[Bro] reverse DNS based on bro's forward DNS query log
seth at icir.org
Thu Aug 23 08:15:23 PDT 2012
On Aug 23, 2012, at 10:48 AM, Stephane Chazelas <stephane.chazelas at gmail.com> wrote:
> $ tail -1 dns.log
> 1345732627.030897 jUJU3ZwGOv4 x.x.x.x 54866 x.x.x.x 53 udp 44687 static.ak.facebook.com 1 C_INTERNET 1 A 0 NOERROR F F F T T 0 static.ak.facebook.com.edgesuite.net,a749.dsw4.akamai.net,184.108.40.206,220.127.116.11 3364.000000,348.000000,15.000000,15.000000
> $ dig -x 18.104.22.168 +short
That's cool! Definitely send along anything you can. I'm sure that quite a few people will be interested in this (I am).
In 2.2 we should have some database logging framework writer plugins so we might be able to remove your script eventually and have Bro send these logs directly to the database.
Yet another cool Bro thing! You're on a roll today.
FYI, the mailing list address is bro at bro-ids.org now. The old lbl.gov address was deprecated a while ago.
International Computer Science Institute
(Bro) because everyone has a network
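A passive reverse-DNS lookup built from the forward dns.log, as an added example in Python (it is neither the poster's script nor part of Bro): it assumes the 23-field Bro 2.0 dns.log layout of the quoted line, and the sample log lines embedded in it are constructed, not real traffic.

```python
"""Passive reverse-DNS map from Bro 2.0-style dns.log lines (23 whitespace/tab-
separated fields, as in the quoted entry: ts uid id.orig_h id.orig_p id.resp_h
id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode
rcode_name QR AA TC RD RA Z answers TTLs). answers and TTLs are parallel
comma-separated vectors and '-' marks an empty field."""
import ipaddress
from collections import defaultdict

QUERY_IDX, RCODE_IDX, ANSWERS_IDX, TTLS_IDX = 8, 13, 21, 22

# Constructed sample lines in the quoted layout, using RFC 5737 documentation
# addresses; not real traffic.
SAMPLE_DNS_LOG = """\
1345732627.030897 jUJU3ZwGOv4 10.0.0.5 54866 10.0.0.1 53 udp 44687 static.ak.facebook.com 1 C_INTERNET 1 A 0 NOERROR F F F T T 0 static.ak.facebook.com.edgesuite.net,a749.dsw4.akamai.net,192.0.2.10,192.0.2.11 3364.000000,348.000000,15.000000,15.000000
1345732630.100000 aBcDeFgHiJk 10.0.0.5 54867 10.0.0.1 53 udp 44688 www.example.net 1 C_INTERNET 1 A 0 NOERROR F F F T T 0 192.0.2.10 300.000000
1345732631.500000 zYxWvUtSrQp 10.0.0.5 54868 10.0.0.1 53 udp 44689 nxdomain.example 1 C_INTERNET 1 A 3 NXDOMAIN F F F T T 0 - -
"""

def parse_dns_log(text):
    """Yield (query, [(answer, ttl), ...]) for each successfully answered line."""
    for line in text.splitlines():
        f = line.split()
        # skip blank/comment lines, failed lookups and lines with no answers
        if not f or f[0].startswith("#") or len(f) < 23:
            continue
        if f[RCODE_IDX] != "0" or f[ANSWERS_IDX] == "-":
            continue
        yield f[QUERY_IDX], list(zip(f[ANSWERS_IDX].split(","),
                                     f[TTLS_IDX].split(",")))

def build_reverse_map(text):
    """Map each answer IP to {name: ttl}; the query name and every CNAME
    target in the chain count as names for the IP, and the TTL is kept so
    stale entries can be aged out later."""
    rdns = defaultdict(dict)
    for query, pairs in parse_dns_log(text):
        names = [query]
        for answer, ttl in pairs:
            try:
                ip = str(ipaddress.ip_address(answer))
            except ValueError:
                names.append(answer)  # CNAME target, not an address
                continue
            for name in names:
                rdns[ip][name] = float(ttl)
    return dict(rdns)

def reverse_lookup(rdns, ip):
    """Sorted names seen for ip: a passive equivalent of `dig -x ip +short`."""
    return sorted(rdns.get(str(ipaddress.ip_address(ip)), {}))
```

Unlike `dig -x`, this answers from what clients on the monitored network actually resolved, so CDN hostnames and CNAME chains that have no PTR record still come back.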