[Bro] Is DNS Query equal to HTTP Host?
anthony.kasza at gmail.com
Thu Feb 13 08:55:34 PST 2014
A connection object is created for a DNS query and a DNS response.
Subsequent connections made utilizing the results of that DNS query have
their own connection objects. You'll have to keep a DNS cache in userland
and watch for connections to the resolved IP address with HTTP host fields
differing from the domain that was resolved in the cache.
On Feb 13, 2014 8:28 AM, "Shaleta Bennett" <shaleta.bennett at gmail.com> wrote:
> Hi, can anyone help me figure out if the dns query is the same as the http
> I've tried doing the following but did not get any output.
> if(c$dns$query == c$http$host)
> #send notice to notice.log
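The approach described in the reply, sketched as a Bro script. This is an added example, not part of the original thread or of Bro's shipped scripts; the module name `HostCheck`, the notice type `Host_Mismatch` and the one-hour cache expiry are assumptions.

```bro
@load base/frameworks/notice
@load base/protocols/dns

module HostCheck;

export {
	# Assumed notice name for this example.
	redef enum Notice::Type += { Host_Mismatch };
}

# Userland DNS cache: resolved address -> names seen resolving to it.
# The 1hr expiry is an assumed value; tune it to the TTLs you observe.
global resolved: table[addr] of set[string] &create_expire=1hr;

function remember(c: connection, ans: dns_answer, a: addr)
	{
	if ( a !in resolved )
		resolved[a] = set();
	# Name on the answer record (may be a CNAME target).
	add resolved[a][to_lower(ans$query)];
	# Name originally asked for, when the base DNS scripts have tracked it.
	if ( c?$dns && c$dns?$query )
		add resolved[a][to_lower(c$dns$query)];
	}

event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
	{ remember(c, ans, a); }

event dns_AAAA_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
	{ remember(c, ans, a); }

event http_header(c: connection, is_orig: bool, name: string, value: string)
	{
	# Header names are delivered upper-cased; only client headers matter here.
	if ( ! is_orig || name != "HOST" )
		return;
	local dst = c$id$resp_h;
	if ( dst !in resolved )
		return;	# no DNS answer seen for this address, nothing to compare
	# Drop an optional ":port" suffix before comparing.
	local host = to_lower(sub(value, /:[0-9]+$/, ""));
	if ( host in resolved[dst] )
		return;
	NOTICE([$note=Host_Mismatch, $conn=c,
	        $msg=fmt("HTTP Host %s sent to %s, which DNS resolved for other names", host, dst),
	        $identifier=cat(dst, host)]);
	}
```

Addresses for which the sensor never saw a DNS answer are skipped rather than flagged, so clients that resolve out of the sensor's view produce no notices.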