No longer accidentally attempting to parse NBSTAT RRs as SRV RRs.

The NetBios name service RFC (1002) specified NBSTAT (NetBios Status)
resource records to have identifier 0x0021.  The DNS SRV RFC specified
SRV records to have identifier 33.  Unfortunately those are the
same number. :)

We now check the resp port to handle this situation better so that
we won't be attempting to parse NBSTAT records as SRV (which
causes several weird messages).
Seth Hall 2014-03-06 09:06:23 -05:00
parent 9743959995
commit bcdffe3212
2 changed files with 20 additions and 1 deletions

@ -360,7 +360,15 @@ event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qcla
# Note: I'm ignoring the name type for now. Not sure if this should be
# worked into the query/response in some fashion.
if ( c$id$resp_p == 137/udp )
{
query = decode_netbios_name(query);
if ( c$dns$qtype_name == "SRV" )
{
# The SRV RFC used the ID used for NetBios Status RRs.
# So if this is NetBios Name Service we name it correctly.
c$dns$qtype_name = "NBSTAT";
}
}
c$dns$query = query;
}
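Review bot: The relabel inside the `137/udp` branch keys on the display string, `c$dns$qtype_name == "SRV"`, instead of the numeric type. Comparing the handler's `qtype` argument against 33 would state the collision directly and would not silently stop working if the name-table entry for 33 were ever reworded. The in-code comment could also give the value (0x0021 / 33) so the reason for the rename is clear without the commit message. Since `c$id$resp_p == 137/udp` is the only discriminator, NetBIOS name service traffic seen on any other responder port still ends up labelled SRV; if that is intended, a short comment saying so would help.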