[Bro-Dev] [JIRA] (BIT-1122) topic/jsiwek/dns-improvements

Jon Siwek (JIRA) jira at bro-tracker.atlassian.net
Thu Jan 30 15:37:58 PST 2014

    [ https://bro-tracker.atlassian.net/browse/BIT-1122?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15309#comment-15309 ] 

Jon Siwek commented on BIT-1122:

I just pushed another commit on this branch containing a rewrite of the query-reply state tracking and matching logic.  It now relies on the "dns_end" event to pair messages and log them.  The old way of tracking the number of resource records seen versus the total number declared in the reply message is too unreliable in many cases.

> topic/jsiwek/dns-improvements
> -----------------------------
>                 Key: BIT-1122
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1122
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Jon Siwek
>            Assignee: Seth Hall
>             Fix For: 2.3
> This branch is in bro, bro-testing, and bro-testing-private repos.
> - Fixes incorrect parsing of DNS message format for messages with empty question sections.
> - Changes dns.log to only include standard queries (opcode == 1).
> - Adds "dns_unknown_reply" event for RR types that Bro doesn't know how to parse, which improves accuracy of request-reply pair matching performed by the default DNS scripts.

This message was sent by Atlassian JIRA
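As an added illustration that is not code from the Bro project or from anyone in this thread: the Python script below simulates the two pairing strategies the comment contrasts. `pair_by_rr_count` logs a query/reply pair only when the number of resource records it managed to parse equals the total the reply header declares, so a single RR of a type the parser does not understand leaves that pair waiting forever. `pair_on_end` treats the end of the reply message as the pairing signal, the role "dns_end" plays in the new branch, and logs the pair regardless of what the RR sections contained. The parser also copes with a reply whose question section is empty (QDCOUNT == 0), the other bug the branch description mentions. The flow tuple, transaction IDs, names, the choice of RR type 65 as "unknown", and the sample messages are all constructed for this example; the opcode filter uses RFC 1035 numbering, where a standard query is opcode 0.

```python
import struct
from dataclasses import dataclass, field
KNOWN_RR_TYPES = {1: "A", 5: "CNAME", 28: "AAAA"}  # decodable types; anything else is "unknown"

@dataclass
class DnsMsg:
    id: int
    qr: int
    opcode: int
    rcode: int
    counts: tuple             # (QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT) from the header
    question: tuple = None    # (name, qtype, qclass), or None when QDCOUNT == 0
    known_rrs: list = field(default_factory=list)    # (name, type, rdata)
    unknown_rrs: list = field(default_factory=list)  # (name, type, rdlength)

def _read_name(buf: bytes, off: int) -> tuple:
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = buf[off]
        if (length & 0xC0) == 0xC0:   # compression pointer, RFC 1035 4.1.4
            end = off + 2 if not jumped else end
            off, jumped = struct.unpack_from("!H", buf, off)[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) or ".", (end if jumped else off)

def parse_dns(buf: bytes) -> DnsMsg:
    """Parse the header, a possibly empty question section, and every RR."""
    id_, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", buf, 0)
    msg = DnsMsg(id_, flags >> 15, (flags >> 11) & 0xF, flags & 0xF, (qd, an, ns, ar))
    off = 12
    # QDCOUNT == 0 means there is no question to read; reading one anyway eats the first RR.
    for _ in range(qd):
        name, off = _read_name(buf, off)
        qtype, qclass = struct.unpack_from("!HH", buf, off)
        off += 4
        msg.question = msg.question or (name, qtype, qclass)
    for _ in range(an + ns + ar):
        name, off = _read_name(buf, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        rdata, off = buf[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype in KNOWN_RR_TYPES:
            msg.known_rrs.append((name, rtype, rdata))
        else:  # skipped by RDLENGTH so parsing stays in sync, but still recorded
            msg.unknown_rrs.append((name, rtype, rdlen))
    return msg

def pair_by_rr_count(stream):
    """Old strategy: log only once parsed RRs equal the header's declared total."""
    pending, log = {}, []
    for flow, raw in stream:
        m = parse_dns(raw)
        if m.opcode != 0:             # RFC 1035: opcode 0 is a standard QUERY
            continue
        key = (flow, m.id)
        if m.qr == 0:
            pending[key] = m
        elif key in pending and len(m.known_rrs) == sum(m.counts[1:]):
            log.append((pending.pop(key).question, m.rcode))
    return log, list(pending)         # logged pairs, queries stuck waiting forever

def pair_on_end(stream):
    """New strategy: the end of the reply message is the signal to pair and log."""
    pending, log = {}, []
    for flow, raw in stream:
        m = parse_dns(raw)
        if m.opcode != 0:
            continue
        key = (flow, m.id)
        if m.qr == 0:
            pending[key] = m
        else:  # pair even if some RRs were undecodable or the reply has no question
            q = pending.pop(key, None)
            log.append(((q or m).question, m.rcode, len(m.unknown_rrs)))
    return log, list(pending)

def build_msg(id_: int, flags: int, question, rrs) -> bytes:
    """Serialise a message for the constructed sample below (no name compression)."""
    def enc(n):
        return b"".join(bytes([len(l)]) + l.encode() for l in n.split(".")) + b"\x00"
    out = struct.pack("!HHHHHH", id_, flags, 1 if question else 0, len(rrs), 0, 0)
    out += enc(question[0]) + struct.pack("!HH", *question[1:]) if question else b""
    for name, rtype, rdata in rrs:
        out += enc(name) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return out

# Constructed sample traffic on one flow: two transactions.
FLOW = ("192.0.2.10", 53)
Q1 = build_msg(0x1234, 0x0100, ("example.com", 1, 1), [])
R1 = build_msg(0x1234, 0x8180, ("example.com", 1, 1),   # one A record + unknown type 65
               [("example.com", 1, bytes([192, 0, 2, 1])), ("example.com", 65, b"\x00\x01\x00")])
Q2 = build_msg(0x5678, 0x0100, ("bad.example", 1, 1), [])
R2 = build_msg(0x5678, 0x8181, None, [])                 # FORMERR reply with QDCOUNT == 0
STREAM = [(FLOW, Q1), (FLOW, R1), (FLOW, Q2), (FLOW, R2)]
```

Running `pair_by_rr_count(STREAM)` logs only the second transaction and reports the first as still pending, because the type-65 record is never counted; `pair_on_end(STREAM)` logs both, carrying the number of undecoded RRs alongside the pair so the log still records that something was skipped.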