[Bro] Incorporating dns_reponse in dns_request

Will baxterw3232 at gmail.com
Wed Mar 16 11:17:03 PDT 2011

Hello All,

Below is my event for dns_request in my site specific dns.bro policy.
It currently creates a notice.log entry (and eventually an email alert)
when any internal host does a look up for a domain in our

'172.x.x.x queried 'very.bad.org' @ 2011-03-16-12:41:13.560817003 (EST)'

The only thing missing from this is the returned IP address, if one was

Current Function (with zone transfer logic removed for brevity):
event dns_request(c: connection, msg: dns_msg, query: string, qtype: count,
qclass: count)
       local id = c$id;
       local orig = id$orig_h;
       local resp = id$resp_h;
       local session = lookup_DNS_session(c, msg$id);
       local anno = DNS_query_annotation(c, msg, query, qtype, F);
       local report = fmt("%.06f #%d %s", network_time(), session$id,
       local q: string;

       if ( orig in okay_to_lookup_sensitive_hosts )

       if ( logging )
               print dns_log, fmt("%s", report);

       # Check to see if this is a host or MX lookup for a designated
hostile domain.
       local subq = second_level_domain(query);
       if ( check_domain_list && (query_types[qtype] == "A" ||
query_types[qtype] == "MX") && subq in hostile_domain_list )
               if( subq in hostile_domain_list[subq] ||
third_level_domain(query) in hostile_domain_list[subq] )
                       NOTICE([$note=SensitiveDNS_Lookup, $conn=c,
$msg=fmt("%s queried '%s' @ %T (EST)", id$orig_h, query, network_time())]);
       session$pending_queries[msg$id] = anno;
       session$last_active = network_time();

I have tried to incorporate code from some of the other functions like
creating a local drr variable and passing that to the function, but haven't
had any luck.

Something like this:
function insert_name(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
       local drr: dns_response_record;

So, I guess my question is, is there a way to evaluate a DNS query along
with its corresponding response and return an IP address in this same event?

I assume this may be a 'no' if each is handled completely independent.

Thanks for listening...err...reading!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20110316/f9441ecc/attachment.html 

More information about the Bro mailing list