[Bro] Bro and Counting DNS rcodes
liam at broala.com
Thu Nov 7 12:44:27 PST 2013
Conner, are you on 2.1? There was a bug that has been fixed in the current
You could also simply summarize the existing dns.log with something like:
[bro at new-host-3 dns-ad-bruteforce]$ less dns.log | bro-cut rcode rcode_name | sort | uniq -c | sort -n
32 - -
1704 0 NOERROR
2279 3 NXDOMAIN
The columns are Count / Return Code / Return Code Name.
On Thu, Nov 7, 2013 at 3:27 PM, Rosebraugh, Connar <connar.rosebraugh at egov.com> wrote:
> I am trying to use Bro to count DNS rcodes, but it is returning numbers
> that are not correct. I am using the dns_message() event to collect the DNS
> messages, and I am using a pcap of 5000 packets that are all on port 53.
> After inspecting the packets in wireshark, I found that there were ~600
> query results where rcode == 3. However, after running my script, not only
> did Bro only find 1 rcode == 3, but it only counted 2497 DNS messages. Is
> there something that I am missing?
> Attached is the script that I am using to collect the rcodes. If you see
> some glaring logical error, please let me know.
> Connar Rosebraugh
> Intern, Security Operations
> NICUSA, Inc.
From the creators of Bro <http://www.bro.org>
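The same rcode summary done from dns.log in a script, with NXDOMAIN additionally broken out per client, which is the figure you want when checking a capture for hostname brute-forcing. This is an added example, not code from the thread or from Bro itself; the log content is a constructed sample in Bro's ASCII log layout (tab separated, '#fields' header, '-' for unset) with the column list trimmed.

```python
# Summarise rcodes from a Bro dns.log and spot NXDOMAIN-heavy clients.
# Constructed sample in Bro's ASCII layout (tab separated, '#fields' header,
# '-' for unset); column list trimmed to what this example needs.
from collections import Counter

SAMPLE_DNS_LOG = """#separator \\x09
#unset_field\t-
#fields\tts\tuid\tid.orig_h\tid.resp_h\tquery\trcode\trcode_name
1383859200.1\tC1\t10.0.0.5\t10.0.0.53\twww.example.com\t0\tNOERROR
1383859200.2\tC2\t10.0.0.5\t10.0.0.53\tmail.example.com\t0\tNOERROR
1383859200.3\tC3\t10.0.0.9\t10.0.0.53\tadmin.example.com\t3\tNXDOMAIN
1383859200.4\tC4\t10.0.0.9\t10.0.0.53\tvpn.example.com\t3\tNXDOMAIN
1383859200.5\tC5\t10.0.0.9\t10.0.0.53\tdev.example.com\t3\tNXDOMAIN
1383859200.6\tC6\t10.0.0.9\t10.0.0.53\tintranet.example.com\t-\t-
#close\t2013-11-07-12-44-27
"""

def parse_bro_log(lines):
    """Rows as dicts keyed by '#fields'; the unset marker becomes None, not 0."""
    sep, unset, fields, rows = "\t", "-", None, []
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#separator "):
            # first header line spells the separator as an escape, e.g. \x09
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#"):
            key, _, val = line[1:].partition(sep)
            if key == "unset_field":
                unset = val
            elif key == "fields":
                fields = val.split(sep)
        elif line:
            rows.append({k: (None if v == unset else v)
                         for k, v in zip(fields, line.split(sep))})
    return rows

def count_rcodes(rows):
    """Same summary as 'bro-cut rcode rcode_name | sort | uniq -c'."""
    return Counter((r["rcode"], r["rcode_name"]) for r in rows)

def nxdomain_ratio_by_client(rows, min_answers=3):
    """NXDOMAIN share of answered queries per client; unanswered rows are skipped."""
    total, nx = Counter(), Counter()
    for r in rows:
        if r["rcode"] is None:
            continue
        total[r["id.orig_h"]] += 1
        nx[r["id.orig_h"]] += r["rcode"] == "3"  # bool adds as 0/1
    return {h: nx[h] / total[h] for h in total if total[h] >= min_answers}
```

Queries that never got a reply show up with rcode '-' in dns.log (the "32 - -" line above) and are kept out of the ratio's denominator.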