mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
00a4865885
Changes during merge - Changed the policy script to use an event handler that behaves for like the base script: &priority=5, msg$opcode != early-out, no record field existence checks - Also extended dns_query_reply event with original_query param - Removed ExtractName overload, and just use default param * 'dns-original-query-case' of https://github.com/rvictory/zeek: Fixed some places where tabs became spaces Stricter checking if we have a dns field on the connection being processed Modified the DNS protocol analyzer to add a new parameter to the dns_request event which includes the DNS query in its original case. Added a policy script that will add the original_case to the dns.log file as well. Created new btests to test both.
22 lines
505 B
Text
22 lines
505 B
Text
##! This script adds the query with its original letter casing
|
|
##! to the DNS log.
|
|
|
|
@load base/protocols/dns/main
|
|
|
|
module DNS;
|
|
|
|
export {
|
|
redef record Info += {
|
|
## Query with original letter casing
|
|
original_query: string &log &optional;
|
|
};
|
|
}
|
|
|
|
event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count, original_query: string) &priority=5
|
|
{
|
|
if ( msg$opcode != 0 )
|
|
# Currently only standard queries are tracked.
|
|
return;
|
|
|
|
c$dns$original_query = original_query;
|
|
}
|