Add DNS tests for huge TTL and CAA

Johanna Amann 2016-04-25 15:37:15 -07:00
parent cfa4fb4946
commit a705b2c08d
9 changed files with 38 additions and 4 deletions

@ -1,4 +1,12 @@
2.4-471 | 2016-04-25 15:37:15 -0700
* Add DNS tests for huge TLLs and CAA. (Johanna Amann)
* Add DNS "CAA" RR type and event. (Mark Taylor)
* Fix DNS response parsing: TTLs are unsigned. (Mark Taylor)
2.4-466 | 2016-04-22 16:25:33 -0700
* Rename BrokerStore and BrokerComm to Broker. Also split broker main.bro
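Review bot: Typo in the first new changelog entry: "huge TLLs" should read "huge TTLs", matching the "TTLs are unsigned" entry two lines below it.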

NEWS

@ -36,6 +36,9 @@ New Functionality
- Bro now tracks VLAN IDs. To record them inside the connection log,
load protocols/conn/vlan-logging.bro.
- A new dns_CAA_reply event gives access to DNS Certification Authority
Authorization replies.
- A new per-packet event raw_packet() provides access to layer 2
information. Use with care, generating events per packet is
expensive.
@ -45,8 +48,8 @@ New Functionality
argument that will be used for decoding errors into weird.log
(instead of reporter.log).
- A new get_current_packet_header bif returning the headers of the current
packet
- A new get_current_packet_header bif returns the headers of the current
packet.
- Two new built-in functions for handling set[subnet] and table[subnet]:
@ -87,7 +90,7 @@ New Functionality
Changed Functionality
---------------------
- The BrokerComm and BrokerStore namespaces were renamed to Broker
- The BrokerComm and BrokerStore namespaces were renamed to Broker.
- ``SSH::skip_processing_after_detection`` was removed. The functionality was
replaced by ``SSH::disable_analyzer_after_detection``.

@ -1 +1 @@
2.4-466
2.4-471

@ -0,0 +1 @@
0, issue, symantec.com

@ -0,0 +1,8 @@
[answer_type=1, query=us.v27.distributed.net, qtype=1, qclass=1, TTL=49710.0 days 6.0 hrs 28.0 mins 15.0 secs]
[answer_type=1, query=us.v27.distributed.net, qtype=1, qclass=1, TTL=15.0 mins]
[answer_type=1, query=us.v27.distributed.net, qtype=1, qclass=1, TTL=15.0 mins]
[answer_type=1, query=us.v27.distributed.net, qtype=1, qclass=1, TTL=15.0 mins]
[answer_type=1, query=us.v27.distributed.net, qtype=1, qclass=1, TTL=15.0 mins]
[answer_type=1, query=us.v27.distributed.net, qtype=1, qclass=1, TTL=15.0 mins]
[answer_type=1, query=us.v27.distributed.net, qtype=1, qclass=1, TTL=15.0 mins]
[answer_type=1, query=us.v27.distributed.net, qtype=1, qclass=1, TTL=15.0 mins]
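Review bot: The first baseline line pins TTL=49710.0 days 6.0 hrs 28.0 mins 15.0 secs, which is 4294967295 seconds (0xFFFFFFFF), so this test locks in the raw unsigned interpretation of the field. RFC 2181 section 8 says a received TTL with the most significant bit set should be treated as zero; a comment in the test stating that reporting the wire value as-is is the intended behaviour would keep a later reader from taking this baseline for an oversight.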

Binary file not shown.

Binary file not shown.

@ -0,0 +1,7 @@
# @TEST-EXEC: bro -r $TRACES/dns-caa.pcap %INPUT
# @TEST-EXEC: btest-diff .stdout
event dns_CAA_reply(c: connection, msg: dns_msg, ans: dns_answer, flags: count, tag: string, value: string)
{
print flags,tag,value;
}
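Review bot: Coverage is thin in this test: the handler prints only flags, tag and value, and the baseline for this trace holds a single record (0, issue, symantec.com), so a non-zero flags value (the issuer-critical bit) and the issuewild and iodef tags are never exercised. Consider extending the trace or adding a second one that covers them. Minor style point: `print flags,tag,value;` would read better with spaces after the commas.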

@ -0,0 +1,7 @@
# @TEST-EXEC: bro -r $TRACES/dns-huge-ttl.pcap %INPUT
# @TEST-EXEC: btest-diff .stdout
event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
{
print ans;
}
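Review bot: `print ans;` dumps the whole dns_answer record, so the baseline will change whenever a field is added to that record, even though the test is only about the TTL. Printing `ans$TTL` (optionally alongside `ans$query`) would keep the baseline tied to what the test is checking.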