[Bro-Dev] dns.bro
Robin Sommer
robin at icir.org
Mon May 2 15:35:10 PDT 2011
As discussed, I'll start going through the scripts in the
policy-scripts-new branch, starting with dns.bro.
I really like the new dns.log, pretty neat!
Two general, DNS-independent, questions first:
- Does a policy/foo.bro script always load all of
policy/foo/*.bro? Would be nice if that was consistent, and
perhaps it already is. :-)
- We should include the new connection$uid in pretty much all
relevant logs.
dns/base.bro:
- There are a number of commented-out "print" statements. Should we
pass this into weird.bro?
- The script activates the binpac analyzer. Do we want to remove the
"classic" C++ analyzer?
- There's a TODO about the EDNS/TSIG. What's the problem?
- The reply handlers check for "ans$answer_type == DNS_ANS", but
there are also options dns_skip_all_auth/dns_skip_all_addl in
bro.init? Can we get rid of one of the two ways (I'd say the
latter)?
- The reply handlers are all almost identical. How about
refactoring that code into a function called by them all?
- The comment in connection_state_remove() seems misleading: this
is the only place that logs anything, right?
Watislat_ctveusd or
- om o te yps n ontsbr dn' semto Do we
want to delete he?
dns/passive-replication.bro
- Can you remind me what the passive replication is for? I thought
I knew but not sure that's matching with the script. :-)
- Regarding the TODO: should "recent_requests" be a table[string]
of set[string]?
Robin
--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org