Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-08 17:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Fix for DNS log problem when a DNS response is seen with 0 RRs.

Browse source
This commit is contained in:
Seth Hall 2012-10-05 13:48:49 -04:00
parent 14de9e675e
commit db62369508
6 changed files with 37 additions and 21 deletions
Download patch file Download diff file Expand all files Collapse all files

22
scripts/base/protocols/dns/main.bro
View file

@ -59,13 +59,15 @@ export {
## The caching intervals of the associated RRs described by the ## The caching intervals of the associated RRs described by the
## ``answers`` field. ## ``answers`` field.
TTLs: vector of interval &log &optional; TTLs: vector of interval &log &optional;
## The DNS query was rejected by the server.
rejected: bool &log &default=F;
## This value indicates if this request/response pair is ready to be ## This value indicates if this request/response pair is ready to be
## logged. ## logged.
ready: bool &default=F; ready: bool &default=F;
## The total number of resource records in a reply message's answer ## The total number of resource records in a reply message's answer
## section. ## section.
total_answers: count &optional; total_answers: count &default=0;
## The total number of resource records in a reply message's answer, ## The total number of resource records in a reply message's answer,
## authority, and additional sections. ## authority, and additional sections.
total_replies: count &optional; total_replies: count &optional;
@ -186,10 +188,13 @@ function set_session(c: connection, msg: dns_msg, is_query: bool)
} }
} }
event dns_message(c: connection, is_orig: bool, msg: dns_msg, len: count) &priority=5
{
set_session(c, msg, is_orig);
}
event DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string) &priority=5 event DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string) &priority=5
{ {
set_session(c, msg, F);
if ( ans$answer_type == DNS_ANS ) if ( ans$answer_type == DNS_ANS )
{ {
c$dns$AA = msg$AA; c$dns$AA = msg$AA;
@ -209,7 +214,8 @@ event DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string)
c$dns$TTLs[|c$dns$TTLs|] = ans$TTL; c$dns$TTLs[|c$dns$TTLs|] = ans$TTL;
} }
if ( c$dns?$answers && |c$dns$answers| == c$dns$total_answers ) if ( c$dns?$answers && c$dns?$total_answers &&
|c$dns$answers| == c$dns$total_answers )
{ {
add c$dns_state$finished_answers[c$dns$trans_id]; add c$dns_state$finished_answers[c$dns$trans_id];
# Indicate this request/reply pair is ready to be logged. # Indicate this request/reply pair is ready to be logged.
@ -230,8 +236,6 @@ event DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string)
event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count) &priority=5 event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count) &priority=5
{ {
set_session(c, msg, T);
c$dns$RD = msg$RD; c$dns$RD = msg$RD;
c$dns$TC = msg$TC; c$dns$TC = msg$TC;
c$dns$qclass = qclass; c$dns$qclass = qclass;
@ -321,11 +325,9 @@ event dns_SRV_reply(c: connection, msg: dns_msg, ans: dns_answer) &priority=5
# #
# } # }
event dns_rejected(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count) &priority=5
event dns_rejected(c: connection, msg: dns_msg,
query: string, qtype: count, qclass: count) &priority=5
{ {
set_session(c, msg, F); c$dns$rejected = T;
} }
event connection_state_remove(c: connection) &priority=-5 event connection_state_remove(c: connection) &priority=-5

12
testing/btest/Baseline/core.ipv6-frag/dns.log
View file

@ -3,9 +3,9 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path dns #path dns
#open 2012-03-07-01-37-58 #open 2012-10-05-17-47-27
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
#types time string addr port addr port enum count string count string count string count string bool bool bool bool count vector[string] vector[interval] #types time string addr port addr port enum count string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
1331084278.438444 UWkUyAuUGXf 2001:470:1f11:81f:d138:5f55:6d4:1fe2 51850 2607:f740:b::f93 53 udp 3903 txtpadding_323.n1.netalyzr.icsi.berkeley.edu 1 C_INTERNET 16 TXT 0 NOERROR T F T F 0 This TXT record should be ignored 1.000000 1331084278.438444 UWkUyAuUGXf 2001:470:1f11:81f:d138:5f55:6d4:1fe2 51850 2607:f740:b::f93 53 udp 3903 txtpadding_323.n1.netalyzr.icsi.berkeley.edu 1 C_INTERNET 16 TXT 0 NOERROR T F T F 0 This TXT record should be ignored 1.000000 F
1331084293.592245 arKYeMETxOg 2001:470:1f11:81f:d138:5f55:6d4:1fe2 51851 2607:f740:b::f93 53 udp 40849 txtpadding_3230.n1.netalyzr.icsi.berkeley.edu 1 C_INTERNET 16 TXT 0 NOERROR T F T F 0 This TXT record should be ignored 1.000000 1331084293.592245 arKYeMETxOg 2001:470:1f11:81f:d138:5f55:6d4:1fe2 51851 2607:f740:b::f93 53 udp 40849 txtpadding_3230.n1.netalyzr.icsi.berkeley.edu 1 C_INTERNET 16 TXT 0 NOERROR T F T F 0 This TXT record should be ignored 1.000000 F
#close 2012-03-07-01-38-18 #close 2012-10-05-17-47-27

10
testing/btest/Baseline/scripts.base.protocols.dns.zero-responses/dns.log Normal file
View file

@ -0,0 +1,10 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path dns
#open 2012-10-05-15-59-39
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
#types time string addr port addr port enum count string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
1349445121.080922 UWkUyAuUGXf 10.0.0.64 49204 146.186.163.66 53 udp 17323 psu.edu 1 C_INTERNET 28 AAAA 0 NOERROR F F T F 0 - - F
#close 2012-10-05-15-59-39

10
testing/btest/Baseline/scripts.policy.protocols.dns.event-priority/dns.log
View file

@ -3,8 +3,8 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path dns #path dns
#open 1999-06-28-23-40-27 #open 2012-10-05-17-47-40
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs auth addl #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected auth addl
#types time string addr port addr port enum count string count string count string count string bool bool bool bool count vector[string] vector[interval] table[string] table[string] #types time string addr port addr port enum count string count string count string count string bool bool bool bool count vector[string] vector[interval] bool table[string] table[string]
930613226.529070 UWkUyAuUGXf 212.180.42.100 25000 131.243.64.3 53 tcp 34798 - - - - - 0 NOERROR F F F T 0 4.3.2.1 31337.000000 - - 930613226.518174 UWkUyAuUGXf 212.180.42.100 25000 131.243.64.3 53 tcp 34798 - - - - - 0 NOERROR F F F T 0 4.3.2.1 31337.000000 F - -
#close 1999-06-28-23-40-27 #close 2012-10-05-17-47-40

BIN
testing/btest/Traces/dns-zero-RRs.trace Normal file
View file

Binary file not shown.

4
testing/btest/scripts/base/protocols/dns/zero-responses.bro Normal file
View file

@ -0,0 +1,4 @@
# This tests the case where the DNS server responded with zero RRs.
#
# @TEST-EXEC: bro -r $TRACES/dns-zero-RRs.trace
# @TEST-EXEC: btest-diff dns.log