[Bro] Questions about Bro's DNS Parser
Seth Hall
hall.692 at osu.edu
Sat Feb 6 23:09:43 PST 2010
On Feb 7, 2010, at 2:00 AM, Vern Paxson wrote:
>> The problem is, even with the -C option, some packets that have error
>> codes such as "Server Failure" or "No Such Name Exists" are not being
>> logged in the DNS log file.
>
> Ah - this rings a bell. I believe Seth has a fix for this problem (and
> in general a reworked dns.bro), which would be great to incorporate into
> the next Bro release. I'll let him comment further.
I do have a dns-ext.bro script in my github repository. I even
recently fixed it so that it's actually functional now! :)
http://github.com/sethhall/bro_scripts/blob/master/dns-ext.bro
I don't know if this will correct the problem you're having or not,
but it's worth a try.
It outputs logs like this in "full" mode...
ts orig_h orig_p resp_h resp_p proto query_type query_class query transaction_id ttl flags error replies
1232039460.39003 161.58.49.99 5654 128.146.1.7 53 udp A C_INTERNET ns1.net.ohio-state.edu bf08 3600 {} NOERROR 0 {128.146.48.7, 128.146.1.21, 128.146.1.7}
1232039460.39091 161.58.49.99 1968 128.146.1.7 53 udp A C_INTERNET ns2.net.ohio-state.edu e04e 3600 {} NOERROR 0 {128.146.48.7, 128.146.1.21, 128.146.1.7}
1232039460.87 66.148.163.50 21468 140.254.37.68 53 udp A C_INTERNET a744.g.akamai.net 2fd6 20 {} NOERROR 0 {72.246.30.81, 72.246.30.73}
and like this in "minimal" query-only mode...
ts orig_h query_type query
1232039460.39003 161.58.49.99 A ns1.net.ohio-state.edu
1232039460.39091 161.58.49.99 A ns2.net.ohio-state.edu
1232039460.87 66.148.163.50 A a744.g.akamai.net
.Seth
---
Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721
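The following is an added example, written for this page and not code from dns-ext.bro or the Bro project: a small Python parser for the "full" mode log format shown in the message, with a helper that re-renders an entry in the "minimal" query-only format and a filter that picks out responses whose error column is anything other than NOERROR (the case the original poster was missing). It tokenizes the whitespace-delimited columns while keeping each {...} set as one field. Note that the sample lines in the message carry one more column than the header names (a 0 between error and replies); the parser keeps such unnamed columns in an extra list rather than guessing what they mean. The sample log embeds the message's three entries re-joined onto single lines plus one constructed NXDOMAIN entry; the spelling of that rcode is an assumption, not taken from the page.

```python
import re
from dataclasses import dataclass

# Column names taken from the "full" mode header in the message above.
FULL_HEADER = ("ts orig_h orig_p resp_h resp_p proto query_type query_class "
               "query transaction_id ttl flags error replies").split()

# A {...} set is one token even though its members are separated by ", ";
# every other field is whitespace-delimited.
_TOKEN = re.compile(r"\{[^}]*\}|\S+")


@dataclass
class DnsLogEntry:
    ts: str            # kept as logged so it can be re-emitted verbatim
    orig_h: str
    orig_p: int
    resp_h: str
    resp_p: int
    proto: str
    query_type: str
    query_class: str
    query: str
    transaction_id: str
    ttl: int
    flags: list
    error: str
    replies: list
    extra: list        # unnamed columns between 'error' and 'replies'


def parse_set(tok):
    """Turn '{a, b, c}' into ['a', 'b', 'c'] and '{}' into []."""
    inner = tok.strip("{}").strip()
    return [x.strip() for x in inner.split(",")] if inner else []


def parse_full_line(line):
    toks = _TOKEN.findall(line.strip())
    if len(toks) < len(FULL_HEADER):
        raise ValueError("expected at least %d columns, got %d: %r"
                         % (len(FULL_HEADER), len(toks), line))
    # The first 13 tokens are the named columns through 'error'; the final
    # token is the replies set; anything in between is kept but not named.
    (ts, orig_h, orig_p, resp_h, resp_p, proto, qtype, qclass, query,
     txid, ttl, flags, error) = toks[:13]
    return DnsLogEntry(
        ts=ts, orig_h=orig_h, orig_p=int(orig_p), resp_h=resp_h,
        resp_p=int(resp_p), proto=proto, query_type=qtype,
        query_class=qclass, query=query, transaction_id=txid, ttl=int(ttl),
        flags=parse_set(flags), error=error, replies=parse_set(toks[-1]),
        extra=toks[13:-1],
    )


def parse_full_log(text):
    """Parse a whole log: skips blank lines and the 'ts ...' header line."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.split()[0] == "ts":
            continue
        entries.append(parse_full_line(line))
    return entries


def to_minimal(entry):
    """Render an entry in the 'minimal' query-only format from the message."""
    return " ".join([entry.ts, entry.orig_h, entry.query_type, entry.query])


def responses_with_errors(entries):
    """Entries whose response code is anything other than NOERROR."""
    return [e for e in entries if e.error != "NOERROR"]


# Sample input: the three entries from the message, each re-joined onto a
# single line, plus one CONSTRUCTED NXDOMAIN entry (not from the page; the
# exact spelling Bro uses for that rcode is an assumption here).
SAMPLE_LOG = """\
ts orig_h orig_p resp_h resp_p proto query_type query_class query transaction_id ttl flags error replies
1232039460.39003 161.58.49.99 5654 128.146.1.7 53 udp A C_INTERNET ns1.net.ohio-state.edu bf08 3600 {} NOERROR 0 {128.146.48.7, 128.146.1.21, 128.146.1.7}
1232039460.39091 161.58.49.99 1968 128.146.1.7 53 udp A C_INTERNET ns2.net.ohio-state.edu e04e 3600 {} NOERROR 0 {128.146.48.7, 128.146.1.21, 128.146.1.7}
1232039460.87 66.148.163.50 21468 140.254.37.68 53 udp A C_INTERNET a744.g.akamai.net 2fd6 20 {} NOERROR 0 {72.246.30.81, 72.246.30.73}
1232039461.12 161.58.49.99 40012 128.146.1.7 53 udp A C_INTERNET nosuch.example.net 1a2b 0 {} NXDOMAIN 0 {}
"""

if __name__ == "__main__":
    for e in parse_full_log(SAMPLE_LOG):
        print(to_minimal(e), "error=%s replies=%d" % (e.error, len(e.replies)))
```

One thing the minimal format makes visible: it carries only ts, orig_h, query_type and query, so the error column is gone and an NXDOMAIN or SERVFAIL response renders exactly like a successful lookup. Anyone relying on the log to spot failing resolutions needs the full-mode output.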