DNSSEC support in Bro

2025-10-05 08:08:19 +00:00 · 2018-09-05 14:12:07 -04:00 · 2018-09-05 14:12:07 -04:00 · ff5c11975d
commit ff5c11975d
parent e055f9b36b
18 changed files with 1096 additions and 7 deletions
--- a/scripts/base/protocols/dns/consts.bro
+++ b/scripts/base/protocols/dns/consts.bro
@ -76,4 +76,34 @@ export {
 		[254] = "C_NONE",
 		[255] = "C_ANY",
 	} &default = function(n: count): string { return fmt("qclass-%d", n); };
+	
+	## Possible values of the algorithms used in DNSKEY, DS and RRSIG records
+	const algorithms = {
+		[0] = "reserved0",
+    		[1] = "RSA_MD5",         
+    		[2] = "Diffie_Hellman",	
+    		[3] = "DSA_SHA1",	
+    		[4] = "Elliptic_Curve",
+    		[5] = "RSA_SHA1",	
+    		[6] = "DSA_NSEC3_SHA1",
+    		[7] = "RSA_SHA1_NSEC3_SHA1",
+    		[8] = "RSA_SHA256",
+    		[10] = "RSA_SHA512",
+    		[12] = "GOST_R_34_10_2001",
+    		[13] = "ECDSA_curveP256withSHA256",
+    		[14] = "ECDSA_curveP384withSHA384",
+    		[252] = "Indirect",	
+    		[253] = "PrivateDNS",	
+    		[254] = "PrivateOID",	
+    		[255] = "reserved255",
+        } &default = function(n: count): string { return fmt("algorithm-%d", n); };
+
+	const digests = {
+                [0] = "reserved0",
+                [1] = "SHA1",
+                [2] = "SHA256",
+                [3] = "GOST_R_34_11_94",
+                [4] = "SHA384",
+        } &default = function(n: count): string { return fmt("digest-%d", n); };
+
 }
--- a/scripts/base/protocols/dns/main.bro
+++ b/scripts/base/protocols/dns/main.bro
@ -466,6 +466,45 @@ event dns_SRV_reply(c: connection, msg: dns_msg, ans: dns_answer, target: string
 #
 #	}

+event dns_RRSIG_addl(c: connection, msg: dns_msg, ans: dns_answer, rrsig: dns_rrsig_additional)
+        {
+        local rrsig_rec: string = fmt("RRSIG_Signer_%s", rrsig$signer_name);
+        if ( rrsig$signer_name == "")
+                rrsig_rec = fmt("RRSIG_Signer_<Root>");
+
+        hook DNS::do_reply(c, msg, ans, rrsig_rec);
+        }
+
+event dns_DNSKEY_addl(c: connection, msg: dns_msg, ans: dns_answer, dnskey: dns_dnskey_additional)
+        {
+        local dnskey_rec: string = fmt("DNSKEY_for_%s", ans$query);
+        if (ans$query == "")
+                dnskey_rec = fmt("DNSKEY_for_<Root>");
+        hook DNS::do_reply(c, msg, ans, dnskey_rec);
+        }
+
+event dns_NSEC_addl(c: connection, msg: dns_msg, ans: dns_answer, next_name: string, bitmaps: string_vec)
+        {
+        hook DNS::do_reply(c, msg, ans, next_name);
+        }
+
+event dns_NSEC3_addl(c: connection, msg: dns_msg, ans: dns_answer, nsec3: dns_nsec3_additional, bitmaps: string_vec)
+        {
+        local nsec3_rec: string = fmt("NSEC3_for_%s", ans$query);
+        if (ans$query == "")
+                nsec3_rec = fmt("NSEC3_for_<Root>");
+
+        hook DNS::do_reply(c, msg, ans, nsec3_rec);
+        }
+
+event dns_DS_addl(c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_additional)
+        {
+        local ds_rec: string = fmt("DS_for_%s", ans$query);
+        if (ans$query == "")
+                ds_rec = fmt("DS_for_<Root>");
+        hook DNS::do_reply(c, msg, ans, ds_rec);
+        }
+
 event dns_rejected(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count) &priority=5
 	{
 	if ( c?$dns )