Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-07 17:18:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Some updates to the base DNS script.

Browse source 
- Answers and TTLs are now vectors.

- The warning that was being generated (dns_reply_seen_after_done)
  from transaction ID reuse is fixed.

- Updated the single failing btest baseline.
This commit is contained in:
Seth Hall 2011-11-30 10:19:41 -05:00
parent 01693672bc
commit bb47289bfa
2 changed files with 35 additions and 27 deletions
Download patch file Download diff file Expand all files Collapse all files

56
scripts/base/protocols/dns/main.bro
View file

@ -6,26 +6,26 @@ export {
redef enum Log::ID += { LOG }; redef enum Log::ID += { LOG };
type Info: record { type Info: record {
ts: time &log; ts: time &log;
uid: string &log; uid: string &log;
id: conn_id &log; id: conn_id &log;
proto: transport_proto &log; proto: transport_proto &log;
trans_id: count &log &optional; trans_id: count &log &optional;
query: string &log &optional; query: string &log &optional;
qclass: count &log &optional; qclass: count &log &optional;
qclass_name: string &log &optional; qclass_name: string &log &optional;
qtype: count &log &optional; qtype: count &log &optional;
qtype_name: string &log &optional; qtype_name: string &log &optional;
rcode: count &log &optional; rcode: count &log &optional;
rcode_name: string &log &optional; rcode_name: string &log &optional;
QR: bool &log &default=F; QR: bool &log &default=F;
AA: bool &log &default=F; AA: bool &log &default=F;
TC: bool &log &default=F; TC: bool &log &default=F;
RD: bool &log &default=F; RD: bool &log &default=F;
RA: bool &log &default=F; RA: bool &log &default=F;
Z: count &log &default=0; Z: count &log &default=0;
TTL: interval &log &optional; answers: vector of string &log &optional;
answers: set[string] &log &optional; TTLs: vector of interval &log &optional;
## This value indicates if this request/response pair is ready to be logged. ## This value indicates if this request/response pair is ready to be logged.
ready: bool &default=F; ready: bool &default=F;
@ -102,7 +102,13 @@ function new_session(c: connection, trans_id: count): Info
function set_session(c: connection, msg: dns_msg, is_query: bool) function set_session(c: connection, msg: dns_msg, is_query: bool)
{ {
if ( ! c?$dns_state || msg$id !in c$dns_state$pending ) if ( ! c?$dns_state || msg$id !in c$dns_state$pending )
{
c$dns_state$pending[msg$id] = new_session(c, msg$id); c$dns_state$pending[msg$id] = new_session(c, msg$id);
# Try deleting this transaction id from the set of finished answers.
# Sometimes hosts will reuse ports and transaction ids and this should
# be considered to be a legit scenario (although bad practice).
delete c$dns_state$finished_answers[msg$id];
}
c$dns = c$dns_state$pending[msg$id]; c$dns = c$dns_state$pending[msg$id];
@ -136,7 +142,10 @@ event DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string)
c$dns$AA = msg$AA; c$dns$AA = msg$AA;
c$dns$RA = msg$RA; c$dns$RA = msg$RA;
c$dns$TTL = ans$TTL;
if ( ! c$dns?$TTLs )
c$dns$TTLs = vector();
c$dns$TTLs[|c$dns$TTLs|] = ans$TTL;
if ( ans$answer_type == DNS_ANS ) if ( ans$answer_type == DNS_ANS )
{ {
@ -146,8 +155,8 @@ event DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string)
if ( reply != "" ) if ( reply != "" )
{ {
if ( ! c$dns?$answers ) if ( ! c$dns?$answers )
c$dns$answers = set(); c$dns$answers = vector();
add c$dns$answers[reply]; c$dns$answers[|c$dns$answers|] = reply;
} }
if ( c$dns?$answers && |c$dns$answers| == c$dns$total_answers ) if ( c$dns?$answers && |c$dns$answers| == c$dns$total_answers )
@ -164,7 +173,6 @@ event DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string)
if ( c$dns$ready ) if ( c$dns$ready )
{ {
Log::write(DNS::LOG, c$dns); Log::write(DNS::LOG, c$dns);
add c$dns_state$finished_answers[c$dns$trans_id];
# This record is logged and no longer pending. # This record is logged and no longer pending.
delete c$dns_state$pending[c$dns$trans_id]; delete c$dns_state$pending[c$dns$trans_id];
} }

6
testing/btest/Baseline/scripts.policy.protocols.dns.event-priority/dns.log
View file

@ -1,5 +1,5 @@
#separator \x09 #separator \x09
#path dns #path dns
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode rcode_name QR AA TC RD RA Z TTL answers auth addl #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode rcode_name QR AA TC RD RA Z answers TTLs auth addl
#types time string addr port addr port enum count string count string count string count string bool bool bool bool bool count interval table table table #types time string addr port addr port enum count string count string count string count string bool bool bool bool bool count vector vector table table
930613226.529070 UWkUyAuUGXf 212.180.42.100 25000 131.243.64.3 53 tcp 34798 - - - - - 0 NOERROR F F F F T 0 31337.000000 4.3.2.1 - - 930613226.529070 UWkUyAuUGXf 212.180.42.100 25000 131.243.64.3 53 tcp 34798 - - - - - 0 NOERROR F F F F T 0 4.3.2.1 31337.000000 - -