[Bro] DNS state remains uninitialized in dns_message event
seth at icir.org
Tue Jun 26 07:00:55 PDT 2012
On Jun 26, 2012, at 9:16 AM, Naveed Anwar wrote:
> I want to capture DNS queries of a pcap but there is an issue with DNS events. The DNS state in the connection record remains uninitialized for my DNS queries.
> event dns_message(c: connection, is_orig: bool, msg: dns_msg, len: count)
I don't use the dns_message event in the base scripts for DNS so what is and what is not set when that event fires is currently undefined. Also, I'm a little unsure about what you suspect is unset in the output from your short script?
If you want to look at the data that ends up being inserted into the logs, you can look at it this way...
event DNS::log_dns(rec: DNS::Info)
International Computer Science Institute
(Bro) because everyone has a network
More information about the Bro