Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-11 02:58:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Copy docs into Zeek repo directly

Browse source 
This is based on commit 2731def9159247e6da8a3191783c89683363689c from the
zeek-docs repo.
This commit is contained in:
Tim Wojtulewicz 2025-09-15 15:52:18 -07:00
parent 83f1e74643
commit ded98cd373
1074 changed files with 169319 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

14
doc/scripts/base/protocols/dns/__load__.zeek.rst Normal file
View file

@ -0,0 +1,14 @@
:tocdepth: 3
base/protocols/dns/__load__.zeek
================================
:Imports: :doc:`base/protocols/dns/check-event-handlers.zeek </scripts/base/protocols/dns/check-event-handlers.zeek>`, :doc:`base/protocols/dns/consts.zeek </scripts/base/protocols/dns/consts.zeek>`, :doc:`base/protocols/dns/main.zeek </scripts/base/protocols/dns/main.zeek>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

17
doc/scripts/base/protocols/dns/check-event-handlers.zeek.rst Normal file
View file

@ -0,0 +1,17 @@
:tocdepth: 3
base/protocols/dns/check-event-handlers.zeek
============================================
.. zeek:namespace:: DNS
This script checks if DNS event handlers that will not be raised
are used and raises a warning in those cases.
:Namespace: DNS
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

325
doc/scripts/base/protocols/dns/consts.zeek.rst Normal file
View file

@ -0,0 +1,325 @@
:tocdepth: 3
base/protocols/dns/consts.zeek
==============================
.. zeek:namespace:: DNS
Types, errors, and fields for analyzing DNS data. A helper file
for DNS analysis scripts.
:Namespace: DNS
Summary
~~~~~~~
Constants
#########
=============================================================================================== ======================================================================
:zeek:id:`DNS::ANY`: :zeek:type:`count` A QTYPE value describing a request for all records.
:zeek:id:`DNS::EDNS`: :zeek:type:`count` An OPT RR TYPE value described by EDNS.
:zeek:id:`DNS::PTR`: :zeek:type:`count` RR TYPE value for a domain name pointer.
:zeek:id:`DNS::algorithms`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function` Possible values of the algorithms used in DNSKEY, DS and RRSIG records
:zeek:id:`DNS::base_errors`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function` Errors used for non-TSIG/EDNS types.
:zeek:id:`DNS::classes`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function` Possible values of the CLASS field in resource records or QCLASS
field in query messages.
:zeek:id:`DNS::digests`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function` Possible digest types used in DNSSEC.
:zeek:id:`DNS::edns_zfield`: :zeek:type:`table` :zeek:attr:`&default` = ``"?"`` This deciphers EDNS Z field values.
:zeek:id:`DNS::query_types`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function` Mapping of DNS query type codes to human readable string
representation.
:zeek:id:`DNS::svcparam_keys`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function` SVCB/HTTPS SvcParam keys as defined in
https://datatracker.ietf.org/doc/html/rfc9460#name-initial-contents
Keep in sync with src/analyzer/protocol/dns/DNS.h SVCPARAM_Key.
=============================================================================================== ======================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Constants
#########
.. zeek:id:: DNS::ANY
:source-code: base/protocols/dns/consts.zeek 9 9
:Type: :zeek:type:`count`
:Default: ``255``
A QTYPE value describing a request for all records.
.. zeek:id:: DNS::EDNS
:source-code: base/protocols/dns/consts.zeek 8 8
:Type: :zeek:type:`count`
:Default: ``41``
An OPT RR TYPE value described by EDNS.
.. zeek:id:: DNS::PTR
:source-code: base/protocols/dns/consts.zeek 7 7
:Type: :zeek:type:`count`
:Default: ``12``
RR TYPE value for a domain name pointer.
.. zeek:id:: DNS::algorithms
:source-code: base/protocols/dns/consts.zeek 154 154
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&default` = :zeek:type:`function`
:Default:
::
{
[254] = "PrivateOID",
[2] = "Diffie_Hellman",
[15] = "Ed25519",
[6] = "DSA_NSEC3_SHA1",
[14] = "ECDSA_curveP384withSHA384",
[16] = "Ed448",
[255] = "reserved255",
[8] = "RSA_SHA256",
[252] = "Indirect",
[253] = "PrivateDNS",
[1] = "RSA_MD5",
[5] = "RSA_SHA1",
[7] = "RSA_SHA1_NSEC3_SHA1",
[10] = "RSA_SHA512",
[4] = "Elliptic_Curve",
[12] = "GOST_R_34_10_2001",
[13] = "ECDSA_curveP256withSHA256",
[3] = "DSA_SHA1",
[0] = "reserved0"
}
Possible values of the algorithms used in DNSKEY, DS and RRSIG records
.. zeek:id:: DNS::base_errors
:source-code: base/protocols/dns/consts.zeek 107 107
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&default` = :zeek:type:`function`
:Default:
::
{
[19] = "BADMODE",
[3842] = "BADSIG",
[20] = "BADNAME",
[2] = "SERVFAIL",
[14] = "unassigned-14",
[15] = "unassigned-15",
[6] = "YXDOMAIN",
[16] = "BADVERS",
[8] = "NXRRSet",
[23] = "BADCOOKIE",
[9] = "NOTAUTH",
[1] = "FORMERR",
[11] = "unassigned-11",
[7] = "YXRRSET",
[5] = "REFUSED",
[10] = "NOTZONE",
[21] = "BADALG",
[4] = "NOTIMP",
[22] = "BADTRUNC",
[13] = "unassigned-13",
[12] = "unassigned-12",
[18] = "BADTIME",
[17] = "BADKEY",
[3] = "NXDOMAIN",
[0] = "NOERROR"
}
Errors used for non-TSIG/EDNS types.
.. zeek:id:: DNS::classes
:source-code: base/protocols/dns/consts.zeek 144 144
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&default` = :zeek:type:`function`
:Default:
::
{
[254] = "C_NONE",
[2] = "C_CSNET",
[3] = "C_CHAOS",
[255] = "C_ANY",
[4] = "C_HESIOD",
[1] = "C_INTERNET"
}
Possible values of the CLASS field in resource records or QCLASS
field in query messages.
.. zeek:id:: DNS::digests
:source-code: base/protocols/dns/consts.zeek 177 177
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&default` = :zeek:type:`function`
:Default:
::
{
[0] = "reserved0",
[2] = "SHA256",
[4] = "SHA384",
[1] = "SHA1",
[3] = "GOST_R_34_11_94"
}
Possible digest types used in DNSSEC.
.. zeek:id:: DNS::edns_zfield
:source-code: base/protocols/dns/consts.zeek 137 137
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&default` = ``"?"``
:Default:
::
{
[0] = "NOVALUE",
[32768] = "DNS_SEC_OK"
}
This deciphers EDNS Z field values.
.. zeek:id:: DNS::query_types
:source-code: base/protocols/dns/consts.zeek 13 13
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&default` = :zeek:type:`function`
:Default:
::
{
[19] = "X25",
[20] = "ISDN",
[33] = "SRV",
[39] = "DNAME",
[30] = "NXT",
[46] = "RRSIG",
[15] = "MX",
[65422] = "XPF",
[28] = "AAAA",
[64] = "SVCB",
[106] = "L64",
[9] = "MR",
[253] = "MAILB",
[107] = "LP",
[53] = "SMIMEA",
[55] = "HIP",
[52] = "TLSA",
[251] = "IXFR",
[21] = "RT",
[4] = "MF",
[12] = "PTR",
[41] = "OPT",
[58] = "TALINK",
[17] = "RP",
[105] = "L32",
[254] = "MAILA",
[32768] = "TA",
[25] = "KEY",
[32769] = "DLV",
[65281] = "WINS",
[29] = "LOC",
[16] = "TXT",
[255] = "*",
[59] = "CDS",
[38] = "A6",
[252] = "AXFR",
[63] = "ZONEMD",
[42] = "APL",
[57] = "RKEY",
[1] = "A",
[11] = "WKS",
[35] = "NAPTR",
[108] = "EUI48",
[22] = "NSAP",
[256] = "URI",
[43] = "DS",
[102] = "GID",
[257] = "CAA",
[65521] = "INTEGRITY",
[3] = "MD",
[44] = "SSHFP",
[34] = "ATMA",
[45] = "IPSECKEY",
[40] = "SINK",
[36] = "KX",
[250] = "TSIG",
[14] = "MINFO",
[6] = "SOA",
[31] = "EID",
[23] = "NSAP-PTR",
[8] = "MG",
[27] = "GPOS",
[56] = "NINFO",
[7] = "MB",
[10] = "NULL",
[32] = "NIMLOC",
[13] = "HINFO",
[26] = "PX",
[65] = "HTTPS",
[62] = "CSYNC",
[101] = "UID",
[47] = "NSEC",
[50] = "NSEC3",
[2] = "NS",
[65282] = "WINS-R",
[48] = "DNSKEY",
[24] = "SIG",
[99] = "SPF",
[49] = "DHCID",
[109] = "EUI64",
[249] = "TKEY",
[103] = "UNSPEC",
[5] = "CNAME",
[104] = "NID",
[61] = "OPENPGPKEY",
[60] = "CDNSKEY",
[100] = "UINFO",
[51] = "NSEC3PARAM",
[37] = "CERT",
[18] = "AFSDB"
}
Mapping of DNS query type codes to human readable string
representation.
.. zeek:id:: DNS::svcparam_keys
:source-code: base/protocols/dns/consts.zeek 188 188
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&default` = :zeek:type:`function`
:Default:
::
{
[2] = "no-default-alpn",
[3] = "port",
[5] = "ech",
[0] = "mandatory",
[6] = "ipv6hint",
[4] = "ipv4hint",
[1] = "alpn"
}
SVCB/HTTPS SvcParam keys as defined in
https://datatracker.ietf.org/doc/html/rfc9460#name-initial-contents
Keep in sync with src/analyzer/protocol/dns/DNS.h SVCPARAM_Key.

25
doc/scripts/base/protocols/dns/index.rst Normal file
View file

@ -0,0 +1,25 @@
:orphan:
Package: base/protocols/dns
===========================
Support for Domain Name System (DNS) protocol analysis.
:doc:`/scripts/base/protocols/dns/__load__.zeek`
:doc:`/scripts/base/protocols/dns/consts.zeek`
Types, errors, and fields for analyzing DNS data. A helper file
for DNS analysis scripts.
:doc:`/scripts/base/protocols/dns/main.zeek`
Base DNS analysis script which tracks and logs DNS queries along with
their responses.
:doc:`/scripts/base/protocols/dns/check-event-handlers.zeek`
This script checks if DNS event handlers that will not be raised
are used and raises a warning in those cases.

377
doc/scripts/base/protocols/dns/main.zeek.rst Normal file
View file

@ -0,0 +1,377 @@
:tocdepth: 3
base/protocols/dns/main.zeek
============================
.. zeek:namespace:: DNS
Base DNS analysis script which tracks and logs DNS queries along with
their responses.
:Namespace: DNS
:Imports: :doc:`base/protocols/conn/removal-hooks.zeek </scripts/base/protocols/conn/removal-hooks.zeek>`, :doc:`base/protocols/dns/consts.zeek </scripts/base/protocols/dns/consts.zeek>`, :doc:`base/utils/queue.zeek </scripts/base/utils/queue.zeek>`
Summary
~~~~~~~
Runtime Options
###############
============================================================================= =======================================================================
:zeek:id:`DNS::max_pending_msgs`: :zeek:type:`count` :zeek:attr:`&redef` Give up trying to match pending DNS queries or replies for a given
query/transaction ID once this number of unmatched queries or replies
is reached (this shouldn't happen unless either the DNS server/resolver
is broken, Zeek is not seeing all the DNS traffic, or an AXFR query
response is ongoing).
:zeek:id:`DNS::max_pending_query_ids`: :zeek:type:`count` :zeek:attr:`&redef` Give up trying to match pending DNS queries or replies across all
query/transaction IDs once there is at least one unmatched query or
reply across this number of different query IDs.
============================================================================= =======================================================================
Types
#####
===================================================== ================================================================
:zeek:type:`DNS::Info`: :zeek:type:`record` The record type which contains the column fields of the DNS log.
:zeek:type:`DNS::PendingMessages`: :zeek:type:`table` Yields a queue of :zeek:see:`DNS::Info` objects for a given
DNS message query/transaction ID.
:zeek:type:`DNS::State`: :zeek:type:`record` A record type which tracks the status of DNS queries for a given
:zeek:type:`connection`.
===================================================== ================================================================
Redefinitions
#############
==================================================================== ===========================================================
:zeek:type:`Log::ID`: :zeek:type:`enum` The DNS logging stream identifier.
* :zeek:enum:`DNS::LOG`
:zeek:type:`connection`: :zeek:type:`record`
:New Fields: :zeek:type:`connection`
dns: :zeek:type:`DNS::Info` :zeek:attr:`&optional`
dns_state: :zeek:type:`DNS::State` :zeek:attr:`&optional`
:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef`
==================================================================== ===========================================================
Events
######
=========================================== =================================================================
:zeek:id:`DNS::log_dns`: :zeek:type:`event` An event that can be handled to access the :zeek:type:`DNS::Info`
record as it is sent to the logging framework.
=========================================== =================================================================
Hooks
#####
============================================================ =================================================================
:zeek:id:`DNS::do_reply`: :zeek:type:`hook` This is called by the specific dns_*_reply events with a "reply"
which may not represent the full data available from the resource
record, but it's generally considered a summarization of the
responses.
:zeek:id:`DNS::finalize_dns`: :zeek:type:`Conn::RemovalHook` DNS finalization hook.
:zeek:id:`DNS::log_policy`: :zeek:type:`Log::PolicyHook` A default logging policy hook for the stream.
:zeek:id:`DNS::set_session`: :zeek:type:`hook` A hook that is called whenever a session is being set.
============================================================ =================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. zeek:id:: DNS::max_pending_msgs
:source-code: base/protocols/dns/main.zeek 126 126
:Type: :zeek:type:`count`
:Attributes: :zeek:attr:`&redef`
:Default: ``50``
Give up trying to match pending DNS queries or replies for a given
query/transaction ID once this number of unmatched queries or replies
is reached (this shouldn't happen unless either the DNS server/resolver
is broken, Zeek is not seeing all the DNS traffic, or an AXFR query
response is ongoing).
.. zeek:id:: DNS::max_pending_query_ids
:source-code: base/protocols/dns/main.zeek 131 131
:Type: :zeek:type:`count`
:Attributes: :zeek:attr:`&redef`
:Default: ``50``
Give up trying to match pending DNS queries or replies across all
query/transaction IDs once there is at least one unmatched query or
reply across this number of different query IDs.
Types
#####
.. zeek:type:: DNS::Info
:source-code: base/protocols/dns/main.zeek 18 86
:Type: :zeek:type:`record`
.. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
The earliest time at which a DNS protocol message over the
associated connection is observed.
.. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
A unique identifier of the connection over which DNS messages
are being transferred.
.. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
The connection's 4-tuple of endpoint addresses/ports.
.. zeek:field:: proto :zeek:type:`transport_proto` :zeek:attr:`&log`
The transport layer protocol of the connection.
.. zeek:field:: trans_id :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
A 16-bit identifier assigned by the program that generated
the DNS query. Also used in responses to match up replies to
outstanding queries.
.. zeek:field:: rtt :zeek:type:`interval` :zeek:attr:`&log` :zeek:attr:`&optional`
Round trip time for the query and response. This indicates
the delay between when the request was seen until the
answer started.
.. zeek:field:: query :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
The domain name that is the subject of the DNS query.
.. zeek:field:: qclass :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
The QCLASS value specifying the class of the query.
.. zeek:field:: qclass_name :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
A descriptive name for the class of the query.
.. zeek:field:: qtype :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
A QTYPE value specifying the type of the query.
.. zeek:field:: qtype_name :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
A descriptive name for the type of the query.
.. zeek:field:: rcode :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
The response code value in DNS response messages.
.. zeek:field:: rcode_name :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
A descriptive name for the response code value.
.. zeek:field:: AA :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
The Authoritative Answer bit for response messages specifies
that the responding name server is an authority for the
domain name in the question section.
.. zeek:field:: TC :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
The Truncation bit specifies that the message was truncated.
.. zeek:field:: RD :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
The Recursion Desired bit in a request message indicates that
the client wants recursive service for this query.
.. zeek:field:: RA :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
The Recursion Available bit in a response message indicates
that the name server supports recursive queries.
.. zeek:field:: Z :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
A reserved field that is zero in queries and responses unless
using DNSSEC. This field represents the 3-bit Z field using
the specification from RFC 1035.
.. zeek:field:: answers :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
The set of resource descriptions in the query answer.
.. zeek:field:: TTLs :zeek:type:`vector` of :zeek:type:`interval` :zeek:attr:`&log` :zeek:attr:`&optional`
The caching intervals of the associated RRs described by the
*answers* field.
.. zeek:field:: rejected :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
The DNS query was rejected by the server.
.. zeek:field:: total_answers :zeek:type:`count` :zeek:attr:`&optional`
The total number of resource records in a reply message's
answer section.
.. zeek:field:: total_replies :zeek:type:`count` :zeek:attr:`&optional`
The total number of resource records in a reply message's
answer, authority, and additional sections.
.. zeek:field:: saw_query :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
Whether the full DNS query has been seen.
.. zeek:field:: saw_reply :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
Whether the full DNS reply has been seen.
.. zeek:field:: auth :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/dns/auth-addl.zeek` is loaded)
Authoritative responses for the query.
.. zeek:field:: addl :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/dns/auth-addl.zeek` is loaded)
Additional responses for the query.
.. zeek:field:: original_query :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/dns/log-original-query-case.zeek` is loaded)
Query with original letter casing
The record type which contains the column fields of the DNS log.
.. zeek:type:: DNS::PendingMessages
:source-code: base/protocols/dns/main.zeek 119 119
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`Queue::Queue`
Yields a queue of :zeek:see:`DNS::Info` objects for a given
DNS message query/transaction ID.
.. zeek:type:: DNS::State
:source-code: base/protocols/dns/main.zeek 135 150
:Type: :zeek:type:`record`
.. zeek:field:: pending_query :zeek:type:`DNS::Info` :zeek:attr:`&optional`
A single query that hasn't been matched with a response yet.
Note this is maintained separate from the *pending_queries*
field solely for performance reasons -- it's possible that
*pending_queries* contains further queries for which a response
has not yet been seen, even for the same transaction ID.
.. zeek:field:: pending_queries :zeek:type:`DNS::PendingMessages` :zeek:attr:`&optional`
Indexed by query id, returns Info record corresponding to
queries that haven't been matched with a response yet.
.. zeek:field:: pending_replies :zeek:type:`DNS::PendingMessages` :zeek:attr:`&optional`
Indexed by query id, returns Info record corresponding to
replies that haven't been matched with a query yet.
A record type which tracks the status of DNS queries for a given
:zeek:type:`connection`.
Events
######
.. zeek:id:: DNS::log_dns
:source-code: base/protocols/dns/main.zeek 90 90
:Type: :zeek:type:`event` (rec: :zeek:type:`DNS::Info`)
An event that can be handled to access the :zeek:type:`DNS::Info`
record as it is sent to the logging framework.
Hooks
#####
.. zeek:id:: DNS::do_reply
:source-code: base/protocols/dns/main.zeek 104 104
:Type: :zeek:type:`hook` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`, reply: :zeek:type:`string`) : :zeek:type:`bool`
This is called by the specific dns_*_reply events with a "reply"
which may not represent the full data available from the resource
record, but it's generally considered a summarization of the
responses.
:param c: The connection record for which to fill in DNS reply data.
:param msg: The DNS message header information for the response.
:param ans: The general information of a RR response.
:param reply: The specific response information according to RR type/class.
.. zeek:id:: DNS::finalize_dns
:source-code: base/protocols/dns/main.zeek 643 658
:Type: :zeek:type:`Conn::RemovalHook`
DNS finalization hook. Remaining DNS info may get logged when it's called.
.. zeek:id:: DNS::log_policy
:source-code: base/protocols/dns/main.zeek 15 15
:Type: :zeek:type:`Log::PolicyHook`
A default logging policy hook for the stream.
.. zeek:id:: DNS::set_session
:source-code: base/protocols/dns/main.zeek 238 346
:Type: :zeek:type:`hook` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, is_query: :zeek:type:`bool`) : :zeek:type:`bool`
A hook that is called whenever a session is being set.
This can be used if additional initialization logic needs to happen
when creating a new session value.
:param c: The connection involved in the new session.
:param msg: The DNS message header information.
:param is_query: Indicator for if this is being called for a query or a response.