[Bro] Fwd: BRO: DNS TTL

Shaleta Bennett shaleta.bennett at gmail.com
Wed Feb 12 11:09:59 PST 2014

Hi, I would like to detect if a DNS request for a host occurred before the
TTL expired for that particular host. I gave it a try but it doesn't work. My
code is below. Can anyone help me with this or tell me what I am
doing wrong?


---------- Forwarded message ----------
From: Shaleta Bennett <shaleta.bennett at gmail.com>
Date: Tue, Feb 11, 2014 at 8:31 PM
Subject: BRO: DNS TTL
To: bro at bro.org

Hi, I am trying to detect if a DNS request is made before its TTL has
expired. For example, if I make a request to www.example.com and I
immediately make another request to www.example.com before the TTL is up, I
would like to see a notice for this. The code below compiles without errors
but I am not getting any notice for the example explained above. I think
there may be an issue with the TTL vector. I would like to store it in a
vector the same way I did for dnsTime and dnsQuery. However, TTLs is
already a vector of interval. Do you have any suggestions after viewing the
code below? Thanks.

redef enum Notice::Type += { DetectDNSTTL };

global dnsTime: time;
global dnsQuery: string;
global dnsTTL: vector of interval;

global dnsTimeVector: vector of time;
global dnsQueryVector: vector of string;
global dnsTTLVector: vector of interval;

event dns_request(c: connection, msg: dns_msg, query: string, qtype: count,
                  qclass: count)
    {
    dnsTime = c$dns$ts;
    dnsQuery = c$dns$query;

    # Append to the vectors instead of replacing them with a one-element vector
    dnsTimeVector[|dnsTimeVector|] = dnsTime;
    dnsQueryVector[|dnsQueryVector|] = dnsQuery;

    # Save vector TTLs in dnsTTLVector. TTLs is filled in from the reply,
    # so at dns_request time it is usually not present yet; guard for that.
    if ( c$dns?$TTLs )
        {
        dnsTTL = c$dns$TTLs;
        for ( j in dnsTTL )
            dnsTTLVector[|dnsTTLVector|] = dnsTTL[j];
        }

    # Check if query is already in vector. Note that dnsQueryVector and
    # dnsTTLVector grow at different rates (one entry per query vs. one per
    # answer record), so index i is only valid in dnsTTLVector if it exists.
    for ( i in dnsQueryVector )
        {
        if ( dnsQuery == dnsQueryVector[i] && i < |dnsTTLVector| )
            {
            # Calculate the TTL expiration by adding the DNS request TTL and time
            local ttlExpiration = dnsTimeVector[i] + dnsTTLVector[i];

            # Send a notice if DNS request time is less than TTL expiration time
            if ( dnsTime <= ttlExpiration )
                NOTICE([$note = DetectDNSTTL,
                        $msg = "DNS Request occurred before TTL expired",
                        $conn = c]);
            }
        }
    }
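A working version of the check the post describes, added here as an example (it is not the poster's code): the expiry is recorded when the answer arrives, since c$dns$TTLs is not populated yet inside dns_request, and the next request for the same name is compared against it. The module name, notice name and the one-day table expiry are choices made for this example.

```bro
@load base/frameworks/notice

module DNSTTL;

export {
    redef enum Notice::Type += {
        ## A name was queried again while the previous answer's TTL was still valid.
        Request_Before_TTL_Expired
    };
}

# Expiration time of the most recent answer seen for each query name.
# Entries age out after a day so the table cannot grow without bound.
global ttl_expiry: table[string] of time &create_expire=1day;

# Record the expiry time when an address answer arrives.
function record_expiry(ans: dns_answer)
    {
    ttl_expiry[to_lower(ans$query)] = network_time() + ans$TTL;
    }

event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
    {
    record_expiry(ans);
    }

event dns_AAAA_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
    {
    record_expiry(ans);
    }

# On every request, compare against the expiry of the last answer for that name.
event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
    {
    local name = to_lower(query);
    if ( name !in ttl_expiry )
        return;

    local remaining = ttl_expiry[name] - network_time();
    if ( remaining > 0secs )
        NOTICE([$note=Request_Before_TTL_Expired,
                $msg=fmt("%s queried again with %s left on its TTL", name, remaining),
                $conn=c,
                $identifier=cat(c$id$orig_h, name)]);
    }
```

A client that honours its cache should never trigger this; a second query from the same host for the same name well inside the TTL is the case the post is asking to surface.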
