SSHFP RR type in Bro Logs

by J. Edward Durrett

I found something strange in the DNS logs collected by Bro. The Bro DNS log incorrectly identifies SSHFP (SSH host key fingerprint) queries as SINK. That is, there is a mapping error between the numeric RR type codes and the human-readable RR names ("A", "PTR", etc.). In the logs, these are the qtype and qtype_name fields respectively.

Here is an example; notice the qtype and qtype_name mismatch:

1508101795.130640 CiM2402sD7lR6dpMT6 192.168.40.30 16566 192.168.11.1 53 udp 30081 - ssh-server.xxxxxx.xx.example.com 1 C_INTERNET 44 SINK 0 NOERROR F F T F 0 - - F

Narrowing that down and searching for similar records, I got:

$ zcat dns.21:00:00-22:00:00.log.gz | ../../bin/bro-cut qtype qtype_name | grep "SINK"
44 SINK
44 SINK
44 SINK
44 SINK
44 SINK
44 SINK
44 SINK

RR type 44 is SSHFP [1].

Searching through the Bro source I found the problem in this script:

scripts/base/protocols/dns/consts.bro

Lines 24 and 25:

[EDNS] = "EDNS", [42] = "APL", [43] = "DS", [44] = "SINK",
[45] = "SSHFP", [46] = "RRSIG", [47] = "NSEC", [48] = "DNSKEY",


Should be:

[EDNS] = "EDNS", [42] = "APL", [43] = "DS", [44] = "SSHFP",
[45] = "IPSECKEY", [46] = "RRSIG", [47] = "NSEC", [48] = "DNSKEY",


RR type 45 is IPSECKEY [2].

I filed an issue report [3], but this is also easily correctable on an already installed system. However, looking at the GitHub page, it has been quite a while since this file was updated [4]. That means that if a script were designed, for example, to parse a log for SSHFP query types by name in order to correlate them with an SSH login, nothing would be found. If it were designed to match on the numeric code, 44, then it would work. The same goes for IPSECKEY.
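To show the difference in practice, here is an added example (not code from the post or from the Bro project) that parses a constructed dns.log excerpt in Bro's tab-separated format, keys on the numeric qtype as recommended above, and flags records whose qtype_name disagrees with the code. The field list, the second and third records, and the QTYPE_NAMES subset are assumptions for the example; the first record is the one from the post.

```python
# Authoritative RR type names keyed by numeric code (RFC 4255 for 44, RFC 4025 for 45);
# only a small subset is included here. Scripts should match on the number, not the name.
QTYPE_NAMES = {1: "A", 12: "PTR", 28: "AAAA", 43: "DS",
               44: "SSHFP", 45: "IPSECKEY", 46: "RRSIG", 47: "NSEC", 48: "DNSKEY"}

# Constructed dns.log excerpt (subset of the real #fields header; first record is from the post,
# the other two are made up to show a correct record and a second mislabelled one).
SAMPLE_LOG = "\n".join([
    "#separator \\x09",
    "#path\tdns",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\ttrans_id\trtt"
    "\tquery\tqclass\tqclass_name\tqtype\tqtype_name\trcode\trcode_name",
    "1508101795.130640\tCiM2402sD7lR6dpMT6\t192.168.40.30\t16566\t192.168.11.1\t53\tudp\t30081\t-"
    "\tssh-server.xxxxxx.xx.example.com\t1\tC_INTERNET\t44\tSINK\t0\tNOERROR",
    "1508101796.000000\tCabc123\t192.168.40.31\t40000\t192.168.11.1\t53\tudp\t30082\t-"
    "\twww.example.com\t1\tC_INTERNET\t1\tA\t0\tNOERROR",
    "1508101797.000000\tCdef456\t192.168.40.32\t40001\t192.168.11.1\t53\tudp\t30083\t-"
    "\tvpn.example.com\t1\tC_INTERNET\t45\tSSHFP\t0\tNOERROR",
    "#close\t2017-10-15-22-00-00",
])

def parse_bro_log(text):
    """Yield one dict per record, taking column names from the #fields header line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header/footer lines and blanks
        elif fields:
            yield dict(zip(fields, line.split("\t")))

def find_mislabeled(text):
    """Return (query, qtype, logged_name, correct_name) for records whose qtype_name
    does not match the numeric qtype; unknown codes are skipped."""
    out = []
    for rec in parse_bro_log(text):
        code = int(rec["qtype"])
        expected = QTYPE_NAMES.get(code)
        if expected and rec["qtype_name"] != expected:
            out.append((rec["query"], code, rec["qtype_name"], expected))
    return out

def queries_of_type(text, code):
    """Queries for a given numeric RR type (e.g. 44 for SSHFP), independent of qtype_name."""
    return [r["query"] for r in parse_bro_log(text) if r["qtype"] == str(code)]

if __name__ == "__main__":
    for row in find_mislabeled(SAMPLE_LOG):
        print("mismatch: %s qtype=%d logged=%s expected=%s" % row)
```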

It is also worth knowing that there is a strong likelihood someone has noticed this before and wrote scripts knowing that SINK=SSHFP. Before making a change in an existing configuration, care should be taken that you are not breaking a previously written script.

References:

[1] https://tools.ietf.org/html/rfc4255#section-3.1
[2] https://tools.ietf.org/html/rfc402
[3] https://bro-tracker.atlassian.net/browse/BIT-1858
[4] https://github.com/bro/bro/blob/master/scripts/base/protocols/dns/consts.bro
Copyright (c) 2019, Jason Edward Durrett - All content on this site, unless otherwise noted, is subject to this license.