[Bro] Incorporating dns_response in dns_request
Will
baxterw3232 at gmail.com
Wed Mar 16 11:17:03 PDT 2011
Hello All,
Below is my event for dns_request in my site specific dns.bro policy.
It currently creates a notice.log entry (and eventually an email alert)
when any internal host does a look up for a domain in our
hostile_domain_list.
Example:
'172.x.x.x queried 'very.bad.org' @ 2011-03-16-12:41:13.560817003 (EST)'
The only thing missing from this is the returned IP address, if one was
returned.
Current Function (with zone transfer logic removed for brevity):
event dns_request(c: connection, msg: dns_msg, query: string, qtype: count,
                  qclass: count)
    {
    local id = c$id;
    local orig = id$orig_h;
    local resp = id$resp_h;
    local session = lookup_DNS_session(c, msg$id);
    local anno = DNS_query_annotation(c, msg, query, qtype, F);
    local report = fmt("%.06f #%d %s", network_time(), session$id,
                       c$id$orig_h);
    local q: string;

    # Hosts allowed to look up anything are skipped entirely.
    if ( orig in okay_to_lookup_sensitive_hosts )
        return;

    if ( logging )
        print dns_log, fmt("%s", report);

    # Check to see if this is a host or MX lookup for a designated
    # hostile domain.
    local subq = second_level_domain(query);
    if ( check_domain_list && (query_types[qtype] == "A" ||
         query_types[qtype] == "MX") && subq in hostile_domain_list )
        {
        if ( subq in hostile_domain_list[subq] ||
             third_level_domain(query) in hostile_domain_list[subq] )
            NOTICE([$note=SensitiveDNS_Lookup, $conn=c,
                    $msg=fmt("%s queried '%s' @ %T (EST)", id$orig_h, query,
                             network_time())]);
        }

    # Book-keeping carried over from the stock dns.bro handler.
    session$pending_queries[msg$id] = anno;
    session$last_active = network_time();
    }
I have tried to incorporate code from some of the other functions like
creating a local drr variable and passing that to the function, but haven't
had any luck.
Something like this:
function insert_name(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
    {
    local drr: dns_response_record;
    ...
    }
So, I guess my question is, is there a way to evaluate a DNS query along
with its corresponding response and return an IP address in this same event?
I assume this may be a 'no' if each is handled completely independently.
Thanks for listening...err...reading!
Will
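One way to get the answering address into the notice, as an added example that is neither the poster's script nor Bro's own dns.bro: let dns_request record the hostile query, keyed by the two endpoints and the DNS transaction id, and let dns_A_reply look that key up when the answer arrives. The reply carries the same msg$id the client sent, and because it travels on the same UDP "connection" c$id$orig_h is still the internal client. The site-specific names hostile_domain_list, second_level_domain(), third_level_domain(), query_types, check_domain_list and the SensitiveDNS_Lookup notice are taken from the post above; the HostileDNS_Answer notice, the hostile_pending table and the is_hostile() helper are introduced here, and the event signatures are the Bro 1.5-era ones.

```bro
# Added example, not code from the post or from Bro's dns.bro.
# Assumes the site-specific definitions used in the post:
#   hostile_domain_list  - table[string] of set[string]
#   second_level_domain(), third_level_domain(), query_types, check_domain_list
#   SensitiveDNS_Lookup  - notice type already declared in the site policy

# New notice type for "hostile query that actually got an answer".
redef enum Notice += { HostileDNS_Answer };

# Hostile queries still waiting for an answer, keyed by client, server and
# DNS transaction id. The entry expires by itself if no reply is ever seen
# (NXDOMAIN, timeout, or a reply Bro missed).
global hostile_pending: table[addr, addr, count] of string &create_expire = 1 min;

# Same membership test as the post, factored out so both handlers agree.
function is_hostile(query: string): bool
    {
    local subq = second_level_domain(query);
    if ( subq !in hostile_domain_list )
        return F;
    return subq in hostile_domain_list[subq] ||
           third_level_domain(query) in hostile_domain_list[subq];
    }

event dns_request(c: connection, msg: dns_msg, query: string, qtype: count,
                  qclass: count)
    {
    if ( ! check_domain_list )
        return;
    if ( query_types[qtype] != "A" && query_types[qtype] != "MX" )
        return;
    if ( ! is_hostile(query) )
        return;

    # Raised at query time, as before, even if no answer ever follows.
    NOTICE([$note=SensitiveDNS_Lookup, $conn=c,
            $msg=fmt("%s queried '%s' @ %T (EST)", c$id$orig_h, query,
                     network_time())]);

    # Keep the original query text: with a CNAME chain the A record that
    # comes back is owned by a different name than the one the client asked for.
    hostile_pending[c$id$orig_h, c$id$resp_h, msg$id] = query;
    }

event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
    {
    # Only answers that match a recorded query on the same endpoints and
    # transaction id are reported; a stray reply from elsewhere does not match.
    if ( [c$id$orig_h, c$id$resp_h, msg$id] !in hostile_pending )
        return;

    local query = hostile_pending[c$id$orig_h, c$id$resp_h, msg$id];

    NOTICE([$note=HostileDNS_Answer, $conn=c,
            $msg=fmt("%s queried '%s' (answer RR %s) -> %s, TTL %s @ %T (EST)",
                     c$id$orig_h, query, ans$query, a, ans$TTL,
                     network_time())]);

    # Not deleted here on purpose: one response can carry several A records,
    # and each one fires dns_A_reply; the table entry ages out on its own.
    }
```

Two things to keep in mind when wiring this into a site policy: IPv6 answers arrive through dns_AAAA_reply, whose parameter list differs between Bro versions, so add a second handler rather than assuming the same signature; and if one notice per query (rather than one per returned address) is wanted, delete the hostile_pending entry in dns_A_reply after the first match, accepting that only the first address in the answer section is then reported.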