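After you generate a Perl tree with the generator, go through it and replace the
non-responses with the right error string from the list below. Choose the
replacement by the server the tree was generated for: the Unbound string also
matches the Windows pattern, so the two rules cannot be applied blindly together.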
3
4-------------------------------------------------------------------------------
5
6"0,QUERY,0,0,1,0,0,0,NOERROR,1,0,0,0" => "header section incomplete" #Unbound
7
8"0.+" => "query timed out" #Windows Server(s)
9
10
11-------------------------------------------------------------------------------
Example (a tree for Windows servers):

If you have the responses
15
16"0,NS_NOTIFY_OP,0,1,1,0,1,1,NOTIMP,1,0,0,0",    #iq7
17"1,IQUERY,0,0,0,1,0,0,NOTIMP,1,0,0,0",    #iq8
18"0,IQUERY,0,0,0,1,1,1,NOERROR,1,0,0,0",    #iq9
19"1,QUERY,0,0,1,0,0,0,NOTIMP,1,0,0,0",    #iq10
20"0,QUERY,0,0,1,0,0,0,NOERROR,1,0,0,0",    #iq11
21
22
then this part of the tree
24
25{ fingerprint => $iq[8], result => { vendor =>"Microsoft", product=>"Windows DNS", version=>"2003"}, },
26{ fingerprint=>$iq[9], header=>$qy[4], query=>$nct[4], ruleset => [
27{ fingerprint => $iq[10], result => { vendor =>"Microsoft", product=>"Windows DNS", version=>"2003 R2"}, },
28{ fingerprint=>$iq[11], header=>$qy[5], query=>$nct[5], ruleset => [
29{ fingerprint => $iq[11], result => { vendor =>"Microsoft", product=>"Windows DNS", version=>"2008 R2"}, },
30{ fingerprint => $iq[10], result => { vendor =>"Microsoft", product=>"Windows DNS", version=>"2008"}, },
31{ fingerprint => ".+", state=>"q0r3q1r3q2r7q3r9q4r11q5r?" },
32
33
34should become
35
36{ fingerprint => $iq[8], result => { vendor =>"Microsoft", product=>"Windows DNS", version=>"2003"}, },
37{ fingerprint=>"query timed out", header=>$qy[4], query=>$nct[4], ruleset => [
38{ fingerprint => $iq[10], result => { vendor =>"Microsoft", product=>"Windows DNS", version=>"2003 R2"}, },
39{ fingerprint=>"query timed out", header=>$qy[5], query=>$nct[5], ruleset => [
40{ fingerprint => "query timed out", result => { vendor =>"Microsoft", product=>"Windows DNS", version=>"2008 R2"}, },
41{ fingerprint => $iq[10], result => { vendor =>"Microsoft", product=>"Windows DNS", version=>"2008"}, },
42{ fingerprint => ".+", state=>"q0r3q1r3q2r7q3r9q4r11q5r?" },
43
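if you follow the replacement instructions above: $iq[9] and $iq[11] start with 0
and so become "query timed out", while $iq[8] and $iq[10] start with 1 and are
left unchanged.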
45
There is an unresolved bug where BIND 9.4.0 -- 9.5.1 identifies as BIND 9.6.0. Until
it is fixed, a result of 9.6.0 has to be read as any of these versions. As a
temporary workaround, replace
48{ fingerprint => $iq[21], result => { vendor =>"ISC", product=>"BIND", version=>"9.6.0"}, },
49
50with
51
52{ fingerprint => $iq[21], result => { vendor =>"ISC", product=>"BIND", version=>"9.6.0 OR 9.4.0 -- 9.5.1"}, },