mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
7a1a2c8d63
This commit builds on top of GH-4183 and adds IPv6 support for policy/protocols/dns/detect-external-names. Additionally it adds a test-case for this file testing it with mDNS queries.
51 lines
1.5 KiB
Text
51 lines
1.5 KiB
Text
##! This script detects names which are not within zones considered to be
|
|
##! local but resolving to addresses considered local.
|
|
##! The :zeek:id:`Site::local_zones` variable **must** be set appropriately for
|
|
##! this detection.
|
|
|
|
@load base/frameworks/notice
|
|
@load base/utils/site
|
|
|
|
module DNS;
|
|
|
|
export {
|
|
redef enum Notice::Type += {
|
|
## Raised when a non-local name is found to be pointing at a
|
|
## local host. The :zeek:id:`Site::local_zones` variable
|
|
## **must** be set appropriately for this detection.
|
|
External_Name,
|
|
};
|
|
|
|
## Default is to ignore mDNS broadcasts.
|
|
option skip_resp_host_port_pairs: set[addr, port] = { [[224.0.0.251, [ff02::fb]], 5353/udp] };
|
|
}
|
|
|
|
function detect_external_names(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
|
|
{
|
|
if ( |Site::local_zones| == 0 )
|
|
return;
|
|
|
|
if ( [c$id$resp_h, c$id$resp_p] in skip_resp_host_port_pairs )
|
|
return;
|
|
|
|
# Check for responses from remote hosts that point at local hosts
|
|
# but the name is not considered to be within a "local" zone.
|
|
if ( Site::is_local_addr(a) && # referring to a local host
|
|
! Site::is_local_name(ans$query) ) # name isn't in a local zone.
|
|
{
|
|
NOTICE([$note=External_Name,
|
|
$msg=fmt("%s is pointing to a local host - %s.", ans$query, a),
|
|
$conn=c,
|
|
$identifier=cat(a,ans$query)]);
|
|
}
|
|
}
|
|
|
|
event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
|
|
{
|
|
detect_external_names(c, msg, ans, a);
|
|
}
|
|
|
|
event dns_AAAA_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
|
|
{
|
|
detect_external_names(c, msg, ans, a);
|
|
}
|