No longer accidentally attempting to parse NBSTAT RRs as SRV RRs.

The NetBios name service RFC (1002) specified NBSTAT (NetBios Status)
resource records to have identifier 0x0021.  The DNS SRV RFC specified
SRV records to have identifier 33.  Unfortunately those are the
same number. :)

We now check the resp port to handle this situation better so that
we won't be attempting to parse NBSTAT records as SRV (which
causes several weird messages).

scripts/base/protocols/dns/main.bro

@@ -360,7 +360,15 @@ event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qcla
 	# Note: I'm ignoring the name type for now.  Not sure if this should be
 	#       worked into the query/response in some fashion.
 	if ( c$id$resp_p == 137/udp )
+		{
 		query = decode_netbios_name(query);
+		if ( c$dns$qtype_name == "SRV" )
+			{
+			# The SRV RFC used the ID used for NetBios Status RRs.
+			# So if this is NetBios Name Service we name it correctly.
+			c$dns$qtype_name = "NBSTAT";
+			}
+		}
 	c$dns$query = query;
 	}
 

src/analyzer/protocol/dns/DNS.cc

@@ -276,7 +276,18 @@ int DNS_Interpreter::ParseAnswer(DNS_MsgInfo* msg,
 			break;
 
 		case TYPE_SRV:
+			if ( ntohs(analyzer->Conn()->RespPort()) == 137 )
+				{
+				// This is an NBSTAT (NetBIOS NODE STATUS) record.
+				// The SRV RFC reused the value that was already being
+				// used for this.
+				// We aren't parsing this yet.
+				status = 1;
+				}
+			else
+				{
 				status = ParseRR_SRV(msg, data, len, rdlength, msg_start);
+				}
 			break;
 
 		case TYPE_EDNS: