vikrambasu059 at gmail.com
Fri Jul 21 23:26:39 PDT 2017
Am I correct in saying if xyz.com points to a local IP address but a.xyz.com resolves to an external IP address then the notice is generated.
So both site::local_nets and site::local_zones need to be defined externally in local.bro file using redef statements or does Bro automatically do by analysing traffic.
In addition what does defining the private IP address in the networks.cfg in bro/etc folder do ?
From: Azoff, Justin S
Sent: 20 July 2017 12:50 AM
To: Adam Pumphrey
Cc: Vikram Basu; bro at bro.org
Subject: Re: [Bro] detect-external-names.bro
> On Jul 19, 2017, at 3:07 PM, Adam Pumphrey <apumphrey at bricata.com> wrote:
> It checks responses to DNS A record queries for an IP address in the answer that is considered local (based on the Site::local_nets variable), but the resolved DNS name (the query) is not in a local DNS zone (based on the Site::local_zones variable).
> The IP and query locality tests in this script depend on both the Site::local_nets and Site::local_zones variables. If Site::local_zones is populated correctly, this script uses the Site::is_local_name function to see if the queried name belongs to a local DNS zone. Underneath its using a regular expression to match any subdomains of a zone specified in local_zones.
> If the query doesn’t appear to be in a local zone, but the IP in the answer was, the script generates a Notice.
Exactly right. If you haven't already, I would say to just read the script. It's probably one of the most simple, but still useful scripts that ship with bro. Aside from some boilerplate that is common to any script that raises a notice and the event handling, the entire script is just a single if statement:
if ( Site::is_local_addr(a) && # referring to a local host
! Site::is_local_name(ans$query) ) # name isn't in a local zone.
# raise notice here
- Justin Azoff
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Bro