[Bro] Incorporating dns_response in dns_request

Seth Hall seth at icir.org
Thu Mar 17 12:17:35 PDT 2011


On Mar 16, 2011, at 2:17 PM, Will wrote:

> So, I guess my question is, is there a way to evaluate a DNS query along with its corresponding response and return an IP address in this same event?
> 
> I assume this may be a 'no' if each is handled completely independently.

You're right, each is handled independently.  If you check my github repository, there is a dns-ext.bro script[1], but it has memory trouble on live traffic.  If you still want to test it though, it does what you want by tying the request and response(s) together.

You could write code like this if you load the dns-ext script:

# dns_ext fires once per DNS transaction, after dns-ext.bro has tied the
# request to its response(s). The handler only gets the conn_id and the
# session record, so the fields must come from di, not from the
# dns_request parameters (qtype, query, c) used in the original script.
event dns_ext(id: conn_id, di: dns_ext_session_info)
	{
	local subq = second_level_domain(di$query);
	# check_domain_list and hostile_domain_list are assumed to be defined by
	# the script being extended; di$qtype is assumed to carry the query type.
	if ( check_domain_list && (query_types[di$qtype] == "A" || query_types[di$qtype] == "MX") && subq in hostile_domain_list )
		{
		if ( subq in hostile_domain_list[subq] || third_level_domain(di$query) in hostile_domain_list[subq] )
			# No connection record is available here, so pass the conn_id instead.
			NOTICE([$note=SensitiveDNS_Lookup, $id=id, $msg=fmt("%s queried '%s' @ %T (EST) and the responses were: %s", id$orig_h, di$query, network_time(), di$replies)]);
		}
	}

This is very similar to one of the techniques we'll likely have in the next release for extension of shipped scripts, but that code above should do everything you were looking to do in the script you emailed.

Have fun!
  .Seth

1. https://github.com/sethhall/bro_scripts/blob/master/testing/dns-ext.bro

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
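The request/response pairing discussed above can also be done without dns-ext.bro by keeping a table of outstanding queries keyed on the connection and the DNS transaction id. This is an added example, not Seth's script or part of the Bro distribution; it assumes the Bro 1.5 signatures of dns_request, dns_A_reply and dns_end, and the hostile_domain_list contents and SensitiveDNS_Lookup notice are constructed placeholders.

```bro
# Added example: tie each DNS query to its A-record replies inside Bro.
@load dns

redef enum Notice += { SensitiveDNS_Lookup };

# Constructed sample watch list; replace with the real one.
const hostile_domain_list: set[string] = { "bad.example" } &redef;

type pending_query: record {
	query: string;
	qtype: count;
	answers: set[addr];
};

# Outstanding queries, indexed by connection and DNS transaction id.
# Entries that never see a response are dropped after 30 seconds so the
# table cannot grow without bound on live traffic.
global pending: table[conn_id, count] of pending_query &write_expire = 30 secs;

event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
	{
	pending[c$id, msg$id] = [$query=query, $qtype=qtype, $answers=set()];
	}

# Collect every A answer belonging to the matching request.
event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
	{
	if ( [c$id, msg$id] in pending )
		add pending[c$id, msg$id]$answers[a];
	}

# dns_end fires once the whole DNS message has been processed, so at this
# point the query and all of its replies are available together.
event dns_end(c: connection, msg: dns_msg)
	{
	if ( [c$id, msg$id] !in pending )
		return;

	local pq = pending[c$id, msg$id];
	if ( pq$query in hostile_domain_list )
		NOTICE([$note=SensitiveDNS_Lookup, $conn=c,
		        $msg=fmt("%s queried '%s' and the answers were: %s",
		                 c$id$orig_h, pq$query, pq$answers)]);

	delete pending[c$id, msg$id];
	}
```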