Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-17 14:08:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

DNSSEC support in Bro

Browse source
This commit is contained in:
fatema 2018-09-05 14:12:07 -04:00
parent e055f9b36b
commit ff5c11975d
18 changed files with 1096 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

60
scripts/base/init-bare.bro
View file

@ -3544,6 +3544,66 @@ type dns_tsig_additional: record {
is_query: count; ##< TODO.
};
## A DNSSEC RRSIG record.
##
## .. bro:see:: dns_RRSIG_addl
type dns_rrsig_additional: record {
query: string; ##< Query.
answer_type: count; ##< Ans type.
type_covered: count; ## qtype covered by RRSIG RR.
algorithm: count; ##< Algorithm.
labels: count; ##< labels in the owner's name.
orig_ttl: interval; ##< original TTL
sig_exp: time; ##< Time when signed RR expires.
sig_incep: time; ##< Time when signed.
key_tag: count; ## key tag value
signer_name: string; ##< Signature.
signature: string; ##< Hash of the RRDATA
is_query: count; ##< The RR is a query/Response.
};
## A DNSSEC DNSKEY record.
##
## .. bro:see:: dns_DNSKEY_addl
type dns_dnskey_additional: record {
query: string; ##< Query.
answer_type: count; ##< Ans type.
flags: count; ##< flags filed.
protocol: count; ##< Protocol, should be always 3 for DNSSEC.
algorithm: count; ##< Algorithm for Public Key.
public_key: string; ##< Public Key
is_query: count; ##< The RR is a query/Response.
};
## A DNSSEC NSEC3 record.
##
## .. bro:see:: dns_NSEC3_addl
type dns_nsec3_additional: record {
query: string; ##< Query.
answer_type: count; ##< Ans type.
nsec_flags: count; ##< flags field.
nsec_hash_algo: count; ##< Hash algorithm.
nsec_iter: count; ##< Iterations.
nsec_salt_len: count; ##< salt length.
nsec_salt: string; ##< Salt value
nsec_hlen: count; ##< Hash length.
nsec_hash: string; ##< Hash value.
is_query: count; ##< The RR is a query/Response.
};
## A DNSSEC DS record.
##
## .. bro:see:: dns_DS_addl
type dns_ds_additional: record {
query: string; ##< Query.
answer_type: count; ##< Ans type.
key_tag: count; ##< flags filed.
algorithm: count; ##< Algorithm for Public Key.
digest_type: count; ##< Digest Type.
digest_val: string; ##< Digest Value.
is_query: count; ##< The RR is a query/Response.
};
# DNS answer types.
#
# .. bro:see:: dns_answerr

30
scripts/base/protocols/dns/consts.bro
View file

@ -76,4 +76,34 @@ export {
[254] = "C_NONE",
[255] = "C_ANY",
} &default = function(n: count): string { return fmt("qclass-%d", n); };
## Possible values of the algorithms used in DNSKEY, DS and RRSIG records
const algorithms = {
[0] = "reserved0",
[1] = "RSA_MD5",
[2] = "Diffie_Hellman",
[3] = "DSA_SHA1",
[4] = "Elliptic_Curve",
[5] = "RSA_SHA1",
[6] = "DSA_NSEC3_SHA1",
[7] = "RSA_SHA1_NSEC3_SHA1",
[8] = "RSA_SHA256",
[10] = "RSA_SHA512",
[12] = "GOST_R_34_10_2001",
[13] = "ECDSA_curveP256withSHA256",
[14] = "ECDSA_curveP384withSHA384",
[252] = "Indirect",
[253] = "PrivateDNS",
[254] = "PrivateOID",
[255] = "reserved255",
} &default = function(n: count): string { return fmt("algorithm-%d", n); };
const digests = {
[0] = "reserved0",
[1] = "SHA1",
[2] = "SHA256",
[3] = "GOST_R_34_11_94",
[4] = "SHA384",
} &default = function(n: count): string { return fmt("digest-%d", n); };
}

39
scripts/base/protocols/dns/main.bro
View file

@ -466,6 +466,45 @@ event dns_SRV_reply(c: connection, msg: dns_msg, ans: dns_answer, target: string
#
# }
event dns_RRSIG_addl(c: connection, msg: dns_msg, ans: dns_answer, rrsig: dns_rrsig_additional)
{
local rrsig_rec: string = fmt("RRSIG_Signer_%s", rrsig$signer_name);
if ( rrsig$signer_name == "")
rrsig_rec = fmt("RRSIG_Signer_<Root>");
hook DNS::do_reply(c, msg, ans, rrsig_rec);
}
event dns_DNSKEY_addl(c: connection, msg: dns_msg, ans: dns_answer, dnskey: dns_dnskey_additional)
{
local dnskey_rec: string = fmt("DNSKEY_for_%s", ans$query);
if (ans$query == "")
dnskey_rec = fmt("DNSKEY_for_<Root>");
hook DNS::do_reply(c, msg, ans, dnskey_rec);
}
event dns_NSEC_addl(c: connection, msg: dns_msg, ans: dns_answer, next_name: string, bitmaps: string_vec)
{
hook DNS::do_reply(c, msg, ans, next_name);
}
event dns_NSEC3_addl(c: connection, msg: dns_msg, ans: dns_answer, nsec3: dns_nsec3_additional, bitmaps: string_vec)
{
local nsec3_rec: string = fmt("NSEC3_for_%s", ans$query);
if (ans$query == "")
nsec3_rec = fmt("NSEC3_for_<Root>");
hook DNS::do_reply(c, msg, ans, nsec3_rec);
}
event dns_DS_addl(c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_additional)
{
local ds_rec: string = fmt("DS_for_%s", ans$query);
if (ans$query == "")
ds_rec = fmt("DS_for_<Root>");
hook DNS::do_reply(c, msg, ans, ds_rec);
}
event dns_rejected(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count) &priority=5
{
if ( c?$dns )

42
scripts/policy/protocols/dns/addl-dnskey.bro Normal file
View file

@ -0,0 +1,42 @@
##! This script adds additional fields for the DNSKEY dns response of current
##! query to the DNS log. It can cause severe overhead.
@load base/protocols/dns/main
@load base/protocols/dns/consts
redef dns_skip_all_auth = F;
redef dns_skip_all_addl = F;
module DNS;
export {
redef record Info += {
dnskey_flags: vector of count &log &optional;
dnskey_algo: vector of string &log &optional;
dnskey_proto: vector of count &log &optional;
dnskey_pubkey: vector of string &log &optional;
};
}
event dns_DNSKEY_addl(c: connection, msg: dns_msg, ans: dns_answer, dnskey: dns_dnskey_additional)
{
if ( c?$dns )
{
if ( ! c$dns?$dnskey_flags )
c$dns$dnskey_flags = vector();
c$dns$dnskey_flags[|c$dns$dnskey_flags|] = dnskey$flags;
if ( ! c$dns?$dnskey_algo )
c$dns$dnskey_algo = vector();
c$dns$dnskey_algo[|c$dns$dnskey_algo|] = DNS::algorithms[dnskey$algorithm];
if ( ! c$dns?$dnskey_proto )
c$dns$dnskey_proto = vector();
c$dns$dnskey_proto[|c$dns$dnskey_proto|] = dnskey$protocol;
if ( ! c$dns?$dnskey_pubkey)
c$dns$dnskey_pubkey = vector();
c$dns$dnskey_pubkey[|c$dns$dnskey_pubkey|] = bytestring_to_hexstr(dnskey$public_key);
}
}

42
scripts/policy/protocols/dns/addl-ds.bro Normal file
View file

@ -0,0 +1,42 @@
##! This script adds additional fields for the DS dns response of current
##! query to the DNS log. It can cause severe overhead.
@load base/protocols/dns/main
@load base/protocols/dns/consts
redef dns_skip_all_auth = F;
redef dns_skip_all_addl = F;
module DNS;
export {
redef record Info += {
ds_key_tag: vector of count &log &optional;
ds_algo: vector of string &log &optional;
ds_digestType: vector of string &log &optional;
ds_digest: vector of string &log &optional;
};
}
event dns_DS_addl(c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_additional)
{
if ( c?$dns )
{
if ( ! c$dns?$ds_key_tag )
c$dns$ds_key_tag = vector();
c$dns$ds_key_tag[|c$dns$ds_key_tag|] = ds$key_tag;
if ( ! c$dns?$ds_algo )
c$dns$ds_algo = vector();
c$dns$ds_algo[|c$dns$ds_algo|] = DNS::algorithms[ds$algorithm];
if ( ! c$dns?$ds_digestType )
c$dns$ds_digestType = vector();
c$dns$ds_digestType[|c$dns$ds_digestType|] = DNS::digests[ds$digest_type];
if ( ! c$dns?$ds_digest)
c$dns$ds_digest = vector();
c$dns$ds_digest[|c$dns$ds_digest|] = bytestring_to_hexstr(ds$digest_val);
}
}

76
scripts/policy/protocols/dns/addl-nsec3.bro Normal file
View file

@ -0,0 +1,76 @@
##! This script adds additional fields for the NSEC3 dns response of current
##! query to the DNS log. It can cause severe overhead.
@load base/protocols/dns/main
@load base/protocols/dns/consts
redef dns_skip_all_auth = F;
redef dns_skip_all_addl = F;
module DNS;
export {
redef record Info += {
nsec_flags: vector of count &log &optional;
nsec_hash_algo: vector of count &log &optional;
nsec_iter: vector of count &log &optional;
nsec_salt_len: vector of count &log &optional;
nsec_salt: vector of string &log &optional;
nsec_hlen: vector of count &log &optional;
nsec_hash: vector of string &log &optional;
nsec_bitmaps: vector of string &log &optional;
};
}
event dns_NSEC3_addl(c: connection, msg: dns_msg, ans: dns_answer, nsec3: dns_nsec3_additional, bitmaps: string_vec)
{
if ( c?$dns )
{
if ( ! c$dns?$nsec_flags )
c$dns$nsec_flags = vector();
c$dns$nsec_flags[|c$dns$nsec_flags|] = nsec3$nsec_flags;
if ( ! c$dns?$nsec_hash_algo )
c$dns$nsec_hash_algo = vector();
c$dns$nsec_hash_algo[|c$dns$nsec_hash_algo|] = nsec3$nsec_hash_algo;
if ( ! c$dns?$nsec_iter )
c$dns$nsec_iter = vector();
c$dns$nsec_iter[|c$dns$nsec_iter|] = nsec3$nsec_iter;
if ( ! c$dns?$nsec_salt_len)
c$dns$nsec_salt_len = vector();
c$dns$nsec_salt_len[|c$dns$nsec_salt_len|] = nsec3$nsec_salt_len;
if ( ! c$dns?$nsec_salt)
c$dns$nsec_salt = vector();
c$dns$nsec_salt[|c$dns$nsec_salt|] = bytestring_to_hexstr(nsec3$nsec_salt);
if ( ! c$dns?$nsec_hlen)
c$dns$nsec_hlen = vector();
c$dns$nsec_hlen[|c$dns$nsec_hlen|] = nsec3$nsec_hlen;
if ( ! c$dns?$nsec_hash)
c$dns$nsec_hash = vector();
c$dns$nsec_hash[|c$dns$nsec_hash|] = bytestring_to_hexstr(nsec3$nsec_hash);
if ( ! c$dns?$nsec_bitmaps)
c$dns$nsec_bitmaps = vector();
if ( |bitmaps| != 0)
{
local bitmap_strings: string = "";
for ( i in bitmaps )
{
if ( i > 0 )
bitmap_strings += " ";
bitmap_strings += fmt("bitmap %d %s", |bitmaps[i]|, bitmaps[i]);
}
c$dns$nsec_bitmaps[|c$dns$nsec_bitmaps|] = bitmap_strings;
}
}
}

64
scripts/policy/protocols/dns/addl-rrsig.bro Normal file
View file

@ -0,0 +1,64 @@
##! This script adds additional fields corresponding to the RRSIG record responses for the current
##! query to the DNS log. It can cause severe overhead.
@load base/protocols/dns/main
@load base/protocols/dns/consts
module DNS;
export {
redef record Info += {
rrsig_type_covered: vector of string &log &optional;
rrsig_orig_ttl: vector of interval &log &optional;
rrsig_key_tag: vector of count &log &optional;
rrsig_algo: vector of string &log &optional;
rrsig_labels: vector of count &log &optional;
rrsig_signer_name: vector of string &log &optional;
rrsig_signature: vector of string &log &optional;
rrsig_sig_exp: vector of time &log &optional;
rrsig_sig_inc: vector of time &log &optional;
};
}
event dns_RRSIG_addl(c: connection, msg: dns_msg, ans: dns_answer, rrsig: dns_rrsig_additional)
{
if ( c?$dns )
{
if ( ! c$dns?$rrsig_type_covered )
c$dns$rrsig_type_covered = vector();
c$dns$rrsig_type_covered[|c$dns$rrsig_type_covered|] = DNS::query_types[rrsig$type_covered];
if ( ! c$dns?$rrsig_orig_ttl )
c$dns$rrsig_orig_ttl = vector();
c$dns$rrsig_orig_ttl[|c$dns$rrsig_orig_ttl|] = rrsig$orig_ttl;
if ( ! c$dns?$rrsig_key_tag )
c$dns$rrsig_key_tag = vector();
c$dns$rrsig_key_tag[|c$dns$rrsig_key_tag|] = rrsig$key_tag;
if ( ! c$dns?$rrsig_algo )
c$dns$rrsig_algo = vector();
c$dns$rrsig_algo[|c$dns$rrsig_algo|] = DNS::algorithms[rrsig$algorithm];
if ( ! c$dns?$rrsig_labels )
c$dns$rrsig_labels = vector();
c$dns$rrsig_labels[|c$dns$rrsig_labels|] = rrsig$labels;
if ( ! c$dns?$rrsig_signer_name )
c$dns$rrsig_signer_name = vector();
c$dns$rrsig_signer_name[|c$dns$rrsig_signer_name|] = rrsig$signer_name;
if ( ! c$dns?$rrsig_signature )
c$dns$rrsig_signature = vector();
c$dns$rrsig_signature[|c$dns$rrsig_signature|] = bytestring_to_hexstr(rrsig$signature);
if ( ! c$dns?$rrsig_sig_exp )
c$dns$rrsig_sig_exp = vector();
c$dns$rrsig_sig_exp[|c$dns$rrsig_sig_exp|] = rrsig$sig_exp;
if ( ! c$dns?$rrsig_sig_inc )
c$dns$rrsig_sig_inc = vector();
c$dns$rrsig_sig_inc[|c$dns$rrsig_sig_inc|] = rrsig$sig_incep;
}
}