[Bro-Dev] Questions about dns.log

Seth Hall seth at icir.org
Tue Nov 29 09:41:00 PST 2011

On Nov 29, 2011, at 11:16 AM, Robin Sommer wrote:

> Two questions about dns.log:

I haven't ever really been satisfied with the content of that log.  It's really hard to represent the DNS request/response pair though considering that you have to weigh data volume with typical use cases.  It seems that all most people want (from a security forensics perspective) are the answers that came back from queries and who made the query.  The technical details (even response type) matter surprisingly little in most cases.  I would definitely like to talk about it more though.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

More information about the bro-dev mailing list