Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-17 14:08:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Add opcode/opcode_name to DNS log record

Browse source
This commit is contained in:
Tim Wojtulewicz 2025-09-09 13:57:20 -07:00
parent 26ada4b897
commit fa6eb6c928
31 changed files with 153 additions and 118 deletions
Download patch file Download diff file Expand all files Collapse all files

15
scripts/base/protocols/dns/main.zeek
View file

@ -71,6 +71,10 @@ export {
TTLs: vector of interval &log &optional;
## The DNS query was rejected by the server.
rejected: bool &log &default=F;
## The opcode value of the DNS request/response.
opcode: count &log &optional;
## A descriptive string for the opcode.
opcode_name: string &log &optional;
## The total number of resource records in a reply message's
## answer section.
@ -343,11 +347,20 @@ hook set_session(c: connection, msg: dns_msg, is_query: bool) &priority=5
if ( msg$rcode != 0 && msg$num_queries == 0 )
c$dns$rejected = T;
}
c$dns$opcode = msg$opcode;
if ( msg$is_netbios )
if ( msg$opcode >= 5 )
c$dns$opcode_name = opcodes[msg$opcode + 0xFFFF];
else
c$dns$opcode_name = fmt("netbios-%s", opcodes[msg$opcode]);
else
c$dns$opcode_name = opcodes[msg$opcode];
}
event dns_message(c: connection, is_orig: bool, msg: dns_msg, len: count) &priority=5
{
if ( msg$opcode != 0 )
if ( msg$opcode != 0 && msg$opcode != 5 )
# Currently only standard queries are tracked.
return;