[Bro-Dev] DNS TXT Queries and the Cache File

Vlad Grigorescu vladg at cmu.edu
Tue Oct 30 09:49:54 PDT 2012


Sorry for the huge delay in getting this out there - it just fell on the back burner.

I've put my code up at <https://github.com/grigorescu/bro/tree/topic/vladg/dns_txt_queries>. The changes weren't terribly significant. It adds lookup_hostname_txt:

> when (local result = lookup_hostname_txt("733a48a9cb49651d72fe824ca91e8d00.malware.hash.cymru.com"))
>     print result;

Please let me know if anyone sees any issues. There is a save TXT function, but there is no capability to read the data back from a file, as I mentioned. If someone wants to take a stab at getting that working properly, please feel free. Otherwise, let me know and I'll remove the save function.

Thanks,

  --Vlad


On Aug 30, 2012, at 11:38 AM, Robin Sommer <robin at icir.org> wrote:

> Cool, thanks for working on this, Vlad.
> 
> On Thu, Aug 30, 2012 at 05:04 -0500, you wrote:
> 
>> As the previous poor soul to touch that code, I wouldn't mind looking at 
>> what you've got so far and then attempting to add the caching support.
> 
> If the caching is tricky to get in (or makes the code even worse ...),
> we can indeed skip it. The main reason for having the caching at all
> is DNS names embedded in scripts (e.g., code of the form "set[addr] =
> { foo.bar }"). Bro looks these up once at startup and that can
> potentially take a while if there are a lot or responses are coming in
> slowly. So what one can do is "prime" the cache first, so that the
> next time Bro starts up, it doesn't need to do the lookups. That was
> more important in the Old Days though when people restarted Bro once a
> day to flush state and that had to be fast.
> 
> This is all not relevant to TXT records. And, in fact, I've already
> been wondering if we can get rid of the cache altogether to simplify
> the DNS code.
> 
> Robin
> 
> -- 
> Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
> ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
> _______________________________________________
> bro-dev mailing list
> bro-dev at bro-ids.org
> http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
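
The following Python is an added example, not code from the post or from Bro: it builds the kind of query name passed to `lookup_hostname_txt` above from a file hash, and validates a TXT answer before it is treated as a verdict. The answer format (`<epoch seconds> <detection percent>`), the acceptance of SHA-1 digests, and all function names are assumptions; the sample values are constructed.

```python
import hashlib
import re
from datetime import datetime, timezone

MHR_ZONE = "malware.hash.cymru.com"  # zone taken from the query in the post
# MD5 (32 hex chars) or SHA-1 (40 hex chars); SHA-1 support is an assumption.
HEX_DIGEST = re.compile(r"[0-9a-f]{32}|[0-9a-f]{40}")
# Assumed answer shape: "<epoch seconds> <detection percent>".
ANSWER = re.compile(r"(\d{1,10}) (\d{1,3})", re.ASCII)


def mhr_query_name(digest):
    """Build the name to request a TXT record for, rejecting non-hash input.

    Refusing anything but a bare hex digest keeps stray dots or labels
    (for example a hostname pasted by mistake) out of the DNS query.
    """
    digest = digest.strip().lower()
    if not HEX_DIGEST.fullmatch(digest):
        raise ValueError("expected an MD5 or SHA-1 hex digest")
    return f"{digest}.{MHR_ZONE}"


def parse_mhr_txt(txt):
    """Return {'last_seen', 'detection_rate'} or None.

    None covers both "no TXT record" and any answer that does not fit the
    assumed shape, so unrelated or malformed TXT data is never a verdict.
    """
    if not txt:
        return None
    match = ANSWER.fullmatch(txt.strip().strip('"'))
    if match is None:
        return None
    epoch, rate = int(match.group(1)), int(match.group(2))
    if rate > 100:
        return None
    return {
        "last_seen": datetime.fromtimestamp(epoch, tz=timezone.utc),
        "detection_rate": rate,
    }


if __name__ == "__main__":
    # Constructed inputs: a made-up payload and made-up TXT answers.
    print(mhr_query_name(hashlib.md5(b"constructed sample").hexdigest()))
    print(parse_mhr_txt("1351615794 42"))
    print(parse_mhr_txt(None))           # no record for this hash
    print(parse_mhr_txt("v=spf1 -all"))  # unrelated TXT content is rejected
```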



