[Bro] Using Bro to detect DNS lookups in given timeframe

Seth Hall seth at icir.org
Wed Mar 18 09:57:08 PDT 2015

> On Mar 18, 2015, at 12:28 PM, Hille, Samson <SHille at heartland.com> wrote:
> - Detecting if a network device is looking up over 50 DNS entries in a 1 hour timeframe

There is nothing built in right now, but it would be pretty easy to write a script to do it.  Here’s a quick one...

event bro_init()
	{
	local r1 = SumStats::Reducer($stream="too_much_dns.recursive_requests", $apply=set(SumStats::SUM));
	# The SumStats::create() call and its $name/$epoch/$reducers/$threshold fields were dropped by the archive; reconstructed from the 50-per-hour requirement.
	SumStats::create([$name="too_much_dns",
	                  $epoch=1hr,
	                  $reducers=set(r1),
	                  $threshold=50.0,
	                  $threshold_val(key: SumStats::Key, result: SumStats::Result) =
	                  	{
	                  	return result["too_much_dns.recursive_requests"]$sum;
	                  	},
	                  $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
	                  	{
	                  	local r = result["too_much_dns.recursive_requests"];
	                  	local dur = duration_to_mins_secs(r$end-r$begin);
	                  	local message = fmt("%s did at least %.0f recursive DNS requests in %s", key$host, r$sum, dur);
	                  	print message;
	                  	}]);
	}

event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
	{
	if ( msg$RD )
		SumStats::observe("too_much_dns.recursive_requests", [$host=c$id$orig_h], [$num=1]);
	}

Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
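As an added example (not part of Seth's reply), the same check run offline over an already-written Bro dns.log: count queries with the RD bit set per client in fixed one-hour buckets and report clients that reach 50. The log excerpt is constructed and carries only the columns the check reads; fixed clock-aligned buckets only approximate SumStats epochs, which start when the sumstat is created.

```python
"""Offline equivalent of the SumStats script: per-client count of DNS queries
with RD (recursion desired) set, in 1-hour buckets, over a Bro dns.log."""
from collections import defaultdict

EPOCH_SECONDS = 3600.0   # mirrors $epoch=1hr
THRESHOLD = 50           # mirrors $threshold=50.0 (SumStats fires when the value reaches it)

# Constructed dns.log excerpt in Bro ASCII-writer layout (subset of the real columns):
#  10.0.0.5 sends 60 recursive queries in 30 minutes, 10.0.0.9 sends 60 non-recursive
#  ones, 10.0.0.7 sends a single recursive query.
BUCKET_START = 1426687200.0
SAMPLE_LOG = "#separator \\x09\n#fields\tts\tid.orig_h\tquery\tRD\n" + "\n".join(
    f"{BUCKET_START + i * 30:.6f}\t10.0.0.5\thost{i}.example\tT" for i in range(60)
) + "\n" + "\n".join(
    f"{BUCKET_START + i * 30:.6f}\t10.0.0.9\thost{i}.example\tF" for i in range(60)
) + f"\n{BUCKET_START + 300:.6f}\t10.0.0.7\tone.example\tT\n"


def parse_dns_log(text):
    """Yield one dict per record, naming columns from the #fields header line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))


def recursive_request_counts(text, epoch=EPOCH_SECONDS):
    """Map (client host, bucket start) -> number of queries with RD set."""
    counts = defaultdict(int)
    for row in parse_dns_log(text):
        if row["RD"] == "T":                       # same filter as `if ( msg$RD )`
            bucket = int(float(row["ts"]) // epoch) * epoch
            counts[(row["id.orig_h"], bucket)] += 1
    return counts


def noisy_clients(text, threshold=THRESHOLD):
    """Hosts whose recursive query count in any single bucket reached the threshold."""
    counts = recursive_request_counts(text)
    return sorted({host for (host, _), n in counts.items() if n >= threshold})


if __name__ == "__main__":
    for host in noisy_clients(SAMPLE_LOG):
        print(f"{host} did at least {THRESHOLD} recursive DNS requests in one hour")
```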
