mirror of
https://github.com/zeek/zeek.git
synced 2025-10-07 09:08:20 +00:00
107 lines
2.8 KiB
Text
107 lines
2.8 KiB
Text
# $Id:$
|
|
|
|
@load dns
|
|
@load anon
|
|
|
|
module DNS;
|
|
|
|
redef rewriting_dns_trace = T;
|
|
|
|
event dns_message(c: connection, is_orig: bool, msg: dns_msg, len: count)
|
|
{
|
|
if ( get_conn_transport_proto(c$id) == udp )
|
|
rewrite_dns_message(c, is_orig, msg, len);
|
|
}
|
|
|
|
event dns_request(c: connection, msg: dns_msg, query: string,
|
|
qtype: count, qclass: count)
|
|
{
|
|
if ( get_conn_transport_proto(c$id) == udp )
|
|
rewrite_dns_request(c, anonymize_host(query),
|
|
msg, qtype, qclass);
|
|
}
|
|
|
|
event dns_end(c: connection, msg: dns_msg)
|
|
{
|
|
if ( get_conn_transport_proto(c$id) == udp )
|
|
rewrite_dns_end(c, T);
|
|
}
|
|
|
|
event dns_query_reply(c: connection, msg: dns_msg, query: string,
|
|
qtype: count, qclass: count)
|
|
{
|
|
rewrite_dns_reply_question(c, msg, anonymize_host(query),
|
|
qtype, qclass);
|
|
}
|
|
|
|
event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
|
|
{
|
|
ans$query = anonymize_host(ans$query);
|
|
rewrite_dns_A_reply(c, msg, ans, anonymize_address(a, c$id));
|
|
}
|
|
|
|
#### FIXME: ANONYMIZE!
|
|
event dns_AAAA_reply(c: connection, msg: dns_msg, ans: dns_answer,
|
|
a: addr, astr: string)
|
|
{
|
|
ans$query = anonymize_host(ans$query);
|
|
astr = "::";
|
|
a = anonymize_address(a, c$id);
|
|
rewrite_dns_AAAA_reply(c, msg, ans, a, astr);
|
|
}
|
|
|
|
event dns_NS_reply(c: connection, msg: dns_msg, ans: dns_answer, name: string)
|
|
{
|
|
ans$query = anonymize_host(ans$query);
|
|
rewrite_dns_NS_reply(c, msg, ans, anonymize_host(name));
|
|
}
|
|
|
|
event dns_CNAME_reply(c: connection, msg: dns_msg, ans: dns_answer,
|
|
name: string)
|
|
{
|
|
ans$query = anonymize_host(ans$query);
|
|
rewrite_dns_CNAME_reply(c, msg, ans, anonymize_host(name));
|
|
}
|
|
|
|
event dns_MX_reply(c: connection, msg: dns_msg, ans: dns_answer,
|
|
name: string, preference: count)
|
|
{
|
|
ans$query = anonymize_host(ans$query);
|
|
rewrite_dns_MX_reply(c, msg, ans, anonymize_host(name), preference);
|
|
}
|
|
|
|
event dns_PTR_reply(c: connection, msg: dns_msg, ans: dns_answer, name: string)
|
|
{
|
|
ans$query = anonymize_host(ans$query);
|
|
rewrite_dns_PTR_reply(c, msg, ans, anonymize_host(name));
|
|
}
|
|
|
|
event dns_SOA_reply(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa)
|
|
{
|
|
soa$mname = anonymize_host(soa$mname);
|
|
soa$rname = anonymize_host(soa$rname);
|
|
ans$query = anonymize_host(ans$query);
|
|
rewrite_dns_SOA_reply(c, msg, ans, soa);
|
|
}
|
|
|
|
event dns_TXT_reply(c: connection, msg: dns_msg, ans: dns_answer,
|
|
str: string)
|
|
{
|
|
str = anonymize_string(str);
|
|
ans$query = anonymize_host(ans$query);
|
|
rewrite_dns_TXT_reply(c, msg, ans, str);
|
|
}
|
|
|
|
event dns_EDNS_addl (c: connection, msg: dns_msg, ans: dns_edns_additional)
|
|
{
|
|
rewrite_dns_EDNS_addl(c, msg, ans);
|
|
}
|
|
|
|
event dns_rejected(c: connection, msg: dns_msg, query: string,
|
|
qtype: count, qclass: count)
|
|
{
|
|
#### Hmmm, this is probably not right - we are going to have to look
|
|
# at the question type to determine how to anonymize this.
|
|
rewrite_dns_reply_question(c, msg, anonymize_host(query),
|
|
qtype, qclass);
|
|
}
|