|
#path dns
|
||||||
#open XXXX-XX-XX-XX-XX-XX
|
#open XXXX-XX-XX-XX-XX-XX
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected auth addl
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name auth addl
|
||||||
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool set[string] set[string]
|
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string set[string] set[string]
|
||||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.87.3.18 53540 10.87.1.54 53 udp 15626 0.522010 sshfp.net 1 C_INTERNET 51 NSEC3PARAM 0 NOERROR F F T T 2 NSEC3PARAM 0.000000 F - -
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.87.3.18 53540 10.87.1.54 53 udp 15626 0.522010 sshfp.net 1 C_INTERNET 51 NSEC3PARAM 0 NOERROR F F T T 2 NSEC3PARAM 0.000000 F 0 query - -
|
||||||
#close XXXX-XX-XX-XX-XX-XX
|
#close XXXX-XX-XX-XX-XX-XX
|
||||||
|
|
|
@ -5,10 +5,10 @@
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path dns
|
#path dns
|
||||||
#open XXXX-XX-XX-XX-XX-XX
|
#open XXXX-XX-XX-XX-XX-XX
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name
|
||||||
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
|
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string
|
||||||
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 35.184.172.191 10267 128.175.13.16 53 udp 17129 0.003405 virgo.sas.upenn.edu 1 C_INTERNET 1 A 0 NOERROR T F F F 1 128.91.234.142,RRSIG 1 upenn.edu 30.000000,30.000000 F
|
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 35.184.172.191 10267 128.175.13.16 53 udp 17129 0.003405 virgo.sas.upenn.edu 1 C_INTERNET 1 A 0 NOERROR T F F F 1 128.91.234.142,RRSIG 1 upenn.edu 30.000000,30.000000 F 0 query
|
||||||
XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 35.184.172.191 50056 128.175.13.16 53 udp 26222 0.003363 virgo.sas.upenn.edu 1 C_INTERNET 1 A 0 NOERROR T F F F 1 128.91.234.142,RRSIG 1 upenn.edu 30.000000,30.000000 F
|
XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 35.184.172.191 50056 128.175.13.16 53 udp 26222 0.003363 virgo.sas.upenn.edu 1 C_INTERNET 1 A 0 NOERROR T F F F 1 128.91.234.142,RRSIG 1 upenn.edu 30.000000,30.000000 F 0 query
|
||||||
XXXXXXXXXX.XXXXXX CtPZjS20MLrsMUOJi2 35.184.172.191 39975 128.175.13.16 53 udp 27118 0.003748 workfamily.sas.upenn.edu 1 C_INTERNET 1 A 0 NOERROR T F F F 1 quasar.sas.upenn.edu,RRSIG 5 upenn.edu,128.91.234.145,RRSIG 1 upenn.edu 900.000000,900.000000,30.000000,30.000000 F
|
XXXXXXXXXX.XXXXXX CtPZjS20MLrsMUOJi2 35.184.172.191 39975 128.175.13.16 53 udp 27118 0.003748 workfamily.sas.upenn.edu 1 C_INTERNET 1 A 0 NOERROR T F F F 1 quasar.sas.upenn.edu,RRSIG 5 upenn.edu,128.91.234.145,RRSIG 1 upenn.edu 900.000000,900.000000,30.000000,30.000000 F 0 query
|
||||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 35.184.172.191 5386 128.175.13.16 53 udp 62809 - virgo.sas.upenn.edu 1 C_INTERNET 1 A - - F F F F 1 - - F
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 35.184.172.191 5386 128.175.13.16 53 udp 62809 - virgo.sas.upenn.edu 1 C_INTERNET 1 A - - F F F F 1 - - F 0 query
|
||||||
#close XXXX-XX-XX-XX-XX-XX
|
#close XXXX-XX-XX-XX-XX-XX
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path dns
|
#path dns
|
||||||
#open XXXX-XX-XX-XX-XX-XX
|
#open XXXX-XX-XX-XX-XX-XX
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name
|
||||||
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
|
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string
|
||||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.91.0.62 57806 10.91.1.59 53 udp 64161 - mail.vladg.net - - - - 0 NOERROR F F F T 0 SPF 19 v=spf1 mx -all test,SPF 14 v=spf1 mx -all 300.000000,300.000000 F
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.91.0.62 57806 10.91.1.59 53 udp 64161 - mail.vladg.net - - - - 0 NOERROR F F F T 0 SPF 19 v=spf1 mx -all test,SPF 14 v=spf1 mx -all 300.000000,300.000000 F 0 query
|
||||||
#close XXXX-XX-XX-XX-XX-XX
|
#close XXXX-XX-XX-XX-XX-XX
|
||||||
|
|
|
@ -5,8 +5,8 @@
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path dns
|
#path dns
|
||||||
#open XXXX-XX-XX-XX-XX-XX
|
#open XXXX-XX-XX-XX-XX-XX
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name
|
||||||
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
|
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string
|
||||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 128.3.121.180 54109 192.188.22.52 53 udp 40916 0.000200 mon.lbl.gov 1 C_INTERNET 44 SSHFP 0 NOERROR T F F F 1 SSHFP: a6b95f9eba1104a7272a362e8bfbcbebd5726dcf,SSHFP: 520711b47c300b819cfb696a845007c420de4df30ae3953004b6cfb2bd2c6a46,SSHFP: 5b72c59cceaea2c210f14156e20e6aff829b3e3b,SSHFP: c052721a978470b36fe5b9222f234400f369172b,SSHFP: 0b24d970aa05b708804d35eea3a8c1a6c355e545,SSHFP: 2870056915073c1e189fc7bf04bbce4512be09a0104f64ae3cfa072b8e06dd2b,SSHFP: 562cb91a82129b62ee4fd92ca202a72b844b7e84ac29dec75654453550201e82,SSHFP: c692deb7667ceee670d3e6863b5de7b140fe0ba0183a52f6ccbb4247f7b0ab29,RRSIG 44 lbl.gov 43200.000000,43200.000000,43200.000000,43200.000000,43200.000000,43200.000000,43200.000000,43200.000000,43200.000000 F
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 128.3.121.180 54109 192.188.22.52 53 udp 40916 0.000200 mon.lbl.gov 1 C_INTERNET 44 SSHFP 0 NOERROR T F F F 1 SSHFP: a6b95f9eba1104a7272a362e8bfbcbebd5726dcf,SSHFP: 520711b47c300b819cfb696a845007c420de4df30ae3953004b6cfb2bd2c6a46,SSHFP: 5b72c59cceaea2c210f14156e20e6aff829b3e3b,SSHFP: c052721a978470b36fe5b9222f234400f369172b,SSHFP: 0b24d970aa05b708804d35eea3a8c1a6c355e545,SSHFP: 2870056915073c1e189fc7bf04bbce4512be09a0104f64ae3cfa072b8e06dd2b,SSHFP: 562cb91a82129b62ee4fd92ca202a72b844b7e84ac29dec75654453550201e82,SSHFP: c692deb7667ceee670d3e6863b5de7b140fe0ba0183a52f6ccbb4247f7b0ab29,RRSIG 44 lbl.gov 43200.000000,43200.000000,43200.000000,43200.000000,43200.000000,43200.000000,43200.000000,43200.000000,43200.000000 F 0 query
|
||||||
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 128.3.121.180 54109 192.188.22.52 53 udp 22044 - n0019.savio1.lbl.gov 1 C_INTERNET 1 A 3 NXDOMAIN F F F F 0 - - F
|
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 128.3.121.180 54109 192.188.22.52 53 udp 22044 - n0019.savio1.lbl.gov 1 C_INTERNET 1 A 3 NXDOMAIN F F F F 0 - - F 0 query
|
||||||
#close XXXX-XX-XX-XX-XX-XX
|
#close XXXX-XX-XX-XX-XX-XX
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path dns
|
#path dns
|
||||||
#open XXXX-XX-XX-XX-XX-XX
|
#open XXXX-XX-XX-XX-XX-XX
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name
|
||||||
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
|
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string
|
||||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.1.106 50138 192.168.1.108 53 tcp 52640 - 1068-ms-7.309-2c6e448.7a9463b8-b109-11ed-26a3-080027f220e5 1 C_INTERNET 249 TKEY 0 NOERROR F F F F 0 - - F
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.1.106 50138 192.168.1.108 53 tcp 52640 - 1068-ms-7.309-2c6e448.7a9463b8-b109-11ed-26a3-080027f220e5 1 C_INTERNET 249 TKEY 0 NOERROR F F F F 0 - - F 0 query
|
||||||
#close XXXX-XX-XX-XX-XX-XX
|
#close XXXX-XX-XX-XX-XX-XX
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path dns
|
#path dns
|
||||||
#open XXXX-XX-XX-XX-XX-XX
|
#open XXXX-XX-XX-XX-XX-XX
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected auth addl
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name auth addl
|
||||||
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool set[string] set[string]
|
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string set[string] set[string]
|
||||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.87.3.18 60059 10.87.1.10 53 udp 63119 0.001993 zeek.example.net 1 C_INTERNET 11 WKS 0 NOERROR T F T T 2 - - F - -
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.87.3.18 60059 10.87.1.10 53 udp 63119 0.001993 zeek.example.net 1 C_INTERNET 11 WKS 0 NOERROR T F T T 2 - - F 0 query - -
|
||||||
#close XXXX-XX-XX-XX-XX-XX
|
#close XXXX-XX-XX-XX-XX-XX
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path dns
|
#path dns
|
||||||
#open XXXX-XX-XX-XX-XX-XX
|
#open XXXX-XX-XX-XX-XX-XX
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name
|
||||||
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
|
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string
|
||||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.64 49204 146.186.163.66 53 udp 17323 - psu.edu 1 C_INTERNET 28 AAAA 0 NOERROR F F T F 0 - - F
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.64 49204 146.186.163.66 53 udp 17323 - psu.edu 1 C_INTERNET 28 AAAA 0 NOERROR F F T F 0 - - F 0 query
|
||||||
#close XXXX-XX-XX-XX-XX-XX
|
#close XXXX-XX-XX-XX-XX-XX
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path dns
|
#path dns
|
||||||
#open XXXX-XX-XX-XX-XX-XX
|
#open XXXX-XX-XX-XX-XX-XX
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected original_query
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name original_query
|
||||||
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool string
|
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string string
|
||||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.3.138 63374 192.168.3.1 53 udp 20877 - us.v27.distributed.net 1 C_INTERNET 1 A - - F F T F 2 - - F Us.V27.DiStRiBuTeD.NET
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.3.138 63374 192.168.3.1 53 udp 20877 - us.v27.distributed.net 1 C_INTERNET 1 A - - F F T F 2 - - F 0 query Us.V27.DiStRiBuTeD.NET
|
||||||
#close XXXX-XX-XX-XX-XX-XX
|
#close XXXX-XX-XX-XX-XX-XX
|
||||||
|
|
|
@ -1,6 +1,12 @@
|
||||||
# @TEST-DOC: Tests that a DNS dynamic update packet doesn't error but reports an unknown opcode weird
|
# @TEST-DOC: Tests that a DNS dynamic update packet is processed.
|
||||||
# @TEST-EXEC: zeek -b -C -r $TRACES/dns/dynamic-update.pcap %INPUT
|
# @TEST-EXEC: zeek -b -C -r $TRACES/dns/dynamic-update.pcap %INPUT >out 2>&1
|
||||||
# @TEST-EXEC: btest-diff weird.log
|
# @TEST-EXEC: btest-diff out
|
||||||
|
# @TEST-EXEC: ! test -f weird.log
|
||||||
|
|
||||||
@load base/frameworks/notice/weird
|
@load base/frameworks/notice/weird
|
||||||
@load base/protocols/dns
|
@load base/protocols/dns
|
||||||
|
|
||||||
|
event dns_dynamic_update(c: connection, msg: dns_msg, zname: string, zclass: count)
|
||||||
|
{
|
||||||
|
print msg, zname, zclass, DNS::classes[zclass];
|
||||||
|
}
|
||||||
|
|
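Review bot: The new `@TEST-DOC` line understates what the test now enforces: the two `@TEST-EXEC` lines assert both that `dns_dynamic_update` fires with the zone details and that no weird.log is written, so `# @TEST-DOC: Tests that a DNS dynamic update packet raises dns_dynamic_update and produces no unknown-opcode weird` would document the actual contract. The handler's `print msg, zname, zclass, DNS::classes[zclass];` relies on `DNS::classes` having a `&default`; if it does not, a zone class outside the table would abort the script at runtime rather than produce a baseline mismatch, so that is worth confirming before the baseline depends on it. Redirecting with `>out 2>&1` also folds any reporter warnings into the baseline, which appears intended but is worth a short comment on the `@TEST-EXEC` line.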
2
testing/external/commit-hash.zeek-testing
vendored
2
testing/external/commit-hash.zeek-testing
vendored
|
@ -1 +1 @@
|
||||||
31094f4840d0abc8fdf7f810e281851bd057931b
|
0f0a78fbe0bc690bede40da17d30c1fd2db273c6
|
||||||
|
|
|
@ -1 +1 @@
|
||||||
2b90a083a2b35a2a3c1d71ff92318c7a11263cd6
|
80860e185460d347c969c04977fa7e99dff9eaab
|
||||||
|
|