[Bro-Dev] dns.bro

Will baxterw3232 at gmail.com
Fri May 6 11:28:32 PDT 2011


Are these new scripts going to have Seth's 'dns-ext.bro'
included/merged or is this re-write changing the base dns.bro
altogether?



On Mon, May 2, 2011 at 6:35 PM, Robin Sommer <robin at icir.org> wrote:
> As discussed, I'll start going through the scripts in the
> policy-scripts-new branch, starting with dns.bro.
>
> I really like the new dns.log, pretty neat!
>
> Two general, DNS-independent, questions first:
>
>    - Does a policy/foo.bro script always load all of
>    policy/foo/*.bro? Would be nice if that was consistent, and
>    perhaps it already is. :-)
>
>    - We should include new connection$uid into pretty much all
>      relevant logs.
>
> dns/base.bro:
>
>    - There are number of commented out "print" statements. Should we
>      pass this into weird.bro?
>
>    - The script activates the binpac analyzer. Do we want to remove
>      "classic" C++ analyzer?
>
>    - There's a TODO about the EDNS/TSIG. What's the problem?
>
>    - The reply handlers check for "ans$answer_type == DNS_ANS", but
>      there are also options dns_skip_all_auth/dns_skip_all_addl in
>      bro.init? Can we get rid of one of the two ways (I'd say the
>      latter)?
>
>    - The reply handlers are all almost identical. How about
>      refactoring that code into a function called by them all?
>
>    - The comment in connection_state_remove() seems misleading: this
>      is the only place that logs anything, right?
>
>    - What is last_active used for?
>
>    - Some of the types in const.bro don't seem to ... Do we
>      want to delete them?
>
> dns/passive-replication.bro
>
>    - Can you remind me what the passive replication is for? I thought
>    I knew but not sure that's matching with the script. :-)
>
>    - Regarding the TODO: should "recent_requests" be a table[string]
>    of set[string]?
>
> Robin
>
>
> --
> Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
> ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org

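Two of the review points above (collapsing the near-identical `*_reply` handlers into one shared function, and keying `recent_requests` as a `table[string] of set[string]`) are easier to judge with a sketch in front of you. The following is an added illustration written for this page, not code from dns.bro, dns-ext.bro or passive-replication.bro; the function name `log_answer`, the `recent_requests` expiry and the `print` output format are assumptions, while the event signatures, the `dns_answer` fields and `DNS_ANS` are the ones the Bro core exports.

```bro
# Added illustration (not from the thread's scripts): one shared
# function that every RR-type reply handler delegates to, and a
# recent_requests table keyed on query name that holds the set of
# reply strings seen for that name. log_answer and the expiry
# interval are assumed names/values.

module DNS;

# Hypothetical: reply strings recently seen per query name.
global recent_requests: table[string] of set[string] &write_expire = 5 min;

# Common logic for all *_reply events. Only answer-section records are
# kept; authority and additional records are dropped here in script
# land, so dns_skip_all_auth / dns_skip_all_addl need not be relied on.
function log_answer(c: connection, msg: dns_msg, ans: dns_answer, reply: string)
	{
	if ( ans$answer_type != DNS_ANS )
		return;

	if ( ans$query !in recent_requests )
		recent_requests[ans$query] = set();

	add recent_requests[ans$query][reply];

	# Connection uid first, as the review asks for in all relevant logs.
	print fmt("%s %s qtype=%d -> %s (ttl %s)",
	          c$uid, ans$query, ans$qtype, reply, ans$TTL);
	}

event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
	{
	log_answer(c, msg, ans, fmt("%s", a));
	}

event dns_AAAA_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
	{
	log_answer(c, msg, ans, fmt("%s", a));
	}

event dns_CNAME_reply(c: connection, msg: dns_msg, ans: dns_answer, name: string)
	{
	log_answer(c, msg, ans, name);
	}

event dns_MX_reply(c: connection, msg: dns_msg, ans: dns_answer, name: string, preference: count)
	{
	log_answer(c, msg, ans, fmt("%d %s", preference, name));
	}
```

Each handler shrinks to a one-line call, so the DNS_ANS check and any future filtering live in exactly one place; the `set[string]` value type means a name that resolves to several addresses or MX hosts keeps all of them without duplicates, which is what a passive-replication view of the answers needs.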


More information about the bro-dev mailing list