From bcdffe3212e717c6102f79b2306fb5e805598962 Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Thu, 6 Mar 2014 09:06:23 -0500
Subject: [PATCH] No longer accidentally attempting to parse NBSTAT RRs as SRV RRs.

The NetBios name service RFC (1002) specified NBSTAT (NetBios Status) resource records to have identifier 0x0021. The DNS SRV RFC specified SRV records to have identifier 33. Unfortunately those are the same number. :) We now check the resp port to handle this situation better so that we won't be attempting to parse NBSTAT records as SRV (which causes several weird messages).
---
 scripts/base/protocols/dns/main.bro | 8 ++++++++
 src/analyzer/protocol/dns/DNS.cc | 13 ++++++++++++-
 2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/scripts/base/protocols/dns/main.bro b/scripts/base/protocols/dns/main.bro
index 8f83fbc677..348c361311 100644
--- a/scripts/base/protocols/dns/main.bro
+++ b/scripts/base/protocols/dns/main.bro
@@ -360,7 +360,15 @@ event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qcla
 # Note: I'm ignoring the name type for now. Not sure if this should be
 # worked into the query/response in some fashion.
 if ( c$id$resp_p == 137/udp )
+ {
 query = decode_netbios_name(query);
+ if ( c$dns$qtype_name == "SRV" )
+ {
+ # The SRV RFC used the ID used for NetBios Status RRs.
+ # So if this is NetBios Name Service we name it correctly.
+ c$dns$qtype_name = "NBSTAT";
+ }
+ }
 c$dns$query = query;
 }
diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc
index 5d45f9b05c..c5cf47b858 100644
--- a/src/analyzer/protocol/dns/DNS.cc
+++ b/src/analyzer/protocol/dns/DNS.cc
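Review bot: The new check keys off the already-derived display string, `c$dns$qtype_name == "SRV"`, instead of the numeric query type the event receives, so the relabel silently stops working if the qtype-to-name table entry for 33 is ever renamed; `if ( qtype == 33 )` ties it to the wire value the commit message cites and reads as the intent. The relabel also runs only in `dns_request`, so a response observed without its request would, if I read the surrounding handlers correctly, still be logged as `SRV`; that is worth stating in the comment or handling where the response's qtype is recorded. `dns_request`'s body continues outside the hunk.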
@@ -276,7 +276,18 @@ int DNS_Interpreter::ParseAnswer(DNS_MsgInfo* msg,
 break;
 case TYPE_SRV:
- status = ParseRR_SRV(msg, data, len, rdlength, msg_start);
+ if ( ntohs(analyzer->Conn()->RespPort()) == 137 )
+ {
+ // This is an NBSTAT (NetBIOS NODE STATUS) record.
+ // The SRV RFC reused the value that was already being
+ // used for this.
+ // We aren't parsing this yet.
+ status = 1;
+ }
+ else
+ {
+ status = ParseRR_SRV(msg, data, len, rdlength, msg_start);
+ }
 break;
 case TYPE_EDNS:
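Review bot: The new NBSTAT branch reports success with `status = 1` but never consumes the record's RDATA: nothing in it advances `data`/`len` by `rdlength`, so if the per-type parsers are responsible for skipping their own payload (which is how the rest of `ParseAnswer` appears to work, though that code is outside the hunk) the next RR in the message is parsed starting inside the NBSTAT payload, producing exactly the kind of spurious weirds this commit sets out to remove. I would add `data += rdlength; len -= rdlength;` ahead of `status = 1;` with the comment `// Skip the RDATA we do not parse so the next RR starts at the right offset.`. Two smaller points: the bare `137` deserves a named constant, and this test is looser than the script side's `137/udp` — a TCP connection to port 137 also takes the NBSTAT branch here, which is worth a comment if intended. `ParseAnswer` begins and ends outside the hunk.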