mirror of
https://github.com/zeek/zeek.git
# $Id: dns-lookup.bro 340 2004-09-09 06:38:27Z vern $
@load notice
# Notice type raised by this script when a host/address mapping differs from
# what a previous Bro lookup returned.
redef enum Notice += {
	DNS_MappingChanged,	# some sort of change WRT previous Bro lookup
};

# Change labels that always produce a notice in dump_dns_mapping().
# "valid" and "lost name" are not listed, so the handlers using those labels
# report a mapping only when it contains 127.0.0.1.  The set carries &redef,
# so a site can add or remove labels without editing this file.
const dns_interesting_changes = {
	"unverified",
	"old name",
	"new name",
	"mapping",
} &redef;
# Raise a DNS_MappingChanged notice for a mapping when the change label is
# listed in dns_interesting_changes or the mapping contains 127.0.0.1.
#
# msg: change label supplied by the calling event handler; it is also used
#      as the notice's $sub field.
# dm:  the mapping being reported.
#
# Returns: T if a notice was raised, F otherwise.
function dump_dns_mapping(msg: string, dm: dns_mapping): bool
	{
	# A mapping that contains 127.0.0.1 is reported whatever the label.
	# NOTE(review): this looks like an exact match on 127.0.0.1 only, so
	# other loopback addresses would not trigger it -- confirm that this
	# is the intended coverage.
	if ( ! (msg in dns_interesting_changes || 127.0.0.1 in dm$addrs) )
		return F;

	# Prefer the requested host name; fall back to the requested address
	# when no name was recorded.
	local requested = dm$req_host;
	if ( requested == "" )
		requested = fmt("%As", dm$req_addr);

	# Marker inserted into the message for mappings not flagged valid.
	local validity = dm$valid ? "" : "(invalid) ";

	# NOTE(review): the host names in the message presumably originate
	# from DNS answers; anything that parses or displays the notice text
	# should treat it as untrusted input -- confirm against the consumer.
	NOTICE([$note=DNS_MappingChanged,
		$msg=fmt("DNS %s: %s/%s %s-> %As", msg, requested,
			 dm$hostname, validity, dm$addrs),
		$sub=msg]);

	return T;
	}
# Handler for dns_mapping_valid: passes the mapping to dump_dns_mapping()
# under the label "valid".  That label is not in the default
# dns_interesting_changes, so a notice results only when the mapping
# contains 127.0.0.1.  The boolean result is not used here.
event dns_mapping_valid(dm: dns_mapping)
	{
	dump_dns_mapping("valid", dm);
	}
# Handler for dns_mapping_unverified: passes the mapping to
# dump_dns_mapping() under the label "unverified".  The label is in the
# default dns_interesting_changes, so a notice is raised unless the site
# has removed it via redef.
event dns_mapping_unverified(dm: dns_mapping)
	{
	dump_dns_mapping("unverified", dm);
	}
# Handler for dns_mapping_new_name: passes the mapping to
# dump_dns_mapping() under the label "new name", which is in the default
# dns_interesting_changes and therefore raises a notice.
event dns_mapping_new_name(dm: dns_mapping)
	{
	dump_dns_mapping("new name", dm);
	}
# Handler for dns_mapping_lost_name: passes the mapping to
# dump_dns_mapping() under the label "lost name".  That label is not in the
# default dns_interesting_changes, so by default a notice is raised only
# when the mapping contains 127.0.0.1; add "lost name" to the set via redef
# to have every such change reported.
event dns_mapping_lost_name(dm: dns_mapping)
	{
	dump_dns_mapping("lost name", dm);
	}
# Handler for dns_mapping_name_changed: reports the old mapping under the
# label "old name" and, only if that produced a notice, the new mapping
# under "new name".
#
# Because the second report is gated on the first, removing "old name" from
# dns_interesting_changes also suppresses the "new name" notice here, unless
# the old mapping contains 127.0.0.1.
event dns_mapping_name_changed(old_dm: dns_mapping, new_dm: dns_mapping)
	{
	if ( dump_dns_mapping("old name", old_dm) )
		{
		dump_dns_mapping("new name", new_dm);
		}
	}
# Handler for dns_mapping_altered: reports the mapping under the label
# "mapping" and, when that produced a notice, raises a second
# DNS_MappingChanged notice listing the old and new address sets.
#
# dm:        the mapping passed to dump_dns_mapping().
# old_addrs: address set printed on the left of the "->" in the notice.
# new_addrs: address set printed on the right of the "->" in the notice.
event dns_mapping_altered(dm: dns_mapping,
			  old_addrs: set[addr], new_addrs: set[addr])
	{
	if ( dump_dns_mapping("mapping", dm) )
		{
		# Built only when the first notice was raised, so both
		# notices always appear together.
		local detail = fmt("changed addresses: %As -> %As",
				   old_addrs, new_addrs);

		NOTICE([$note=DNS_MappingChanged,
			$msg=detail,
			$sub="changed addresses"]);
		}
	}