Merge pull request #116 from amm3/master

Base64 fix to httpdump, and feature update to dns
USArmyResearchLab · Mar 2, 2020 · 2c63476 · 2c63476
2 parents be3b374 + 86aaf7f
commit 2c63476
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 7 deletions.
diff --git a/decoders/dns/dns.py b/decoders/dns/dns.py
@@ -22,11 +22,13 @@ def decode_q(self, dns):
         queried = ""
         if dns.qd[0].type == dpkt.dns.DNS_A:
             queried = queried + "A? %s" % (dns.qd[0].name)
-        if dns.qd[0].type == dpkt.dns.DNS_CNAME:
+        elif dns.qd[0].type == dpkt.dns.DNS_CNAME:
             queried = queried + "CNAME? %s" % (dns.qd[0].name)
-        if dns.qd[0].type == dpkt.dns.DNS_AAAA:
+        elif dns.qd[0].type == dpkt.dns.DNS_AAAA:
             queried = queried + "AAAA? %s" % (dns.qd[0].name)
-        if dns.qd[0].type == dpkt.dns.DNS_PTR:
+        elif dns.qd[0].type == dpkt.dns.DNS_SOA:
+            queried = queried + "SOA? %s" % (dns.qd[0].name)
+        elif dns.qd[0].type == dpkt.dns.DNS_PTR:
             if dns.qd[0].name.endswith('.in-addr.arpa'):
                 query_name = '.'.join(
                     reversed(dns.qd[0].name.split('.in-addr.arpa')[0].split('.')))
@@ -39,11 +41,11 @@ def decode_q(self, dns):
 
         if dns.qd[0].type == dpkt.dns.DNS_NS:
             queried = queried + "NS? %s" % (dns.qd[0].name)
-        if dns.qd[0].type == dpkt.dns.DNS_MX:
+        elif dns.qd[0].type == dpkt.dns.DNS_MX:
             queried = queried + "MX? %s" % (dns.qd[0].name)
-        if dns.qd[0].type == dpkt.dns.DNS_TXT:
+        elif dns.qd[0].type == dpkt.dns.DNS_TXT:
             queried = queried + "TXT? %s" % (dns.qd[0].name)
-        if dns.qd[0].type == dpkt.dns.DNS_SRV:
+        elif dns.qd[0].type == dpkt.dns.DNS_SRV:
             queried = queried + "SRV? %s" % (dns.qd[0].name)
 
         return queried
@@ -65,7 +67,7 @@ def DNSHandler(self, conn, request, response, **kwargs):
                 conn.info(query=self.decode_q(dns))
 
             # DNS Answer with data and no errors
-            elif (dns.qr == dpkt.dns.DNS_A and dns.rcode == dpkt.dns.DNS_RCODE_NOERR and len(dns.an) > 0):
+            elif (dns.rcode == dpkt.dns.DNS_RCODE_NOERR and len(dns.an) > 0):
 
                 queried = self.decode_q(dns)
 
@@ -108,6 +110,16 @@ def DNSHandler(self, conn, request, response, **kwargs):
                 if queried != '':
                     anstext = 'NXDOMAIN'
 
+            #SOA response
+            elif dns.qd[0].type == dpkt.dns.DNS_SOA and len(dns.ns):
+                queried = self.decode_q(dns)
+                answers = []
+                for ns in dns.ns:
+                    if ns.type == dpkt.dns.DNS_SOA:
+                        answers.append('SOA: '+ ns.mname)
+                anstext = ", ".join(answers)
+
+
         # did we get an answer?
         if anstext and not self.only_noanswer and not self.only_norequest:
             self.alert(

diff --git a/decoders/http/httpdump.py b/decoders/http/httpdump.py
@@ -76,6 +76,9 @@ def HTTPHandler(self, conn, request, response, requesttime, responsetime):
                 request.method, response.status, host, uri_location, util.getHeader(response, 'content-type'))
         urlParams = util.URLDataToParameterDict(uri_data)
         postParams = util.URLDataToParameterDict(request.body)
+        # If URLData parser only returns a single element with null value, it's probably an eroneous evaluation.  Most likely base64 encoded payload ending in an '=' character.
+        if len(postParams)==1 and postParams[postParams.keys()[0]] == '\x00':
+        	postParams = None
 
         clientCookies = self._parseCookies(util.getHeader(request, 'cookie'))
         serverCookies = self._parseCookies(