diff --git a/scripts/base/protocols/dns/main.bro b/scripts/base/protocols/dns/main.bro index c951ff4fd2..8ae3806ab6 100644 --- a/scripts/base/protocols/dns/main.bro +++ b/scripts/base/protocols/dns/main.bro @@ -59,13 +59,15 @@ export { ## The caching intervals of the associated RRs described by the ## ``answers`` field. TTLs: vector of interval &log &optional; + ## The DNS query was rejected by the server. + rejected: bool &log &default=F; ## This value indicates if this request/response pair is ready to be ## logged. ready: bool &default=F; ## The total number of resource records in a reply message's answer ## section. - total_answers: count &optional; + total_answers: count &default=0; ## The total number of resource records in a reply message's answer, ## authority, and additional sections. total_replies: count &optional; @@ -186,10 +188,13 @@ function set_session(c: connection, msg: dns_msg, is_query: bool) } } +event dns_message(c: connection, is_orig: bool, msg: dns_msg, len: count) &priority=5 + { + set_session(c, msg, is_orig); + } + event DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string) &priority=5 { - set_session(c, msg, F); - if ( ans$answer_type == DNS_ANS ) { c$dns$AA = msg$AA; @@ -209,7 +214,8 @@ event DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string) c$dns$TTLs[|c$dns$TTLs|] = ans$TTL; } - if ( c$dns?$answers && |c$dns$answers| == c$dns$total_answers ) + if ( c$dns?$answers && c$dns?$total_answers && + |c$dns$answers| == c$dns$total_answers ) { add c$dns_state$finished_answers[c$dns$trans_id]; # Indicate this request/reply pair is ready to be logged. @@ -230,8 +236,6 @@ event DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string) event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count) &priority=5 { - set_session(c, msg, T); - c$dns$RD = msg$RD; c$dns$TC = msg$TC; c$dns$qclass = qclass; 
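Review bot: The comment on the new `rejected` field does not tell log consumers what sets it or how it relates to `rcode`/`rcode_name`, which the log already carries (see the `#fields` headers in the updated baselines). In this patch the only writer is the `dns_rejected` handler, so `F` means "no rejection was observed", not "the query was accepted" — a request whose reply was never seen also logs `F`. Suggest `## T if the server rejected the query, i.e. a dns_rejected event was seen for this transaction; F also when no reply was observed. See rcode/rcode_name.` Whether a rejected reply can also carry answers, so that `answers` and `rejected` coexist in one row, depends on the analyzer and is not visible here.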
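Review bot: `set_session(c, msg, is_orig)` uses transport direction as the query/response indicator, whereas the message header's QR bit is what actually distinguishes a query from a response; the two agree for a normal flow but diverge when the query packet was missed and the server's reply is the first packet seen, or when roles are otherwise misassigned. The other handlers in this file already read header flags from `msg` (`msg$AA`, `msg$RD`, `msg$TC`), so if `dns_msg` exposes QR the same way, `set_session(c, msg, ! msg$QR);` would be the more robust choice. Note also that `do_reply`, `dns_request` and `dns_rejected` now rely on this handler having created `c$dns` before they run, which holds only if `dns_message` is generated ahead of them for each message and equal-priority handlers execute in generation order. The body of `set_session` begins outside this hunk.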
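Review bot: The added `c$dns?$total_answers` test is made constant by the same commit: the record hunk above changes `total_answers` from `&optional` to `&default=0`, and a field with a default is always set, so the new guard reduces to the original condition and suggests a case that cannot occur. Either keep `total_answers` `&optional`, so the `?$` check meaningfully distinguishes "count not recorded" from "zero answers", or drop the check and keep just `if ( c$dns?$answers && |c$dns$answers| == c$dns$total_answers )`. With the default of 0, a reply whose count was never populated can never satisfy the equality once `answers` is non-empty, so it would never be marked finished here; whether `set_session` always populates the count is outside this hunk.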
@@ -321,11 +325,9 @@ event dns_SRV_reply(c: connection, msg: dns_msg, ans: dns_answer) &priority=5 # # } - -event dns_rejected(c: connection, msg: dns_msg, - query: string, qtype: count, qclass: count) &priority=5 +event dns_rejected(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count) &priority=5 { - set_session(c, msg, F); + c$dns$rejected = T; } event connection_state_remove(c: connection) &priority=-5 diff --git a/testing/btest/Baseline/core.ipv6-frag/dns.log b/testing/btest/Baseline/core.ipv6-frag/dns.log index d763fc4fee..de027644e8 100644 --- a/testing/btest/Baseline/core.ipv6-frag/dns.log +++ b/testing/btest/Baseline/core.ipv6-frag/dns.log 
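Review bot: The rewritten `dns_rejected` handler ignores the `query`, `qtype` and `qclass` arguments the event delivers, so a rejected reply whose request was not captured (one-sided or lossy traffic) is logged with `rejected=T` but empty `query`/`qtype`/`qclass`, unless `set_session`, which is outside this hunk, fills them from the message. A cheap fallback before setting the flag is `if ( ! c$dns?$query ) c$dns$query = query;`, `if ( ! c$dns?$qtype ) c$dns$qtype = qtype;` and `if ( ! c$dns?$qclass ) c$dns$qclass = qclass;` — the Info record has these fields, as the `#fields` headers show. The handler also assumes `c$dns` already exists; that is true only if `dns_message` fires first for every message that raises `dns_rejected`, otherwise the assignment is a runtime error.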
@@ -3,9 +3,9 @@
 #empty_field (empty)
 #unset_field -
 #path dns
-#open 2012-03-07-01-37-58
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs
-#types time string addr port addr port enum count string count string count string count string bool bool bool bool count vector[string] vector[interval]
-1331084278.438444 UWkUyAuUGXf 2001:470:1f11:81f:d138:5f55:6d4:1fe2 51850 2607:f740:b::f93 53 udp 3903 txtpadding_323.n1.netalyzr.icsi.berkeley.edu 1 C_INTERNET 16 TXT 0 NOERROR T F T F 0 This TXT record should be ignored 1.000000
-1331084293.592245 arKYeMETxOg 2001:470:1f11:81f:d138:5f55:6d4:1fe2 51851 2607:f740:b::f93 53 udp 40849 txtpadding_3230.n1.netalyzr.icsi.berkeley.edu 1 C_INTERNET 16 TXT 0 NOERROR T F T F 0 This TXT record should be ignored 1.000000
-#close 2012-03-07-01-38-18
+#open 2012-10-05-17-47-27
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
+#types time string addr port addr port enum count string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
+1331084278.438444 UWkUyAuUGXf 2001:470:1f11:81f:d138:5f55:6d4:1fe2 51850 2607:f740:b::f93 53 udp 3903 txtpadding_323.n1.netalyzr.icsi.berkeley.edu 1 C_INTERNET 16 TXT 0 NOERROR T F T F 0 This TXT record should be ignored 1.000000 F
+1331084293.592245 arKYeMETxOg 2001:470:1f11:81f:d138:5f55:6d4:1fe2 51851 2607:f740:b::f93 53 udp 40849 txtpadding_3230.n1.netalyzr.icsi.berkeley.edu 1 C_INTERNET 16 TXT 0 NOERROR T F T F 0 This TXT record should be ignored 1.000000 F
+#close 2012-10-05-17-47-27
diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.zero-responses/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.zero-responses/dns.log
new file mode 100644
index 0000000000..14ad7b77bc
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.dns.zero-responses/dns.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path dns
+#open 2012-10-05-15-59-39
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
+#types time string addr port addr port enum count string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
+1349445121.080922 UWkUyAuUGXf 10.0.0.64 49204 146.186.163.66 53 udp 17323 psu.edu 1 C_INTERNET 28 AAAA 0 NOERROR F F T F 0 - - F
+#close 2012-10-05-15-59-39
diff --git a/testing/btest/Baseline/scripts.policy.protocols.dns.event-priority/dns.log b/testing/btest/Baseline/scripts.policy.protocols.dns.event-priority/dns.log
index f4b77edde7..74de757007 100644
--- a/testing/btest/Baseline/scripts.policy.protocols.dns.event-priority/dns.log
+++ b/testing/btest/Baseline/scripts.policy.protocols.dns.event-priority/dns.log
@@ -3,8 +3,8 @@
 #empty_field (empty)
 #unset_field -
 #path dns
-#open 1999-06-28-23-40-27
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs auth addl
-#types time string addr port addr port enum count string count string count string count string bool bool bool bool count vector[string] vector[interval] table[string] table[string]
-930613226.529070 UWkUyAuUGXf 212.180.42.100 25000 131.243.64.3 53 tcp 34798 - - - - - 0 NOERROR F F F T 0 4.3.2.1 31337.000000 - -
-#close 1999-06-28-23-40-27
+#open 2012-10-05-17-47-40
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected auth addl
+#types time string addr port addr port enum count string count string count string count string bool bool bool bool count vector[string] vector[interval] bool table[string] table[string]
+930613226.518174 UWkUyAuUGXf 212.180.42.100 25000 131.243.64.3 53 tcp 34798 - - - - - 0 NOERROR F F F T 0 4.3.2.1 31337.000000 F - -
+#close 2012-10-05-17-47-40
diff --git a/testing/btest/Traces/dns-zero-RRs.trace b/testing/btest/Traces/dns-zero-RRs.trace
new file mode 100644
index 0000000000..0f4785b3f0
Binary files /dev/null and b/testing/btest/Traces/dns-zero-RRs.trace differ
diff --git a/testing/btest/scripts/base/protocols/dns/zero-responses.bro b/testing/btest/scripts/base/protocols/dns/zero-responses.bro
new file mode 100644
index 0000000000..54f7d7b7d3
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/dns/zero-responses.bro
@@ -0,0 +1,4 @@
+# This tests the case where the DNS server responded with zero RRs.
+#
+# @TEST-EXEC: bro -r $TRACES/dns-zero-RRs.trace
+# @TEST-EXEC: btest-diff dns.log
\ No newline at end of file
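Review bot: Nothing in this commit exercises the new `rejected` flag's true path: every dns.log row in the updated baselines shows `F` in the new column, and this test only covers a reply with zero RRs, so the `dns_rejected` handler, the sole writer of the field, has no regression coverage. Consider a second trace, or an additional `@TEST-EXEC` against an existing one, in which the server answers with a non-NOERROR rcode, assuming that is what makes the analyzer raise `dns_rejected`; the baseline should then show `rejected=T` alongside the matching `rcode_name`. Minor: the new test file ends without a trailing newline, as the `\ No newline at end of file` marker shows.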