diff --git a/CHANGES b/CHANGES index f4f856f70b..f75d4c63b6 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +3.3.0-dev.516 | 2020-11-11 12:53:02 -0700 + + * Support for additional DNS RR Type: LOC[29], SSHFP[44], NSEC3PARAM[51], custom BIND9 signaling[65534] (Fatema BW) 3.3.0-dev.514 | 2020-11-10 14:05:51 -0700 diff --git a/NEWS b/NEWS index 4d6e9cbcee..46b2831179 100644 --- a/NEWS +++ b/NEWS @@ -72,6 +72,14 @@ New Functionality ``policy/misc/unknown-protocols`` script. The script adds a new ``unknown_protocol`` event. +- Added support for DNS resource records LOC, SSHFP, NSEC3PARAM, and custom + BIND9 signaling. The associated events are: + + - dns_LOC + - dns_SSHFP + - dns_NSEC3PARAM + - dns_BINDS + Changed Functionality --------------------- diff --git a/VERSION b/VERSION index 29b7cc4c9e..3cfb3d45a6 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -3.3.0-dev.514 +3.3.0-dev.516 diff --git a/doc b/doc index d7f86df4df..e4cd91687f 160000 --- a/doc +++ b/doc @@ -1 +1 @@ -Subproject commit d7f86df4dfee8272a56d8f1590d9e1c9b5d0a2d9 +Subproject commit e4cd91687f1fa59c8376aa2b4dead748ef72a378 diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek index a27636e710..7257c2a16e 100644 --- a/scripts/base/init-bare.zeek +++ b/scripts/base/init-bare.zeek @@ -3782,13 +3782,27 @@ type dns_nsec3_rr: record { query: string; ##< Query. answer_type: count; ##< Ans type. nsec_flags: count; ##< flags field. - nsec_hash_algo: count; ##< Hash algorithm. + nsec_hash_algo: count; ##< Hash algorithm. nsec_iter: count; ##< Iterations. - nsec_salt_len: count; ##< Salt length. + nsec_salt_len: count; ##< Salt length. nsec_salt: string; ##< Salt value nsec_hlen: count; ##< Hash length. nsec_hash: string; ##< Hash value. - bitmaps: string_vec; ##< Type Bit Maps. + bitmaps: string_vec; ##< Type Bit Maps. + is_query: count; ##< The RR is a query/Response. +}; + +## A DNSSEC NSEC3PARAM record. +## +## .. zeek:see:: dns_NSEC3PARAM +type dns_nsec3param_rr: record { + query: string; ##< Query. + answer_type: count; ##< Ans type. + nsec_flags: count; ##< flags field. + nsec_hash_algo: count; ##< Hash algorithm. + nsec_iter: count; ##< Iterations. + nsec_salt_len: count; ##< Salt length. + nsec_salt: string; ##< Salt value is_query: count; ##< The RR is a query/Response. }; @@ -3805,6 +3819,35 @@ type dns_ds_rr: record { is_query: count; ##< The RR is a query/Response. }; +## A Private RR type BINDS record. +## +## .. zeek:see:: dns_BINDS +type dns_binds_rr: record { + query: string; ##< Query. + answer_type: count; ##< Ans type. + algorithm: count; ##< Algorithm for Public Key. + key_id: count; ##< key tag. + removal_flag: count; ##< rm flag. + complte_flag: string; ##< complete flag. + is_query: count; ##< The RR is a query/Response. +}; + +## A Private RR type LOC record. +## +## .. zeek:see:: dns_LOC +type dns_loc_rr: record { + query: string; ##< Query. + answer_type: count; ##< Ans type. + version: count; ##< version number of the representation. + size: count; ##< Diameter of a sphere enclosing the entity. + horiz_pre: count; ##< The horizontal precision of the data, in centimeters. + vert_pre: count; ##< The vertical precision of the data, in centimeters. + latitude: count; ##< The latitude of the center of the sphere. + longitude: count; ##< The longitude of the center of the sphere. + altitude: count; ##< The altitude of the center of the sphere. + is_query: count; ##< The RR is a query/Response. +}; + # DNS answer types. # # .. zeek:see:: dns_answerr diff --git a/scripts/base/protocols/dns/main.zeek b/scripts/base/protocols/dns/main.zeek index f73a7e6bf0..ff9f47b464 100644 --- a/scripts/base/protocols/dns/main.zeek +++ b/scripts/base/protocols/dns/main.zeek @@ -577,6 +577,11 @@ event dns_NSEC3(c: connection, msg: dns_msg, ans: dns_answer, nsec3: dns_nsec3_r hook DNS::do_reply(c, msg, ans, "NSEC3"); } +event dns_NSEC3PARAM(c: connection, msg: dns_msg, ans: dns_answer, nsec3param: dns_nsec3param_rr) &priority=5 + { + hook DNS::do_reply(c, msg, ans, "NSEC3PARAM"); + } + event dns_DS(c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_rr) &priority=5 { local s: string; @@ -584,6 +589,25 @@ event dns_DS(c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_rr) &prior hook DNS::do_reply(c, msg, ans, s); } +event dns_BINDS(c: connection, msg: dns_msg, ans: dns_answer, binds: dns_binds_rr) &priority=5 + { + hook DNS::do_reply(c, msg, ans, "BIND9 signing signal"); + } + +event dns_SSHFP(c: connection, msg: dns_msg, ans: dns_answer, algo: count, fptype: count, fingerprint: string) &priority=5 + { + local s: string; + s = fmt("SSHFP: %s", bytestring_to_hexstr(fingerprint)); + hook DNS::do_reply(c, msg, ans, s); + } + +event dns_LOC(c: connection, msg: dns_msg, ans: dns_answer, loc: dns_loc_rr) &priority=5 + { + local s: string; + s = fmt("LOC: %d %d %d", loc$size, loc$horiz_pre, loc$vert_pre); + hook DNS::do_reply(c, msg, ans, s); + } + event dns_rejected(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count) &priority=5 { if ( c?$dns ) diff --git a/src/NetVar.cc b/src/NetVar.cc index 4b03939474..02c83eb267 100644 --- a/src/NetVar.cc +++ b/src/NetVar.cc @@ -66,7 +66,10 @@ zeek::RecordType* dns_tsig_additional; zeek::RecordType* dns_rrsig_rr; zeek::RecordType* dns_dnskey_rr; zeek::RecordType* dns_nsec3_rr; +zeek::RecordType* dns_nsec3param_rr; zeek::RecordType* dns_ds_rr; +zeek::RecordType* dns_binds_rr; +zeek::RecordType* dns_loc_rr; zeek::TableVal* dns_skip_auth; zeek::TableVal* dns_skip_addl; diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc index 18f3f24b8c..a11c0300ad 100644 --- a/src/analyzer/protocol/dns/DNS.cc +++ b/src/analyzer/protocol/dns/DNS.cc @@ -339,9 +339,25 @@ bool DNS_Interpreter::ParseAnswer(detail::DNS_MsgInfo* msg, status = ParseRR_NSEC3(msg, data, len, rdlength, msg_start); break; + case detail::TYPE_NSEC3PARAM: + status = ParseRR_NSEC3PARAM(msg, data, len, rdlength, msg_start); + break; + case detail::TYPE_DS: status = ParseRR_DS(msg, data, len, rdlength, msg_start); break; + + case detail::TYPE_BINDS: + status = ParseRR_BINDS(msg, data, len, rdlength, msg_start); + break; + + case detail::TYPE_SSHFP: + status = ParseRR_SSHFP(msg, data, len, rdlength, msg_start); + break; + + case detail::TYPE_LOC: + status = ParseRR_LOC(msg, data, len, rdlength, msg_start); + break; default: @@ -1275,6 +1291,56 @@ bool DNS_Interpreter::ParseRR_NSEC3(detail::DNS_MsgInfo* msg, return true; } +bool DNS_Interpreter::ParseRR_NSEC3PARAM(detail::DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start) + { + if ( ! dns_NSEC3PARAM || msg->skip_event ) + { + data += rdlength; + len -= rdlength; + return true; + } + + if ( len < 5 ) + return false; + + uint32_t halgo_flags = ExtractShort(data, len); + unsigned int hash_algo = (halgo_flags >> 8) & 0xff; + unsigned int nsec_flags = halgo_flags & 0xff; + unsigned int iter = ExtractShort(data, len); + + uint8_t salt_len = 0; + + if ( len > 0 ) + { + salt_len = data[0]; + ++data; + --len; + } + + auto salt_value = ExtractStream(data, len, static_cast(salt_len)); + + if ( dns_NSEC3PARAM ) + { + detail::NSEC3PARAM_DATA nsec3param; + nsec3param.nsec_flags = nsec_flags; + nsec3param.nsec_hash_algo = hash_algo; + nsec3param.nsec_iter = iter; + nsec3param.nsec_salt_len = salt_len; + nsec3param.nsec_salt = salt_value; + + analyzer->EnqueueConnEvent(dns_NSEC3PARAM, + analyzer->ConnVal(), + msg->BuildHdrVal(), + msg->BuildAnswerVal(), + msg->BuildNSEC3PARAM_Val(&nsec3param) + ); + } + + return true; + } + bool DNS_Interpreter::ParseRR_DS(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, int rdlength, const u_char* msg_start) @@ -1333,6 +1399,140 @@ bool DNS_Interpreter::ParseRR_DS(detail::DNS_MsgInfo* msg, return true; } +bool DNS_Interpreter::ParseRR_BINDS(detail::DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start) + { + if ( ! dns_BINDS || msg->skip_event ) + { + data += rdlength; + len -= rdlength; + return true; + } + + if ( len < 5 ) + return false; + + uint32_t algo_keyid_rflag = ExtractLong(data, len); + + unsigned int algo = (algo_keyid_rflag >> 24) & 0xff; + unsigned int keyid1 = (algo_keyid_rflag >> 16) & 0xff; + unsigned int keyid2 = (algo_keyid_rflag >> 8) & 0xff; + unsigned int rmflag = algo_keyid_rflag & 0xff; + + unsigned int keyid = (keyid1 << 8) | keyid2; + + String* completeflag = ExtractStream(data, len, rdlength - 4); + + if ( dns_BINDS ) + { + detail::BINDS_DATA binds; + binds.algorithm = algo; + binds.key_id = keyid; + binds.removal_flag = rmflag; + binds.complete_flag = completeflag; + + analyzer->EnqueueConnEvent(dns_BINDS, + analyzer->ConnVal(), + msg->BuildHdrVal(), + msg->BuildAnswerVal(), + msg->BuildBINDS_Val(&binds) + ); + } + + return true; + } + +bool DNS_Interpreter::ParseRR_SSHFP(detail::DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start) + { + if ( ! dns_SSHFP || msg->skip_event ) + { + data += rdlength; + len -= rdlength; + return true; + } + + if ( len < 2 ) + return false; + + uint32_t algo_fptype = ExtractShort(data, len); + unsigned int algo = (algo_fptype >> 8) & 0xff; + unsigned int fptype = algo_fptype & 0xff; + + String* fingerprint = ExtractStream(data, len, rdlength - 2); + + if ( dns_SSHFP ) + { + analyzer->EnqueueConnEvent(dns_SSHFP, + analyzer->ConnVal(), + msg->BuildHdrVal(), + msg->BuildAnswerVal(), + val_mgr->Count(algo), + val_mgr->Count(fptype), + make_intrusive(fingerprint) + ); + } + + return true; + } + +bool DNS_Interpreter::ParseRR_LOC(detail::DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start) + { + if ( ! dns_LOC || msg->skip_event ) + { + data += rdlength; + len -= rdlength; + return true; + } + + if ( len < 15 ) + return false; + + // split the two bytes for version and size extraction + uint32_t ver_size = ExtractShort(data, len); + unsigned int version = (ver_size >> 8) & 0xff; + unsigned int size = ver_size & 0xff; + + // split the two bytes for horizontal and vertical precision extraction + uint32_t horiz_vert = ExtractShort(data, len); + unsigned int horiz_pre = (horiz_vert >> 8) & 0xff; + unsigned int vert_pre= horiz_vert & 0xff; + + uint32_t latitude = ExtractLong(data, len); + uint32_t longitude = ExtractLong(data, len); + uint32_t altitude = ExtractLong(data, len); + + if ( version != 0 ) + { + analyzer->Weird("DNS_LOC_version_unrecognized", util::fmt("%d", version)); + } + + if ( dns_LOC ) + { + detail::LOC_DATA loc; + loc.version = version; + loc.size = size; + loc.horiz_pre = horiz_pre; + loc.vert_pre = vert_pre; + loc.latitude = latitude; + loc.longitude = longitude; + loc.altitude = altitude; + + analyzer->EnqueueConnEvent(dns_LOC, + analyzer->ConnVal(), + msg->BuildHdrVal(), + msg->BuildAnswerVal(), + msg->BuildLOC_Val(&loc) + ); + } + + return true; + } + bool DNS_Interpreter::ParseRR_A(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, int rdlength) { @@ -1780,6 +1980,23 @@ RecordValPtr DNS_MsgInfo::BuildNSEC3_Val(NSEC3_DATA* nsec3) return r; } +RecordValPtr DNS_MsgInfo::BuildNSEC3PARAM_Val(NSEC3PARAM_DATA* nsec3param) + { + static auto dns_nsec3param_rr = id::find_type("dns_nsec3param_rr"); + auto r = make_intrusive(dns_nsec3param_rr); + + r->Assign(0, query_name); + r->Assign(1, val_mgr->Count(int(answer_type))); + r->Assign(2, val_mgr->Count(nsec3param->nsec_flags)); + r->Assign(3, val_mgr->Count(nsec3param->nsec_hash_algo)); + r->Assign(4, val_mgr->Count(nsec3param->nsec_iter)); + r->Assign(5, val_mgr->Count(nsec3param->nsec_salt_len)); + r->Assign(6, make_intrusive(nsec3param->nsec_salt)); + r->Assign(7, val_mgr->Count(is_query)); + + return r; + } + RecordValPtr DNS_MsgInfo::BuildDS_Val(DS_DATA* ds) { static auto dns_ds_rr = id::find_type("dns_ds_rr"); @@ -1796,6 +2013,41 @@ RecordValPtr DNS_MsgInfo::BuildDS_Val(DS_DATA* ds) return r; } +RecordValPtr DNS_MsgInfo::BuildBINDS_Val(BINDS_DATA* binds) + { + static auto dns_binds_rr = id::find_type("dns_binds_rr"); + auto r = make_intrusive(dns_binds_rr); + + r->Assign(0, query_name); + r->Assign(1, val_mgr->Count(int(answer_type))); + r->Assign(2, val_mgr->Count(binds->algorithm)); + r->Assign(3, val_mgr->Count(binds->key_id)); + r->Assign(4, val_mgr->Count(binds->removal_flag)); + r->Assign(5, make_intrusive(binds->complete_flag)); + r->Assign(6, val_mgr->Count(is_query)); + + return r; + } + +RecordValPtr DNS_MsgInfo::BuildLOC_Val(LOC_DATA* loc) + { + static auto dns_loc_rr = id::find_type("dns_loc_rr"); + auto r = make_intrusive(dns_loc_rr); + + r->Assign(0, query_name); + r->Assign(1, val_mgr->Count(int(answer_type))); + r->Assign(2, val_mgr->Count(loc->version)); + r->Assign(3, val_mgr->Count(loc->size)); + r->Assign(4, val_mgr->Count(loc->horiz_pre)); + r->Assign(5, val_mgr->Count(loc->vert_pre)); + r->Assign(6, val_mgr->Count(loc->latitude)); + r->Assign(7, val_mgr->Count(loc->longitude)); + r->Assign(8, val_mgr->Count(loc->altitude)); + r->Assign(9, val_mgr->Count(is_query)); + + return r; + } + } // namespace detail Contents_DNS::Contents_DNS(Connection* conn, bool orig, diff --git a/src/analyzer/protocol/dns/DNS.h b/src/analyzer/protocol/dns/DNS.h index bbb8350602..1eae864643 100644 --- a/src/analyzer/protocol/dns/DNS.h +++ b/src/analyzer/protocol/dns/DNS.h @@ -45,7 +45,8 @@ enum RR_Type { TYPE_SIG = 24, ///< digital signature (RFC 2535) TYPE_KEY = 25, ///< public key (RFC 2535) TYPE_PX = 26, ///< pointer to X.400/RFC822 mapping info (RFC 1664) - TYPE_AAAA = 28, ///< IPv6 address (RFC 1886 + TYPE_AAAA = 28, ///< IPv6 address (RFC 1886) + TYPE_LOC = 29, ///< Location information about hosts (RFC 1876) TYPE_NBS = 32, ///< Netbios name (RFC 1002) TYPE_SRV = 33, ///< service location (RFC 2052) TYPE_NAPTR = 35, ///< naming authority pointer (RFC 2168) @@ -54,6 +55,7 @@ enum RR_Type { TYPE_A6 = 38, ///< IPv6 address with indirection (RFC 2874) TYPE_DNAME = 39, ///< Non-terminal DNS name redirection (RFC 2672) TYPE_EDNS = 41, ///< OPT pseudo-RR (RFC 2671) + TYPE_SSHFP = 44, ///< SSH Public Key Fingerprint (RFC 4255) TYPE_TKEY = 249, ///< Transaction Key (RFC 2930) TYPE_TSIG = 250, ///< Transaction Signature (RFC 2845) TYPE_CAA = 257, ///< Certification Authority Authorization (RFC 6844) @@ -63,6 +65,7 @@ enum RR_Type { TYPE_DNSKEY = 48, ///< DNS Key record (RFC 4034) TYPE_DS = 43, ///< Delegation signer (RFC 4034) TYPE_NSEC3 = 50, + TYPE_NSEC3PARAM = 51, ///< Contains the NSEC3 parameters (RFC 5155) // Obsoleted TYPE_SPF = 99, ///< Alternative: storing SPF data in TXT records, using the same format (RFC 4408). Support for it was discontinued in RFC 7208 // The following are only valid in queries. @@ -70,6 +73,8 @@ enum RR_Type { TYPE_ALL = 255, TYPE_WINS = 65281, ///< Microsoft's WINS RR TYPE_WINSR = 65282, ///< Microsoft's WINS-R RR + // Private use RR TYPE range: 65280 - 65534 + TYPE_BINDS = 65534, ///< Bind9's Private Type Rec for signaling state of signing process }; #define DNS_CLASS_IN 1 @@ -179,10 +184,10 @@ struct TSIG_DATA { }; struct RRSIG_DATA { - unsigned short type_covered; // 16 : ExtractShort(data, len) + unsigned short type_covered; // 16 : ExtractShort(data, len) unsigned short algorithm; // 8 unsigned short labels; // 8 - uint32_t orig_ttl; // 32 + uint32_t orig_ttl; // 32 unsigned long sig_exp; // 32 unsigned long sig_incep; // 32 unsigned short key_tag; //16 @@ -208,6 +213,14 @@ struct NSEC3_DATA { VectorValPtr bitmaps; }; +struct NSEC3PARAM_DATA { + unsigned short nsec_flags; // 8 + unsigned short nsec_hash_algo; // 8 + unsigned short nsec_iter; // 16 : ExtractShort(data, len) + unsigned short nsec_salt_len; // 8 + String* nsec_salt; // Variable length salt +}; + struct DS_DATA { unsigned short key_tag; // 16 : ExtractShort(data, len) unsigned short algorithm; // 8 @@ -215,6 +228,23 @@ struct DS_DATA { String* digest_val; // Variable lenght Digest of DNSKEY RR }; +struct BINDS_DATA { + unsigned short algorithm; // 8 + unsigned short key_id; // 16 : ExtractShort(data, len) + unsigned short removal_flag; // 8 + String* complete_flag; // 8 +}; + +struct LOC_DATA { + unsigned short version; // 8 + unsigned short size; // 8 + unsigned short horiz_pre; // 8 + unsigned short vert_pre; // 8 + unsigned long latitude; // 32 + unsigned long longitude; // 32 + unsigned long altitude; // 32 +}; + class DNS_MsgInfo { public: DNS_MsgInfo(DNS_RawMsgHdr* hdr, int is_query); @@ -229,7 +259,10 @@ public: RecordValPtr BuildRRSIG_Val(struct RRSIG_DATA*); RecordValPtr BuildDNSKEY_Val(struct DNSKEY_DATA*); RecordValPtr BuildNSEC3_Val(struct NSEC3_DATA*); + RecordValPtr BuildNSEC3PARAM_Val(struct NSEC3PARAM_DATA*); RecordValPtr BuildDS_Val(struct DS_DATA*); + RecordValPtr BuildBINDS_Val(struct BINDS_DATA*); + RecordValPtr BuildLOC_Val(struct LOC_DATA*); int id; int opcode; ///< query type, see DNS_Opcode @@ -349,9 +382,21 @@ protected: bool ParseRR_NSEC3(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, int rdlength, const u_char* msg_start); + bool ParseRR_NSEC3PARAM(detail::DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start); bool ParseRR_DS(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, int rdlength, const u_char* msg_start); + bool ParseRR_BINDS(detail::DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start); + bool ParseRR_SSHFP(detail::DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start); + bool ParseRR_LOC(detail::DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start); void SendReplyOrRejectEvent(detail::DNS_MsgInfo* msg, EventHandlerPtr event, const u_char*& data, int& len, String* question_name, diff --git a/src/analyzer/protocol/dns/events.bif b/src/analyzer/protocol/dns/events.bif index a32a6966ba..1c5dbcd11e 100644 --- a/src/analyzer/protocol/dns/events.bif +++ b/src/analyzer/protocol/dns/events.bif @@ -655,6 +655,19 @@ event dns_NSEC%(c: connection, msg: dns_msg, ans: dns_answer, next_name: string, ## nsec3: The parsed RDATA of Nsec3 record. event dns_NSEC3%(c: connection, msg: dns_msg, ans: dns_answer, nsec3: dns_nsec3_rr%); +## Generated for DNS replies of type *NSEC3PARAM*. For replies with multiple answers, +## an individual event of the corresponding type is raised for each. +## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## ans: The type-independent part of the parsed answer record. +## +## nsec3param: The parsed RDATA of NSEC3PARAM record. +event dns_NSEC3PARAM%(c: connection, msg: dns_msg, ans: dns_answer, nsec3param: dns_nsec3param_rr%); + ## Generated for DNS replies of type *DS*. For replies with multiple answers, ## an individual event of the corresponding type is raised for each. ## @@ -668,6 +681,45 @@ event dns_NSEC3%(c: connection, msg: dns_msg, ans: dns_answer, nsec3: dns_nsec3_ ## ds: The parsed RDATA of DS record. event dns_DS%(c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_rr%); +## Generated for DNS replies of type *BINDS*. For replies with multiple answers, +## an individual event of the corresponding type is raised for each. +## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## ans: The type-independent part of the parsed answer record. +## +## binds: The parsed RDATA of BIND-Signeing state record. +event dns_BINDS%(c: connection, msg: dns_msg, ans: dns_answer, binds: dns_binds_rr%); + +## Generated for DNS replies of type *BINDS*. For replies with multiple answers, +## an individual event of the corresponding type is raised for each. +## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## ans: The type-independent part of the parsed answer record. +## +## binds: The parsed RDATA of BIND-Signeing state record. +event dns_SSHFP%(c: connection, msg: dns_msg, ans: dns_answer, algo: count, fptype: count, fingerprint: string%); + +## Generated for DNS replies of type *LOC*. For replies with multiple answers, +## an individual event of the corresponding type is raised for each. +## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## ans: The type-independent part of the parsed answer record. +## +## loc: The parsed RDATA of LOC type record. +event dns_LOC%(c: connection, msg: dns_msg, ans: dns_answer, loc: dns_loc_rr%); + ## Generated at the end of processing a DNS packet. This event is the last ## ``dns_*`` event that will be raised for a DNS query/reply and signals that ## all resource records have been passed on. diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.loc/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.loc/dns.log new file mode 100644 index 0000000000..8ac9cb7341 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.dns.loc/dns.log @@ -0,0 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path dns +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected +#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 79.141.82.250 57483 192.188.22.52 53 udp 33295 0.000195 sunn-pt1.es.net 1 C_INTERNET 255 * 0 NOERROR T F F F 0 LOC: 18 21 19,RRSIG 29 es.net 60XXXXXXXXXX.XXXXXX,60XXXXXXXXXX.XXXXXX F +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.loc/output b/testing/btest/Baseline/scripts.base.protocols.dns.loc/output new file mode 100644 index 0000000000..7bac41e044 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.dns.loc/output @@ -0,0 +1,2 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +LOC, [query=sunn-pt1.es.net, answer_type=1, version=0, size=18, horiz_pre=21, vert_pre=19, latitude=2282029648, longitude=1708315648, altitude=10000000, is_query=0] diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.sshfp/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.sshfp/dns.log new file mode 100644 index 0000000000..d31d235484 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.dns.sshfp/dns.log @@ -0,0 +1,12 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path dns +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected +#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 128.3.121.180 54109 192.188.22.52 53 udp 40916 0.000200 mon.lbl.gov 1 C_INTERNET 44 SSHFP 0 NOERROR T F F F 1 SSHFP: a6b95f9eba1104a7272a362e8bfbcbebd5726dcf,SSHFP: 520711b47c300b819cfb696a845007c420de4df30ae3953004b6cfb2bd2c6a46,SSHFP: 5b72c59cceaea2c210f14156e20e6aff829b3e3b,SSHFP: c052721a978470b36fe5b9222f234400f369172b,SSHFP: 0b24d970aa05b708804d35eea3a8c1a6c355e545,SSHFP: 2870056915073c1e189fc7bf04bbce4512be09a0104f64ae3cfa072b8e06dd2b,SSHFP: 562cb91a82129b62ee4fd92ca202a72b844b7e84ac29dec75654453550201e82,SSHFP: c692deb7667ceee670d3e6863b5de7b140fe0ba0183a52f6ccbb4247f7b0ab29,RRSIG 44 lbl.gov 4320XXXXXXXXXX.XXXXXX,4320XXXXXXXXXX.XXXXXX,4320XXXXXXXXXX.XXXXXX,4320XXXXXXXXXX.XXXXXX,4320XXXXXXXXXX.XXXXXX,4320XXXXXXXXXX.XXXXXX,4320XXXXXXXXXX.XXXXXX,4320XXXXXXXXXX.XXXXXX,4320XXXXXXXXXX.XXXXXX F +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 128.3.121.180 54109 192.188.22.52 53 udp 22044 - n0019.savio1.lbl.gov 1 C_INTERNET 1 A 3 NXDOMAIN F F F F 0 - - F +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.sshfp/output b/testing/btest/Baseline/scripts.base.protocols.dns.sshfp/output new file mode 100644 index 0000000000..7df03c0058 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.dns.sshfp/output @@ -0,0 +1,9 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +SSHFP, 2, 1, a6b95f9eba1104a7272a362e8bfbcbebd5726dcf +SSHFP, 2, 2, 520711b47c300b819cfb696a845007c420de4df30ae3953004b6cfb2bd2c6a46 +SSHFP, 3, 1, 5b72c59cceaea2c210f14156e20e6aff829b3e3b +SSHFP, 1, 1, c052721a978470b36fe5b9222f234400f369172b +SSHFP, 4, 1, 0b24d970aa05b708804d35eea3a8c1a6c355e545 +SSHFP, 4, 2, 2870056915073c1e189fc7bf04bbce4512be09a0104f64ae3cfa072b8e06dd2b +SSHFP, 1, 2, 562cb91a82129b62ee4fd92ca202a72b844b7e84ac29dec75654453550201e82 +SSHFP, 3, 2, c692deb7667ceee670d3e6863b5de7b140fe0ba0183a52f6ccbb4247f7b0ab29 diff --git a/testing/btest/Traces/dns/loc-29-trunc.pcap b/testing/btest/Traces/dns/loc-29-trunc.pcap new file mode 100644 index 0000000000..484b9e42dc Binary files /dev/null and b/testing/btest/Traces/dns/loc-29-trunc.pcap differ diff --git a/testing/btest/Traces/dns/sshfp-trunc.pcap b/testing/btest/Traces/dns/sshfp-trunc.pcap new file mode 100644 index 0000000000..901654c0e4 Binary files /dev/null and b/testing/btest/Traces/dns/sshfp-trunc.pcap differ diff --git a/testing/btest/scripts/base/protocols/dns/loc.zeek b/testing/btest/scripts/base/protocols/dns/loc.zeek new file mode 100644 index 0000000000..dc863d16c4 --- /dev/null +++ b/testing/btest/scripts/base/protocols/dns/loc.zeek @@ -0,0 +1,9 @@ +# @TEST-EXEC: zeek -b -C -r $TRACES/dns/loc-29-trunc.pcap %INPUT > output +# @TEST-EXEC: btest-diff dns.log +# @TEST-EXEC: btest-diff output +@load base/protocols/dns + +event dns_LOC(c: connection, msg: dns_msg, ans: dns_answer, loc: dns_loc_rr) + { + print "LOC", loc; + } diff --git a/testing/btest/scripts/base/protocols/dns/sshfp.zeek b/testing/btest/scripts/base/protocols/dns/sshfp.zeek new file mode 100644 index 0000000000..c9d5be9f2a --- /dev/null +++ b/testing/btest/scripts/base/protocols/dns/sshfp.zeek @@ -0,0 +1,9 @@ +# @TEST-EXEC: zeek -b -C -r $TRACES/dns/sshfp-trunc.pcap %INPUT > output +# @TEST-EXEC: btest-diff dns.log +# @TEST-EXEC: btest-diff output +@load base/protocols/dns + +event dns_SSHFP(c: connection, msg: dns_msg, ans: dns_answer, algo: count, fptype: count, fingerprint: string) + { + print "SSHFP", algo, fptype, bytestring_to_hexstr(fingerprint); + }