zeek/testing/btest/Baseline/doc.sphinx.using_bro/btest-doc.sphinx.using_bro#1
Jon Siwek 0e0e74e49c Improve DNS analysis.
- Fix parsing of empty question sections (when QDCOUNT == 0).  In this
  case, the DNS parser would extract two 2-byte fields for use in either
  "dns_query_reply" or "dns_rejected" events (dependent on value of
  RCODE) as qclass and qtype parameters.  This is not correct, because
  such fields don't actually exist in the DNS message format when
  QDCOUNT is 0.  As a result, these events are no longer raised when
  there's an empty question section.  Scripts that depends on checking
  for an empty question section can do that in the "dns_message" event.

- Add a new "dns_unknown_reply" event, for when Bro does not know how
  to fully parse a particular resource record type.  This helps fix a
  problem in the default DNS scripts where the logic to complete
  request-reply pair matching doesn't work because it's waiting on more
  RR events to complete the reply.  i.e. it expects ANCOUNT number of
  dns_*_reply events and will wait until it gets that many before
  completing a request-reply pair and logging it to dns.log.  This could
  cause bogus replies to match a previous request if they happen to
  share a DNS transaction ID.
2014-01-28 11:04:01 -06:00

30 lines
1.6 KiB
Text

.. rst-class:: btest-cmd
.. code-block:: none
:linenos:
:emphasize-lines: 1,1
# bro -r wikipedia.trace
.. rst-class:: btest-include
.. code-block:: guess
:linenos:
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path conn
#open 2013-10-07-23-48-15
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool count string count count count count table[string]
1300475167.096535 CXWv6p3arKYeMETxOg 141.142.220.202 5353 224.0.0.251 5353 udp dns - - - S0 - 0 D 1 73 0 0 (empty)
1300475167.097012 CjhGID4nQcgTWjvg4c fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp dns - - - S0 - 0 D 1 199 0 0 (empty)
1300475167.099816 CCvvfg3TEfuqmmG4bh 141.142.220.50 5353 224.0.0.251 5353 udp dns - - - S0 - 0 D 1 179 0 0 (empty)
1300475168.853899 CPbrpk1qSsw6ESzHV4 141.142.220.118 43927 141.142.2.2 53 udp dns 0.000435 38 89 SF - 0 Dd 1 66 1 117 (empty)
1300475168.854378 C6pKV8GSxOnSLghOa 141.142.220.118 37676 141.142.2.2 53 udp dns 0.000420 52 99 SF - 0 Dd 1 80 1 127 (empty)
1300475168.854837 CIPOse170MGiRM1Qf4 141.142.220.118 40526 141.142.2.2 53 udp dns 0.000392 38 183 SF - 0 Dd 1 66 1 211 (empty)
1300475168.857956 CMXxB5GvmoxJFXdTa 141.142.220.118 32902 141.142.2.2 53 udp dns 0.000317 38 89 SF - 0 Dd 1 66 1 117 (empty)
[...]