[Bro] Bro and Counting DNS rcodes

Rosebraugh, Connar connar.rosebraugh at egov.com
Thu Nov 7 12:27:25 PST 2013


I am trying to use Bro to count DNS rcodes, but it is returning numbers that are not correct. I am using the dns_message() event to collect the DNS messages, and I am using a pcap of 5000 packets that are all on port 53. After inspecting the packets in wireshark, I found that there were ~600 query results where rcode == 3. However, after running my script, not only did Bro only find 1 rcode == 3, but it only counted 2497 DNS messages. Is there something that I am missing?

Attached is the script that I am using to collect the rcodes. If you see some glaring logical error, please let me know.

Thanks,
Connar Rosebraugh
Intern, Security Operations
NICUSA, Inc.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20131107/9fee020c/attachment.html 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: test.bro.txt
Url: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20131107/9fee020c/attachment.txt 


More information about the Bro mailing list