-help for zeek dns cache poisoning detection script

ridha_dabbous · September 28, 2020, 8:35pm

hi all ;
i am new and i don't have experience with zeek
i try to test this script to detect dns cache poisoning with zeek :

global query_and_id: set[string, int] &write_expire=1min;

event dns_query_reply (c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
{
  if([c$dns$query , c$dns$trans_id] in query_and_id){
    print fmt ("Possible DNS cache poisoning attempt --> Source IP: %s, Destination IP: %s, Query: %s", c$id$orig_h, c$id$resp_h, c$dns$query);
    return;
  }
  if(!([c$dns$query, c$dns$trans_id] in query_and_id)){
    add query_and_id[c$dns$query, c$dns$trans_id];
  }
}

but when i try this script i face this issue
1462583138.084234 expression error in ././try.zeek, line 5: field value missing (c$dns$query)

any help plz

Vern · September 28, 2020, 9:52pm

but when i try this script i face this issue
1462583138.084234 expression error in ././try.zeek, line 5: field value missing (c$dns$query)

The $dns field gets populated by a call to the set_session() hook. If you’re not doing any other DNS processing except what’s in the event in your script, then set_session() hasn’t been called.

BTW, in practice to catch cache poisoning you’ll need to compare the answers to make sure they differ. Unfortunately you’ll occasionally get benign duplicate replies (either due to network tapping issues, or occasionally due to rare network/system effects), probably at a rate a lot more common than seeing actual DNS cache poisoning. So if you don’t compare the replies (which unfortunately can be a pain), you might suffer from significant false positives.

— Vern

ridha_dabbous · September 29, 2020, 4:33am

Thanks for the tip!

system · May 6, 2022, 3:47pm