Zeek Scripting "Error field missing value" - bro

I'm trying to write a Zeek script to divide the dns traffic into two log files (query and reply)
The error is "Field missing value" for the code $TTL=c$dns$TTLs in dns_query_reply event.
I don't understand the reason for this error since the dns.log file correctly contains the value.
The code is as follows:
module DnsFeatureExtractor;
export{
redef enum Log::ID += {QueryDNS};
redef enum Log::ID += {ReplyDNS};
type InfoQuery: record{
uid: string &log;
id: conn_id &log;
domain: string &log &optional;
query_type: string &log &optional;
timestamp: time &log;
};
type InfoReply: record{
uid: string &log;
id: conn_id &log;
response_code: count &log &optional;
TTL: vector of interval &log &optional;
resolved_IP: vector of string &log &optional;
timestamp: time &log;
};
}
event zeek_init(){
Log::create_stream(QueryDNS, [$columns=InfoQuery, $path="QueryDNS"]);
Log::create_stream(ReplyDNS, [$columns=InfoReply, $path="ReplyDNS"]);
}
event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count){
local name_qtype = DNS::query_types[qtype];
local rec: DnsFeatureExtractor::InfoQuery = [$uid=c$uid, $id=c$id, $domain=query, $query_type=name_qtype, $timestamp=c$start_time];
Log::write(DnsFeatureExtractor::QueryDNS, rec);
}
event dns_query_reply(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count){
local rec_r: DnsFeatureExtractor::InfoReply = [$uid=c$uid, $id=c$id, $response_code=msg$rcode, $TTL=c$dns$TTLs, $resolved_IP=c$dns$answers, $timestamp=c$start_time];
Log::write(DnsFeatureExtractor::ReplyDNS, rec_r);
}


This one's subtle: you're seeing an ordering problem. The dns_query_reply event handler is invoked before that of the event that actually populates the TTLs (such as dns_A_reply).
The c$dns fields in question get populated in the DNS::do_reply hook, so your best bet is to ensure you add to the hook. If you use the default priority, it'll run after the one that populates the fields. Try this instead of the dns_query_reply handler:
hook DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string) {
local rec_r: DnsFeatureExtractor::InfoReply = [$uid=c$uid, $id=c$id, $response_code=msg$rcode, $TTL=c$dns$TTLs, $resolved_IP=c$dns$answers, $timestamp=c$start_time];
Log::write(DnsFeatureExtractor::ReplyDNS, rec_r);
}
Note that you're still dealing with optional record values, so it's possible that despite the above you still don't see all field values. To guard against that, you could check whether the optional values are actually defined, and copy them over only in that case:
hook DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string)
{
local rec_r: DnsFeatureExtractor::InfoReply = [$uid=c$uid, $id=c$id, $response_code=msg$rcode, $timestamp=c$start_time];
if ( c$dns?$TTLs )
rec_r$TTL = c$dns$TTLs;
if ( c$dns?$answers )
rec_r$resolved_IP = c$dns$answers;
Log::write(DnsFeatureExtractor::ReplyDNS, rec_r);
}

Related

Check if a request has a response in Zeek language

Good Morning,
I have a Zeek machine generating logs on a Modbus traffic.
Currently, my script generates logs looking like this :
ts tid id.orig_h id.orig_p id.resp_h id.resp_p unit_id func network_direction
1342774501.072580 32 10.2.2.2 51411 10.2.2.3 502 255 READ_HOLDING_REGISTERS request
1342774501.087014 32 10.2.2.2 51411 10.2.2.3 502 255 READ_HOLDING_REGISTERS response
'tid' is the transaction id to identify a request/response couple. I want to know if a robot hasn't responded to the Controller by logging only requests that did not have a response within 1 second.
My code is :
module Modbus_Extended;
export {
redef enum Log::ID += { LOG_DETAILED,
LOG_MASK_WRITE_REGISTER,
LOG_READ_WRITE_MULTIPLE_REGISTERS};
type Modbus_Detailed: record {
ts : time &log; # Timestamp of event
tid : count &log; # Zeek unique ID for connection
id : conn_id &log; # Zeek connection struct (addresses and ports)
unit_id : count &log; # Modbus unit-id
func : string &log &optional; # Modbus Function
network_direction : string &log &optional; # Message direction (request or response)
address : count &log &optional; # Starting address for value(s) field
quantity : count &log &optional; # Number of addresses/values read or written to
values : string &log &optional; # Coils, discrete_inputs, or registers read/written to
};
global log_modbus_detailed: event(rec: Modbus_Detailed);
global transaction_ids: set[string, string] = {};
event modbus_message(c: connection,
headers: ModbusHeaders,
is_orig: bool) &priority=-5 {
local modbus_detailed_rec: Modbus_Detailed;
if(headers$tid !in transaction_ids[count]){
add transaction_ids[headers$tid, c$modbus$ts]
}else{
delete transaction_ids[headers$tid, c$modbus$ts]
}
for(i in transaction_ids[timestamp]){
if(c$modbus$ts > transactions_ids[headers$tid, i] +1)
{
Log::write(LOG_DETAILED, modbus_detailed_rec);
}
}
}
}
My guess is that I have to store transaction ids and check if I get only one occurence within this timelapse and then log it into a file, but I can figure out how to do it. Currently I can only generate logs with all the modbus traffic.
Thank you for your help

Gatling use session.set and feed simultaneously

If I use .get("/***/quotes-${endPoint}/quotes?source=rtbp&userid=test&symbol=${pTypeSymbol}${authM}${pEqSymbol}") then ${pEqSymbol} work but
${pTypeSymbol} will be ${pEqSymbol} it's incorrect example of get it should be in code below
val getApiKeyScenario = scenario("getApiKey")
.feed(getApiKeyData)
.feed(pEqSymbolFeed)
.feed(pOptionSymbol)
.feed(pOtherSymbol)
.exec(session => session
.set("endPoint", "v1")
.set("pTypeSymbol", "${pEqSymbol}")
.set("authM", "&apikey=***********"))
.exec(http("getApiKeyRequest")
.get("/******/quotes-${endPoint}/quotes?source=rtbp&userid=test&symbol=${pTypeSymbol}${authM}")
.check(status.is(200))
.check(checkIf(doLogResponse) {
bodyString.saveAs("pResponse")
})
)
.doIf(doLogResponse) {
logResponse()
}
If I try .set("pTypeSymbol", pEqSymbolFeed.readRecords.head("pEqSymbol")) will be loop
If I try .set("pTypeSymbol", s"${pEqSymbol.isDefined}") not found: value pEqSymbol
If I try s"${pEqSymbol}" not found: value pEqSymbol
I logs now is GET *******/quotes-v1/quotes?source=rtbp&userid=test&symbol=${pEqSymbol}&apikey=******
But should be GET *******/quotes-v1/quotes?source=rtbp&userid=test&symbol="Here my value from feed"&apikey=******

Please read the official documentation:
This Expression Language only works on String values being passed to Gatling DSL methods. Such Strings are parsed only once, when the Gatling simulation is being instantiated.
For example queryParam("latitude", session => "${latitude}") wouldn’t work because the parameter is not a String, but a function that returns a String.
In your example, you don't need to copy pEqSymbol into pTypeSymbol, you can directly write:
.exec(session => session
.set("endPoint", "v1")
.set("authM", "&apikey=***********"))
.exec(http("getApiKeyRequest")
.get("/******/quotes-${endPoint}/quotes?source=rtbp&userid=test&symbol=${pEqSymbol}${authM}")
)
)
But if you insist on copying, you have to use the Session API:
.set("pTypeSymbol", session("pEqSymbol").as[String])

Vue.js Nuxt - cannot access Array (value evaluated upon first expanding error)

I have the following function which gives me an array called URLs
const storageRef = this.$fire.storage.ref().child(fileName)
try {
const snapshot = storageRef.put(element).then((snapshot) => {
snapshot.ref.getDownloadURL().then((url) => {
urls.push(url)
})
})
console.log('File uploaded.')
} catch (e) {
console.log(e.message)
}
});
console.log(urls)
console.log("about to run enter time with imageurls length " + urls.length)
When I run console.log(URLs) initially I do see the array like the following
[]
0: "testvalue"
length: 1
__proto__: Array(0)
However, there is a small information icon stating
This value was evaluated upon first expanding. The value may have changed since.
Because of this, when I try to get the length of URLs, I get zero, meaning the value is being updated.
Does anyone know what's happening? I am using Vue.JS/Nuxt.

I am trying to get data over an OpenWeather API in Rust but I am facing some iusse regarding parsing I guess

extern crate openweather;
use openweather::LocationSpecifier;
static API_KEY: &str = "e85e0a3142231dab28a2611888e48f22";
fn main() {
let loc = LocationSpecifier::Coordinates {
lat: 24.87,
lon: 67.03,
};
let weather = openweather::get_current_weather(loc, API_KEY).unwrap();
print!(
"Right now in Minneapolis, MN it is {}K",
weather.main.humidity
);
}
error : thread 'main' panicked at 'called Result::unwrap() on an
Err value: ErrorReport { cod: 0, message: "Got unexpected response:
\"{\\"coord\\":{\\"lon\\":67.03,\\"lat\\":24.87},\\"weather\\":[{\\"id\\":803,\\"main\\":\\"Clouds\\",\\"description\\":\\"broken
clouds\\",\\"icon\\":\\"04n\\"}],\\"base\\":\\"stations\\",\\"main\\":{\\"temp\\":294.15,\\"pressure\\":1018,\\"humidity\\":60,\\"temp_min\\":294.15,\\"temp_max\\":294.15},\\"visibility\\":6000,\\"wind\\":{\\"speed\\":5.1,\\"deg\\":30},\\"clouds\\":{\\"all\\":70},\\"dt\\":1574012543,\\"sys\\":{\\"type\\":1,\\"id\\":7576,\\"country\\":\\"PK\\",\\"sunrise\\":1573955364,\\"sunset\\":1573994659},\\"timezone\\":18000,\\"id\\":1174872,\\"name\\":\\"Karachi\\",\\"cod\\":200}\""
}

The issue is a JSON parsing error due to the deserialized struct not matching OpenWeather's JSON, perhaps the API recently added this? With your example, the OpenWeatherCurrent struct is missing timezone.
But it looks like there is an open PR that will fix this, you can test it by doing the following:
Change your Cargo.toml dependency to openweather = { git = "https://github.com/caemor/openweather" }.
The PR author has also updated the get_current_weather signature so you'll need to change lines 2, 10 to the following:
use openweather::{LocationSpecifier, Settings};
let weather = openweather::get_current_weather(&loc, API_KEY, &Settings::default()).unwrap();

Bro script for reading a list of Ips and domains

I am trying to read a file with a list of IP addresses and another one with domains, as a proof of concept of the Input Framework defined in https://docs.zeek.org/en/stable/frameworks/input.html
I´ve prepared the following bro scripts:
reading.bro:
type Idx: record {
ip: addr;
};
type Idx: record {
domain: string;
};
global ips: table[addr] of Idx = table();
global domains: table[string] of Idx = table();
event bro_init() {
Input::add_table([$source="read_ip_bro", $name="ips",
$idx=Idx, $destination=ips, $mode=Input::REREAD]);
Input::add_table([$source="read_domain_bro", $name="domains",
$idx=Idx, $destination=domains, $mode=Input::REREAD]);
Input::remove("ips");
Input::remove("domains");
}
And the bad_ip.bro script, which check if an IP is in the blacklist, which loads the previous one:
bad_ip.bro
#load reading.bro
module HTTP;
event http_reply(c: connection, version: string, code: count, reason: string)
{
if ( c$id$orig_h in ips )
print fmt("A malicious IP is connecting: %s", c$id$orig_h);
}
However, when I run bro, I get the error:
error: Input stream ips: Table type does not match index type. Need type 'string':string, got 'addr':addr
Segmentation fault (core dumped)

You cannot assign a string type to an addr type. In order to do so, you must use the utility function to_addr(). Of course, it would be wise to verify that that string contains a valid addr first. For example:
if(is_valid_ip(inputString){
inputAddr = to_addr(inputString)
} else { print "addr expected, got a string"; }