mirror of
https://github.com/zeek/zeek.git
synced 2025-10-03 07:08:19 +00:00
0e0e74e49c
- Fix parsing of empty question sections (when QDCOUNT == 0). In this case, the DNS parser would extract two 2-byte fields for use in either "dns_query_reply" or "dns_rejected" events (dependent on value of RCODE) as qclass and qtype parameters. This is not correct, because such fields don't actually exist in the DNS message format when QDCOUNT is 0. As a result, these events are no longer raised when there's an empty question section. Scripts that depends on checking for an empty question section can do that in the "dns_message" event. - Add a new "dns_unknown_reply" event, for when Bro does not know how to fully parse a particular resource record type. This helps fix a problem in the default DNS scripts where the logic to complete request-reply pair matching doesn't work because it's waiting on more RR events to complete the reply. i.e. it expects ANCOUNT number of dns_*_reply events and will wait until it gets that many before completing a request-reply pair and logging it to dns.log. This could cause bogus replies to match a previous request if they happen to share a DNS transaction ID. |
||
|---|---|---|
| .. | ||
| conn | ||
| dhcp | ||
| dnp3 | ||
| dns | ||
| ftp | ||
| http | ||
| irc | ||
| modbus | ||
| pop3 | ||
| smtp | ||
| socks | ||
| ssh | ||
| ssl | ||
| syslog | ||
| tunnels | ||