Remove some DNS weirds that caused volume and didn't help anyone.

These have been lingering for a while and they generally annoy
everyone because of the sheer volume.  They also don't really add
any useful information for debugging and they were generated differently
than most other weirds anyway (which was a little weird...).
Seth Hall 2017-12-13 15:00:15 -05:00
parent 895e7b06b1
commit ac955519b2
2 changed files with 4 additions and 16 deletions


@ -2,7 +2,6 @@
##! their responses. ##! their responses.
@load base/utils/queue @load base/utils/queue
@load base/frameworks/notice/weird
@load ./consts @load ./consts
module DNS; module DNS;
@ -177,9 +176,6 @@ function log_unmatched_msgs_queue(q: Queue::Queue)
for ( i in infos ) for ( i in infos )
{ {
local wi = Weird::Info($ts=network_time(), $name="dns_unmatched_msg", $uid=infos[i]$uid,
$id=infos[i]$id);
Weird::weird(wi);
Log::write(DNS::LOG, infos[i]); Log::write(DNS::LOG, infos[i]);
} }
} }
@ -187,21 +183,19 @@ function log_unmatched_msgs_queue(q: Queue::Queue)
function log_unmatched_msgs(msgs: PendingMessages) function log_unmatched_msgs(msgs: PendingMessages)
{ {
for ( trans_id in msgs ) for ( trans_id in msgs )
{
log_unmatched_msgs_queue(msgs[trans_id]); log_unmatched_msgs_queue(msgs[trans_id]);
}
clear_table(msgs); clear_table(msgs);
} }
function enqueue_new_msg(msgs: PendingMessages, id: count, msg: Info) function enqueue_new_msg(msgs: PendingMessages, id: count, msg: Info)
{ {
local wi: Weird::Info;
if ( id !in msgs ) if ( id !in msgs )
{ {
if ( |msgs| > max_pending_query_ids ) if ( |msgs| > max_pending_query_ids )
{ {
wi = Weird::Info($ts=network_time(), $name="dns_unmatched_msg", $uid=msg$uid,
$id=msg$id);
Weird::weird(wi);
# Throw away all unmatched on assumption they'll never be matched. # Throw away all unmatched on assumption they'll never be matched.
log_unmatched_msgs(msgs); log_unmatched_msgs(msgs);
} }
@ -212,9 +206,6 @@ function enqueue_new_msg(msgs: PendingMessages, id: count, msg: Info)
{ {
if ( Queue::len(msgs[id]) > max_pending_msgs ) if ( Queue::len(msgs[id]) > max_pending_msgs )
{ {
wi = Weird::Info($ts=network_time(), $name="dns_unmatched_msg_quantity", $uid=msg$uid,
$id=msg$id);
Weird::weird(wi);
log_unmatched_msgs_queue(msgs[id]); log_unmatched_msgs_queue(msgs[id]);
# Throw away all unmatched on assumption they'll never be matched. # Throw away all unmatched on assumption they'll never be matched.
msgs[id] = Queue::init(); msgs[id] = Queue::init();
@ -271,7 +262,6 @@ hook set_session(c: connection, msg: dns_msg, is_query: bool) &priority=5
# Create a new DNS session and put it in the reply queue so # Create a new DNS session and put it in the reply queue so
# we can wait for a matching query. # we can wait for a matching query.
c$dns = new_session(c, msg$id); c$dns = new_session(c, msg$id);
event conn_weird("dns_unmatched_reply", c, "");
enqueue_new_msg(c$dns_state$pending_replies, msg$id, c$dns); enqueue_new_msg(c$dns_state$pending_replies, msg$id, c$dns);
} }
} }
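Review bot: The two cap branches in enqueue_new_msg (`|msgs| > max_pending_query_ids` and `Queue::len(msgs[id]) > max_pending_msgs`) now discard pending state with no indicator of their own, and nothing at either branch says so. The flushed entries are still written by `Log::write(DNS::LOG, infos[i])` in log_unmatched_msgs_queue, so I would add a comment at each branch such as `# No weird is raised here; flushed entries are still written to the DNS log.` Site policy keyed on the names `dns_unmatched_msg`, `dns_unmatched_msg_quantity` or `dns_unmatched_reply` will presumably stop matching without any error, which deserves a line in the commit message or release notes. enqueue_new_msg's body ends outside the visible hunks.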


@ -3,10 +3,8 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path weird #path weird
#open 2016-07-13-16-16-12 #open 2017-12-13-19-40-49
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string #types time string addr port addr port string string bool string
1363716396.798286 CHhAvVGS1DHFjwGM9 55.247.223.174 27285 222.195.43.124 53 DNS_RR_unknown_type 46 F bro 1363716396.798286 CHhAvVGS1DHFjwGM9 55.247.223.174 27285 222.195.43.124 53 DNS_RR_unknown_type 46 F bro
1363716396.798374 CHhAvVGS1DHFjwGM9 55.247.223.174 27285 222.195.43.124 53 dns_unmatched_reply - F bro #close 2017-12-13-19-40-49
1363716396.798374 CHhAvVGS1DHFjwGM9 55.247.223.174 27285 222.195.43.124 53 dns_unmatched_msg - F bro
#close 2016-07-13-16-16-12