[Bro-Dev] dns.bro
Will
baxterw3232 at gmail.com
Fri May 6 11:28:32 PDT 2011
Are these new scripts going to have Seth's 'dns-ext.bro'
included/merged or is this re-write changing the base dns.bro
altogether?
On Mon, May 2, 2011 at 6:35 PM, Robin Sommer <robin at icir.org> wrote:
> As discussed, I'll start going through the scripts in the
> policy-scripts-new branch, starting with dns.bro.
>
> I really like the new dns.log, pretty neat!
>
> Two general, DNS-independent, questions first:
>
> - Does a policy/foo.bro script always load all of
> policy/foo/*.bro? Would be nice if that was consistent, and
> perhaps it already is. :-)
>
> - We should include the new connection$uid in pretty much all
> relevant logs.
>
> dns/base.bro:
>
> - There are a number of commented out "print" statements. Should we
> pass this into weird.bro?
>
> - The script activates the binpac analyzer. Do we want to remove
> the "classic" C++ analyzer?
>
> - There's a TODO about the EDNS/TSIG. What's the problem?
>
> - The reply handlers check for "ans$answer_type == DNS_ANS", but
> there are also options dns_skip_all_auth/dns_skip_all_addl in
> bro.init? Can we get rid of one of the two ways (I'd say the
> latter)?
>
> - The reply handlers are all almost identical. How about
> refactoring that code into a function called by them all?
>
> - The comment in connection_state_remove() seems misleading: this
> is the only place that logs anything, right?
>
> Watislat_ctveusd or
> - om o te yps n ontsbr dn' semto Do we
> want to delete he?
>
> dns/passive-replication.bro
>
> - Can you remind me what the passive replication is for? I thought
> I knew but not sure that's matching with the script. :-)
>
> - Regarding the TODO: should "recent_requests" be a table[string]
> of set[string]?
>
> Robin
>
>
> --
> Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
> ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org