[Bro] Adding dns entry to bro logs
jan.grashoefer at gmail.com
Wed Jul 26 10:21:25 PDT 2017
>> Just thinking out loud, if your DHCP pool isn't too huge, you could do the lookups on some interval and just populate a table that you reference later. Not perfect, but close.
> I was thinking exactly this. You just need some tool written in any language to output a file like
> #fields ip name
> 10.0.0.1 boxone
> 10.0.0.2 otherbox
> 10.0.0.3 thirdbox
> (with tabs and not spaces) and then bro can load that into a table[addr] of string; and you can reference it as often as you need.
Another idea: If you monitor the DHCP traffic with Bro as well, wouldn't
it be possible to react on new leases, do the lookup using "when" and
store that info in the table?
More information about the Bro