[Bro] Additional Records in DNS

Chris Crawford christopher.p.crawford at gmail.com
Fri Jul 12 08:05:39 PDT 2013


I wrote a short bro script to test out dns_EDNS_addl:

# Print the connection UID for every EDNS OPT record the analyzer raises.
event dns_EDNS_addl(c: connection, msg: dns_msg, ans: dns_edns_additional)
	{
	print c$uid;
	}

But nothing happens when I run the script over some pcap that has DNS with
additional records.

I tried this with bro 2.1:

$ bro -v
bro version 2.1

Did the core analyzer part get implemented in an update on git after v 2.1?


On Wed, Jul 10, 2013 at 4:25 PM, Seth Hall <seth at icir.org> wrote:

>
> On Jul 10, 2013, at 4:04 PM, Chris Crawford <
> christopher.p.crawford at gmail.com> wrote:
>
> > # scripts/base/protocols/dns/main.bro
> >  318 # TODO: figure out how to handle these
> >  324 #event dns_EDNS_addl(c: connection, msg: dns_msg, ans:
> dns_edns_additional)
> >
> > Has anyone worked out a way to grab this information from a DNS reply?
> >
> > If not, could anyone point me in the right direction so that I can roll
> my own solution?
>
> The core analyzer part is implemented; the reason that comment is there is
> that I wasn't exactly sure how I should represent data from those events in
> the dns.log.
>
> You can handle that event and get the data.  Please get in touch with me
> if you have ideas or scripts that show how that data could be represented
> sanely in the dns.log.
>
> thanks,
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>
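Seth's request above is for a way to represent the EDNS data in dns.log. The following is an added example, not code from this thread or from the Bro project: it handles dns_EDNS_addl and records the OPT pseudo-record's fields as extra dns.log columns. It assumes the base DNS script has already created c$dns (in its dns_message handler at priority 5) before the per-record events fire, and that the dns.log entry is written after the additional section has been processed; the dns_edns_additional field names (payload_size, version, extended_rcode, z_field, is_query) are those of the Bro record type, and the DO-bit position follows RFC 6891.

```bro
##! Added example (not from the thread or the Bro project): record the EDNS
##! OPT pseudo-record seen in a reply as extra columns of dns.log.

module DNS;

export {
	redef record Info += {
		## UDP payload size advertised in the EDNS OPT record.
		edns_payload_size: count &log &optional;
		## EDNS version (0 for EDNS0).
		edns_version:      count &log &optional;
		## Upper 8 bits of the 12-bit extended RCODE.
		edns_ext_rcode:    count &log &optional;
		## DNSSEC OK (DO) bit.  Per RFC 6891 it is the high bit of the
		## 16-bit Z field; the core hands us that field as z_field.
		edns_do:           bool  &log &optional;
	};
}

# Assumed: the base DNS script has already created c$dns in its dns_message
# handler (priority 5), so this handler runs after it and only fills in columns.
event dns_EDNS_addl(c: connection, msg: dns_msg, ans: dns_edns_additional) &priority=3
	{
	if ( ! c?$dns )
		return;

	# A query's OPT record only announces the client's buffer size; the
	# reply's values are the ones worth keeping, so skip the query side.
	if ( ans$is_query == 1 )
		return;

	c$dns$edns_payload_size = ans$payload_size;
	c$dns$edns_version      = ans$version;
	c$dns$edns_ext_rcode    = ans$extended_rcode;
	# Bro 2.1 has no bitwise operators, so isolate the top bit of the
	# 16-bit z_field by integer division.
	c$dns$edns_do           = (ans$z_field / 32768) == 1;
	}
```

If your Bro version writes the dns.log entry from the last answer record rather than at the end of the message, the OPT record in the additional section arrives too late and these columns stay empty; in that case the write has to be deferred to dns_end.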