[Bro-Dev] [JIRA] (BIT-1156) DNS analyzer parses TXT records incompletely
[ https://bro-tracker.atlassian.net/browse/BIT-1156?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1156:
    Assignee: Jon Siwek (was: Robin Sommer)

DNS analyzer parses TXT records incompletely
    Key: BIT-1156
    URL: https://bro-tracker.atlassian.net/browse/BIT-1156
    Project: Bro Issue Tracker
    Issue Type: Problem
    Components: Bro
    Reporter: Robin Sommer
    Assignee: Jon Siwek
    Fix For: 2.3

The payload of DNS TXT records can consist of multiple character strings but the DNS analyzer parses out only the first. We should parse them all out and then probably concatenate into a single string to pass to the event, separated with semicolons or something.

I have a trace with an example but it would need anonymization before inclusion into the test suite.

--
This message was sent by Atlassian JIRA (v6.3-OD-02-026#6318)
___
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
[Bro-Dev] [JIRA] (BIT-1156) DNS analyzer parses TXT records incompletely
[ https://bro-tracker.atlassian.net/browse/BIT-1156?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1156:
    Status: Merge Request (was: Open)
[Bro-Dev] [JIRA] (BIT-1156) DNS analyzer parses TXT records incompletely
[ https://bro-tracker.atlassian.net/browse/BIT-1156?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16219#comment-16219 ]

Jon Siwek commented on BIT-1156:
    topic/jsiwek/bit-1156 in bro, bro-testing, bro-testing-private
[Bro-Dev] [JIRA] (BIT-1156) DNS analyzer parses TXT records incompletely
[ https://bro-tracker.atlassian.net/browse/BIT-1156?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1156:
    Resolution: Merged (was: Fixed)
    Status: Closed (was: Merge Request)
[Bro-Dev] [JIRA] (BIT-1156) DNS analyzer parses TXT records incompletely
[ https://bro-tracker.atlassian.net/browse/BIT-1156?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15727#comment-15727 ]

Robin Sommer commented on BIT-1156:
    Yes, this is what I meant; and right: it should be a vector, not a set.
[Bro-Dev] [JIRA] (BIT-1156) DNS analyzer parses TXT records incompletely
[ https://bro-tracker.atlassian.net/browse/BIT-1156?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15726#comment-15726 ]

Vern Paxson commented on BIT-1156:
    Does payload of DNS TXT records mean that an individual TXT record can consist of multiple character strings? If so, and if the order is significant/preserved, then set[string] wouldn't be the right type. If instead this is referring to multiple TXT RRs, then likely set[string] is okay (but worth double-checking the RFC regarding the semantics for that case).
[Bro-Dev] [JIRA] (BIT-1156) DNS analyzer parses TXT records incompletely
Robin Sommer created BIT-1156:
    Summary: DNS analyzer parses TXT records incompletely
    Key: BIT-1156
    URL: https://bro-tracker.atlassian.net/browse/BIT-1156
    Project: Bro Issue Tracker
    Issue Type: Problem
    Components: Bro
    Reporter: Robin Sommer
    Fix For: 2.3

The payload of DNS TXT records can consist of multiple character strings but the DNS analyzer parses out only the first. We should parse them all out and then probably concatenate into a single string to pass to the event, separated with semicolons or something.

I have a trace with an example but it would need anonymization before inclusion into the test suite.
[Bro-Dev] [JIRA] (BIT-1156) DNS analyzer parses TXT records incompletely
[ https://bro-tracker.atlassian.net/browse/BIT-1156?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15724#comment-15724 ]

Robin Sommer commented on BIT-1156:
    ... or better: pass a set[string] to the event.
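
The parsing gap discussed in this thread, as an added example that is not part of the original messages and is not Bro's analyzer code: TXT RDATA is a sequence of length-prefixed character-strings, and returning them as an ordered vector keeps duplicates and wire order that a set would lose. The function names and the sample record are hypothetical and constructed for illustration.

```cpp
// Added example, not Bro's analyzer code.
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Constructed TXT RDATA: "beta", "alpha", "beta" as length-prefixed
// <character-string>s (RFC 1035, section 3.3.14).
static const std::vector<uint8_t> kSampleRdata = {
    4, 'b', 'e', 't', 'a', 5, 'a', 'l', 'p', 'h', 'a', 4, 'b', 'e', 't', 'a'};

// Behaviour reported in the ticket: stop after the first character-string.
bool parse_txt_first(const std::vector<uint8_t>& rdata, std::string& out) {
    if (rdata.empty() || rdata[0] > rdata.size() - 1) return false;
    out.assign(rdata.begin() + 1, rdata.begin() + 1 + rdata[0]);
    return true;
}

// Parse every character-string in wire order. Fails on an empty RDATA or a
// length octet that runs past the end of the record.
bool parse_txt_all(const std::vector<uint8_t>& rdata,
                   std::vector<std::string>& out) {
    out.clear();
    std::size_t pos = 0;
    while (pos < rdata.size()) {
        std::size_t len = rdata[pos++];
        if (len > rdata.size() - pos) return false;  // truncated string
        out.emplace_back(rdata.begin() + pos, rdata.begin() + pos + len);
        pos += len;
    }
    return !out.empty();
}

int main() {
    std::string first;
    std::vector<std::string> all;
    if (parse_txt_first(kSampleRdata, first))
        std::cout << "first only: " << first << "\n";
    if (parse_txt_all(kSampleRdata, all))
        for (const auto& s : all) std::cout << "string: " << s << "\n";
    return 0;
}
```

Anything carried in the second or later character-string is invisible to a consumer of `parse_txt_first`, which is why the incomplete parse matters for monitoring.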