[Bro] Correlate DNS request/response with TCP/UDP connections
jason.trost at gmail.com
Thu Oct 10 03:50:21 PDT 2013
Is there a good way to correlate DNS requests/responses with subsequent
TCP/UDP connections using Bro (in realtime)? With how my tap is configured
I can see the client's DNS request/response and all their traffic. I want
to be able to combine their DNS request (if there is one) with the
corresponding TCP/UDP following it. For my use case I need this to be done
in realtime (not later by simply doing a JOIN). So, I am interested in a
single log entry with DNS request/response AND connection info.
It seems like this should be possible by basically doing the following:
dns_response.dst_ip == conn.src_ip AND
conn.dst_ip == dns_response.answer_ip AND
(conn.timestamp - dns_response.timestamp) < THRESHOLD
Has anyone done this? Any guidance would be greatly appreciated.
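The three-clause rule above is a streaming join: remember which answer addresses each client was handed, and when that client opens a connection to one of them within the threshold, emit the connection together with the DNS record that led to it. The Python model below is an added example written for this thread, not code from the original post or from the Bro project; it works on constructed in-memory records (RFC 5737 addresses) rather than live traffic, and the names `DnsResponse`, `Conn`, `DnsConnCorrelator` and `correlate` are its own. In a Bro script the same logic would hang off the `dns_A_reply` and `new_connection` events with a table keyed on (client, answer address); the model keeps the rule's behaviour, including expiry of stale answers, multi-answer responses, and the case where a different host did the lookup.

```python
"""Realtime DNS-to-connection correlation, modelled over constructed records."""
from collections import deque
from dataclasses import dataclass, asdict
from typing import Deque, Dict, List, Tuple


@dataclass(frozen=True)
class DnsResponse:
    ts: float
    uid: str
    client: str                 # destination of the response = the host that asked
    query: str
    answers: Tuple[str, ...]    # resolved addresses (A/AAAA answers)


@dataclass(frozen=True)
class Conn:
    ts: float
    uid: str
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str


class DnsConnCorrelator:
    """Joins each new connection to the most recent DNS answer that
    (a) was delivered to the connecting host and (b) resolved to the
    connection's destination, provided the answer is younger than
    `threshold` seconds.  This is the post's three-clause rule."""

    def __init__(self, threshold: float = 5.0) -> None:
        self.threshold = threshold
        # (client_ip, answer_ip) -> responses, oldest first
        self._pending: Dict[Tuple[str, str], Deque[DnsResponse]] = {}

    def on_dns(self, resp: DnsResponse) -> None:
        # One entry per answer so a multi-answer response matches any of them.
        for ip in resp.answers:
            self._pending.setdefault((resp.client, ip), deque()).append(resp)

    def _expire(self, now: float) -> None:
        # Bound memory: forget answers older than the threshold.
        for key in list(self._pending):
            dq = self._pending[key]
            while dq and now - dq[0].ts > self.threshold:
                dq.popleft()
            if not dq:
                del self._pending[key]

    def on_conn(self, conn: Conn) -> dict:
        """Return the connection as a dict, extended with the matching DNS
        fields (or None when the destination was not resolved by this host)."""
        self._expire(conn.ts)
        record = asdict(conn)
        record.update(dns_uid=None, dns_query=None, dns_age=None)
        dq = self._pending.get((conn.src_ip, conn.dst_ip))
        if dq:
            resp = dq[-1]  # newest answer wins
            record.update(dns_uid=resp.uid, dns_query=resp.query,
                          dns_age=round(conn.ts - resp.ts, 3))
        return record


def correlate(events: List[object], threshold: float = 5.0) -> List[dict]:
    """Feed a time-ordered mix of DnsResponse and Conn events; return one
    merged record per connection, in arrival order."""
    corr = DnsConnCorrelator(threshold)
    out: List[dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if isinstance(ev, DnsResponse):
            corr.on_dns(ev)
        else:
            out.append(corr.on_conn(ev))
    return out


# Constructed sample traffic (not real captures; RFC 5737 documentation addresses).
SAMPLE_EVENTS = [
    DnsResponse(100.0, "Cdns1", "10.0.0.5", "www.example.com", ("192.0.2.10", "192.0.2.11")),
    Conn(100.2, "Cconn1", "10.0.0.5", "192.0.2.11", 443, "tcp"),   # resolved, fresh
    Conn(100.3, "Cconn2", "10.0.0.5", "198.51.100.7", 22, "tcp"),  # no lookup preceded it
    DnsResponse(200.0, "Cdns2", "10.0.0.5", "cdn.example.net", ("203.0.113.9",)),
    Conn(210.0, "Cconn3", "10.0.0.5", "203.0.113.9", 80, "tcp"),   # answer older than threshold
    DnsResponse(300.0, "Cdns3", "10.0.0.6", "www.example.com", ("192.0.2.10",)),
    Conn(300.1, "Cconn4", "10.0.0.5", "192.0.2.10", 443, "tcp"),   # another host did the lookup
]

if __name__ == "__main__":
    for rec in correlate(SAMPLE_EVENTS):
        print(rec)
```

Only the first connection gets DNS fields: the second has no preceding lookup, the third arrives after the answer has aged out, and the fourth goes to an address that a different client resolved. Raising the threshold trades a larger pending table for tolerance of clients that cache answers longer before connecting, which is the tuning knob this join depends on.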