Merge remote-tracking branch 'origin/topic/bbannier/issue-10'

zeek · Sep 15, 2023 · 16bc483 · 16bc483
2 parents e2e0e45 + 493b266
commit 16bc483
Show file tree

Hide file tree

Showing 12 changed files with 49 additions and 7 deletions.
diff --git a/analyzer/analyzer.spicy b/analyzer/analyzer.spicy
@@ -77,10 +77,10 @@ type ResourceRecord = unit(msg: Message, rrtype: RRType) {
         RDType::MX   -> mx:      RDataMX(msg);
         RDType::SOA  -> soa:     RDataSOA(msg);
         RDType::SRV  -> srv:     RDataSRV(msg);
-        RDType::TXT  -> txt:     (CharacterString(msg))[self.rdlen];
+        RDType::TXT  -> txt:     (CharacterString(msg))[] &eod;
 
-        *            -> rdata:   bytes &size=self.rdlen;
-    };
+        *            -> rdata:   bytes &eod;
+    } &size=self.rdlen;
 };
 
 type RDataMX = unit(msg: Message) {

diff --git a/tests/analyzer/issue-10.zeek b/tests/analyzer/issue-10.zeek
@@ -0,0 +1,4 @@
+# @TEST-EXEC: zeek -r ${TRACES}/issue-10.pcap %INPUT
+# @TEST-EXEC: zeek-cut -cm uid service < conn.log > conn
+# @TEST-EXEC: btest-diff conn
+# @TEST-EXEC: btest-diff dns.log
diff --git a/tests/analyzer/issue-11.zeek b/tests/analyzer/issue-11.zeek
@@ -0,0 +1,4 @@
+# @TEST-EXEC: zeek -r ${TRACES}/issue-11.pcap %INPUT
+# @TEST-EXEC: zeek-cut -cm uid service < conn.log > conn
+# @TEST-EXEC: btest-diff conn
+# @TEST-EXEC: btest-diff dns.log
diff --git a/tests/analyzer/svr.zeek b/tests/analyzer/svr.zeek
@@ -1,6 +1,6 @@
 # @TEST-EXEC: zeek -r ${TRACES}/dns-svr.pcap %INPUT >output
-#     Zeek 3.0 prints intervals differently, leading to a change in TTL; not worth worrying about, so we just skip the diff for 3.0.
-# @TEST-EXEC: if zeek-version 40000; then btest-diff output; fi
+# Zeek 6.0 prints also includes `AD` and `CD` bits in `dns_msg` which leads to a difference in the baselines.
+# @TEST-EXEC: if zeek-version 60000; then btest-diff output; fi
 #
 # @TEST-DOC: Test the DNS SVR event.
 

diff --git a/tests/baseline/analyzer.issue-10/conn b/tests/baseline/analyzer.issue-10/conn
@@ -0,0 +1,4 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+### NOTE: This file has been sorted with diff-sort.
+CHhAvVGS1DHFjwGM9	dns
+uid	service
diff --git a/tests/baseline/analyzer.issue-10/dns.log b/tests/baseline/analyzer.issue-10/dns.log
@@ -0,0 +1,12 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+### NOTE: This file has been sorted with diff-sort.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	dns
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
+#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
+#close XXXX-XX-XX-XX-XX-XX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	157.97.168.103	50496	87.215.12.61	53	udp	12448	0.000307	_dmarc.offensive-operations.nl	1	C_INTERNET	16	TXT	0	NOERROR	T	F	F	F	1	TXT 9 v=DMARC1; TXT 9 p=reject; TXT 26 rua=mailto:[email protected]; TXT 26 ruf=mailto:[email protected]; TXT 10 sp=reject; TXT 8 adkim=s; TXT 5 fo=1;	28800.000000	F
diff --git a/tests/baseline/analyzer.issue-11/conn b/tests/baseline/analyzer.issue-11/conn
@@ -0,0 +1,4 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+### NOTE: This file has been sorted with diff-sort.
+CHhAvVGS1DHFjwGM9	dns
+uid	service
diff --git a/tests/baseline/analyzer.issue-11/dns.log b/tests/baseline/analyzer.issue-11/dns.log
@@ -0,0 +1,12 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+### NOTE: This file has been sorted with diff-sort.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	dns
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
+#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
+#close XXXX-XX-XX-XX-XX-XX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.1.50	5353	224.0.0.251	5353	udp	0	0.150999	_sleep-proxy._udp.local	1	C_INTERNET	12	PTR	0	NOERROR	T	F	F	F	0	TXT 12 model=J181AP,TXT 22 rpBA=AA:54:05:F9:EF:07 TXT 11 rpVr=440.10 TXT 17 rpAD=949db59a9fb3,_rdlink._tcp.local,mascon’s ipad._rdlink._tcp.local,mascons-ipad.local,TXT 7 rpMac=0 TXT 17 rpHN=f48bebe6fe3a TXT 12 rpFl=0x30000 TXT 17 rpHA=0716147f6c6f TXT 11 rpVr=440.10 TXT 17 rpAD=949db59a9fb3 TXT 17 rpHI=8685158a2d49 TXT 22 rpBA=AA:54:05:F9:EF:07,_companion-link._tcp.local,mascon’s ipad._companion-link._tcp.local,mascons-ipad.local,fe80::412:f623:e0cf:4f22,10.151.84.50,fd95:aae3:a235:42e7:1ce3:36a1:1c1a:c801	4500.000000,4500.000000,4500.000000,4500.000000,120.000000,4500.000000,4500.000000,4500.000000,120.000000,120.000000,120.000000,120.000000	F
diff --git a/tests/baseline/analyzer.svr/output b/tests/baseline/analyzer.svr/output
@@ -1,4 +1,4 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 ### NOTE: This file has been sorted with diff-sort.
-[orig_h=192.168.7.105, orig_p=54488/udp, resp_h=1.1.1.1, resp_p=53/udp], [id=19549, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, num_queries=1, num_answers=2, num_auth=0, num_addl=1], [answer_type=1, query=_sip._udp.sip.voice.google.com, qtype=33, qclass=1, TTL=4.0 mins 10.0 secs], sip-anycast-1.voice.google.com, 10, 1, 5060
-[orig_h=192.168.7.105, orig_p=54488/udp, resp_h=1.1.1.1, resp_p=53/udp], [id=19549, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, num_queries=1, num_answers=2, num_auth=0, num_addl=1], [answer_type=1, query=_sip._udp.sip.voice.google.com, qtype=33, qclass=1, TTL=4.0 mins 10.0 secs], sip-anycast-2.voice.google.com, 20, 1, 5060
+[orig_h=192.168.7.105, orig_p=54488/udp, resp_h=1.1.1.1, resp_p=53/udp], [id=19549, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, AD=F, CD=F, num_queries=1, num_answers=2, num_auth=0, num_addl=1], [answer_type=1, query=_sip._udp.sip.voice.google.com, qtype=33, qclass=1, TTL=4.0 mins 10.0 secs], sip-anycast-1.voice.google.com, 10, 1, 5060
+[orig_h=192.168.7.105, orig_p=54488/udp, resp_h=1.1.1.1, resp_p=53/udp], [id=19549, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, AD=F, CD=F, num_queries=1, num_answers=2, num_auth=0, num_addl=1], [answer_type=1, query=_sip._udp.sip.voice.google.com, qtype=33, qclass=1, TTL=4.0 mins 10.0 secs], sip-anycast-2.voice.google.com, 20, 1, 5060
diff --git a/tests/traces/README b/tests/traces/README
@@ -5,3 +5,5 @@ We collect them here for convenience only.
 
 - [dns53.pcap](https://github.com/zeek/zeek/blob/master/testing/btest/Traces/dns53.pcap)
 - dns-svr.pcap (self-made)
+- [issue-10.pcap](https://github.com/zeek/spicy-dns/issues/10#issuecomment-1717319651)
+- [issue-11.pcap](https://github.com/zeek/spicy-dns/issues/11#issue-1894086855)
diff --git a/tests/traces/issue-10.pcap b/tests/traces/issue-10.pcap
diff --git a/tests/traces/issue-11.pcap b/tests/traces/issue-11.pcap