[Bro] Correlate DNS request/response with TCP/UDP connections

Seth Hall seth at icir.org
Thu Oct 10 05:33:23 PDT 2013

On Oct 10, 2013, at 6:50 AM, Jason Trost <jason.trost at gmail.com> wrote:

>    dns_response.dst_ip == conn.src_ip AND 
>     conn.dst_ip == dns_response.answer_ip AND 
>     (conn.timestamp - dns_response.timestamp) < THRESHOLD
> Has anyone done this?  Any guidance would be greatly appreciated.

Are you running a cluster?  This type of problem is one of the hardest to solve on distributed analysis.  

Otherwise if you are running a single node then it should be fairly easy.  I *think* you would essentially want to create a 2-tuple set with a short timeout.

# Entries added to this set expire 2 seconds after creation (&create_expire is the Bro attribute for that).
global watch_for_connections: set[addr, addr] = {} &create_expire=2secs;

You would fill out that set in one or more DNS event handlers and then check to see if any connections are being made in a connection_established handler.

Again though, if you are running a cluster this is a really hard problem.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
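The single-node approach described in this reply, written out as an added Bro script example (not code from the thread or from the Bro project): DNS answer handlers populate the expiring (client, answered address) set, and connection_established checks new TCP connections against it. The two-second window and the "print" output are assumptions for illustration; a real deployment would raise a notice instead.

```bro
# Correlate DNS answers with the connections that follow them (single node only;
# on a cluster the DNS and connection events may land on different workers).

# (client, address returned in a DNS answer). Each entry expires 2 seconds after
# it is created, so no cleanup logic is needed.
global watch_for_connections: set[addr, addr] = {} &create_expire=2secs;

# For a DNS exchange, c$id$orig_h is the client that sent the query, which is
# the "dns_response.dst_ip" in the original question.
event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
    {
    add watch_for_connections[c$id$orig_h, a];
    }

event dns_AAAA_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
    {
    add watch_for_connections[c$id$orig_h, a];
    }

# Fires for TCP connections once the handshake completes; use new_connection
# instead if UDP flows should be matched as well.
event connection_established(c: connection)
    {
    if ( [c$id$orig_h, c$id$resp_h] in watch_for_connections )
        print fmt("%s connected to %s within 2s of resolving it (conn %s)",
                  c$id$orig_h, c$id$resp_h, c$uid);
    }
```

A connection to an address that was never returned in a recent DNS answer (for example a hard-coded IP) simply never matches, which is the case most people build this correlation to find.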
