[Bro-Dev] Questions about dns.log
Seth Hall
seth at icir.org
Tue Nov 29 09:41:00 PST 2011
On Nov 29, 2011, at 11:16 AM, Robin Sommer wrote:
> Two questions about dns.log:
I haven't ever really been satisfied with the content of that log. It's really hard to represent the DNS request/response pair though, considering that you have to weigh data volume against typical use cases. It seems that all most people want (from a security forensics perspective) are the answers that came back from queries and who made the query. The technical details (even response type) matter surprisingly little in most cases. I would definitely like to talk about it more though.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/