From db62369508033a68e8e636ac19a3466775169a88 Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Fri, 5 Oct 2012 13:48:49 -0400
Subject: [PATCH] Fix for DNS log problem when a DNS response is seen with 0 RRs.
---
 scripts/base/protocols/dns/main.bro | 22 ++++++++++--------
 testing/btest/Baseline/core.ipv6-frag/dns.log | 12 +++++-----
 .../dns.log | 10 ++++++++
 .../dns.log | 10 ++++----
 testing/btest/Traces/dns-zero-RRs.trace | Bin 0 -> 242 bytes
 .../base/protocols/dns/zero-responses.bro | 4 ++++
 6 files changed, 37 insertions(+), 21 deletions(-)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.dns.zero-responses/dns.log
 create mode 100644 testing/btest/Traces/dns-zero-RRs.trace
 create mode 100644 testing/btest/scripts/base/protocols/dns/zero-responses.bro
diff --git a/scripts/base/protocols/dns/main.bro b/scripts/base/protocols/dns/main.bro
index c951ff4fd2..8ae3806ab6 100644
--- a/scripts/base/protocols/dns/main.bro
+++ b/scripts/base/protocols/dns/main.bro
@@ -59,13 +59,15 @@ export {
 ## The caching intervals of the associated RRs described by the
 ## ``answers`` field.
 TTLs: vector of interval &log &optional;
+ ## The DNS query was rejected by the server.
+ rejected: bool &log &default=F;
 ## This value indicates if this request/response pair is ready to be
 ## logged.
 ready: bool &default=F;
 ## The total number of resource records in a reply message's answer
 ## section.
- total_answers: count &optional;
+ total_answers: count &default=0;
 ## The total number of resource records in a reply message's answer,
 ## authority, and additional sections.
 total_replies: count &optional;
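Review bot: The new `rejected` field's doc comment does not say what makes it true, and the later dns_rejected hunk shows it is set only from that handler, so a reader of dns.log cannot tell how the flag relates to the rcode/rcode_name columns that are already logged. Suggest `## Set when the analyzer raised dns_rejected for the reply; see rcode/rcode_name for the server's actual response code.` If the analyzer raises dns_rejected for any reply carrying no resource records rather than only for non-zero rcodes (not visible in this patch), the flag would also be true for NOERROR/NODATA replies, and the comment should say so explicitly. The export block continues outside this hunk.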
@@ -186,10 +188,13 @@ function set_session(c: connection, msg: dns_msg, is_query: bool)
 }
 }
+event dns_message(c: connection, is_orig: bool, msg: dns_msg, len: count) &priority=5
+ {
+ set_session(c, msg, is_orig);
+ }
+
 event DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string) &priority=5
 {
- set_session(c, msg, F);
-
 if ( ans$answer_type == DNS_ANS )
 {
 c$dns$AA = msg$AA;
@@ -209,7 +214,8 @@ event DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string)
 c$dns$TTLs[|c$dns$TTLs|] = ans$TTL;
 }
- if ( c$dns?$answers && |c$dns$answers| == c$dns$total_answers )
+ if ( c$dns?$answers && c$dns?$total_answers &&
+ |c$dns$answers| == c$dns$total_answers )
 {
 add c$dns_state$finished_answers[c$dns$trans_id];
 # Indicate this request/reply pair is ready to be logged.
@@ -230,8 +236,6 @@ event DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string)
 event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count) &priority=5
 {
- set_session(c, msg, T);
-
 c$dns$RD = msg$RD;
 c$dns$TC = msg$TC;
 c$dns$qclass = qclass;
@@ -321,11 +325,9 @@ event dns_SRV_reply(c: connection, msg: dns_msg, ans: dns_answer) &priority=5
 #
 # }
-
-event dns_rejected(c: connection, msg: dns_msg,
- query: string, qtype: count, qclass: count) &priority=5
+event dns_rejected(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count) &priority=5
 {
- set_session(c, msg, F);
+ c$dns$rejected = T;
 }
 event connection_state_remove(c: connection) &priority=-5
diff --git a/testing/btest/Baseline/core.ipv6-frag/dns.log b/testing/btest/Baseline/core.ipv6-frag/dns.log
index d763fc4fee..de027644e8 100644
--- a/testing/btest/Baseline/core.ipv6-frag/dns.log
+++ b/testing/btest/Baseline/core.ipv6-frag/dns.log
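Review bot: The new dns_message handler passes `is_orig` as set_session's `is_query` argument, so the query/reply distinction is now derived from packet direction, whereas the removed calls in do_reply, dns_request and dns_rejected derived it from which event fired. A reply observed from the connection's originator side, for instance when the direction was misattributed, would then be treated as a fresh query instead of being matched to its pending transaction; if the analyzer fills the dns_msg `QR` flag for every message, `set_session(c, msg, ! msg$QR);` would be the more direct signal. Either way the handler deserves a comment recording why set_session moved here, e.g. `# Set up the session on every message so that replies carrying no RRs, which never raise do_reply, still get logged.` The do_reply body continues past the end of this hunk.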
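Review bot: The `c$dns?$total_answers` test added to the finished-answers condition in do_reply is always true once the first hunk gives `total_answers` a `&default=0`, so it guards nothing; the one-line form `if ( c$dns?$answers && |c$dns$answers| == c$dns$total_answers )` expresses the same condition. If the intent was to tolerate Info records created before the default existed, a comment saying so would serve better than a check the record type makes redundant. The enclosing do_reply body starts before this hunk.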
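Review bot: With set_session removed from dns_request (and from dns_rejected in the following hunk), `c$dns$RD = msg$RD` and `c$dns$rejected = T` now dereference a field that only the new dns_message handler populates, so both handlers depend on the analyzer raising dns_message before dns_request and dns_rejected for the same message. That ordering is not visible in this patch; a comment such as `# c$dns was set up by the dns_message handler raised for this message.` at the top of each handler would record the assumption for the next maintainer. The dns_request body continues past the end of its hunk.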
@@ -3,9 +3,9 @@
 #empty_field (empty)
 #unset_field -
 #path dns
-#open 2012-03-07-01-37-58
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs
-#types time string addr port addr port enum count string count string count string count string bool bool bool bool count vector[string] vector[interval]
-1331084278.438444 UWkUyAuUGXf 2001:470:1f11:81f:d138:5f55:6d4:1fe2 51850 2607:f740:b::f93 53 udp 3903 txtpadding_323.n1.netalyzr.icsi.berkeley.edu 1 C_INTERNET 16 TXT 0 NOERROR T F T F 0 This TXT record should be ignored 1.000000
-1331084293.592245 arKYeMETxOg 2001:470:1f11:81f:d138:5f55:6d4:1fe2 51851 2607:f740:b::f93 53 udp 40849 txtpadding_3230.n1.netalyzr.icsi.berkeley.edu 1 C_INTERNET 16 TXT 0 NOERROR T F T F 0 This TXT record should be ignored 1.000000
-#close 2012-03-07-01-38-18
+#open 2012-10-05-17-47-27
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
+#types time string addr port addr port enum count string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
+1331084278.438444 UWkUyAuUGXf 2001:470:1f11:81f:d138:5f55:6d4:1fe2 51850 2607:f740:b::f93 53 udp 3903 txtpadding_323.n1.netalyzr.icsi.berkeley.edu 1 C_INTERNET 16 TXT 0 NOERROR T F T F 0 This TXT record should be ignored 1.000000 F
+1331084293.592245 arKYeMETxOg 2001:470:1f11:81f:d138:5f55:6d4:1fe2 51851 2607:f740:b::f93 53 udp 40849 txtpadding_3230.n1.netalyzr.icsi.berkeley.edu 1 C_INTERNET 16 TXT 0 NOERROR T F T F 0 This TXT record should be ignored 1.000000 F
+#close 2012-10-05-17-47-27
diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.zero-responses/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.zero-responses/dns.log
new file mode 100644
index 0000000000..14ad7b77bc
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.dns.zero-responses/dns.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path dns
+#open 2012-10-05-15-59-39
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
+#types time string addr port addr port enum count string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
+1349445121.080922 UWkUyAuUGXf 10.0.0.64 49204 146.186.163.66 53 udp 17323 psu.edu 1 C_INTERNET 28 AAAA 0 NOERROR F F T F 0 - - F
+#close 2012-10-05-15-59-39
diff --git a/testing/btest/Baseline/scripts.policy.protocols.dns.event-priority/dns.log b/testing/btest/Baseline/scripts.policy.protocols.dns.event-priority/dns.log
index f4b77edde7..74de757007 100644
--- a/testing/btest/Baseline/scripts.policy.protocols.dns.event-priority/dns.log
+++ b/testing/btest/Baseline/scripts.policy.protocols.dns.event-priority/dns.log
@@ -3,8 +3,8 @@
 #empty_field (empty)
 #unset_field -
 #path dns
-#open 1999-06-28-23-40-27
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs auth addl
-#types time string addr port addr port enum count string count string count string count string bool bool bool bool count vector[string] vector[interval] table[string] table[string]
-930613226.529070 UWkUyAuUGXf 212.180.42.100 25000 131.243.64.3 53 tcp 34798 - - - - - 0 NOERROR F F F T 0 4.3.2.1 31337.000000 - -
-#close 1999-06-28-23-40-27
+#open 2012-10-05-17-47-40
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected auth addl
+#types time string addr port addr port enum count string count string count string count string bool bool bool bool count vector[string] vector[interval] bool table[string] table[string]
+930613226.518174 UWkUyAuUGXf 212.180.42.100 25000 131.243.64.3 53 tcp 34798 - - - - - 0 NOERROR F F F T 0 4.3.2.1 31337.000000 F - -
+#close 2012-10-05-17-47-40
diff --git a/testing/btest/Traces/dns-zero-RRs.trace b/testing/btest/Traces/dns-zero-RRs.trace
new file mode 100644
index 0000000000000000000000000000000000000000..0f4785b3f0ba8be9e547bc7f289a11eb651e20b5
GIT binary patch
literal 242
zcmca|c+)~A1{MYw`2U}Qff2}Ie3lm=Wy8qe3}l1w4TB_)qgx$v`mJV#b1=9vFqpbs zWngd+{Je|{NKM+c*y(@?gDHdJzM0Oef%-v400DDBaVc|ZN+|<_3#xj@!4Gmqo!+CWp)KzFk9^heM1KG9W0D}fgeo3;? l0UoZ5{Nj?_#Nv|Fq60kT@64`&Wf^1?7^K%XFfax-003r}J}dwL
literal 0
HcmV?d00001
diff --git a/testing/btest/scripts/base/protocols/dns/zero-responses.bro b/testing/btest/scripts/base/protocols/dns/zero-responses.bro
new file mode 100644
index 0000000000..54f7d7b7d3
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/dns/zero-responses.bro
@@ -0,0 +1,4 @@
+# This tests the case where the DNS server responded with zero RRs.
+#
+# @TEST-EXEC: bro -r $TRACES/dns-zero-RRs.trace
+# @TEST-EXEC: btest-diff dns.log
\ No newline at end of file