[Bro] Incorporating dns_reponse in dns_request

Will baxterw3232 at gmail.com
Thu Mar 17 12:31:38 PDT 2011


Thanks Seth.

I will let you know how it works for us. I can understand how it could
strain system resources attempting to correlate the events in real time. It
will also be interesting to see how it will react on a domain that is
sinkhole'd. Our spam appliance, for example, will retry the query 8-10 times
until it gives up on domains we have sunk.

Will


On Thu, Mar 17, 2011 at 3:25 PM, Seth Hall <seth at icir.org> wrote:

>
> On Mar 17, 2011, at 3:17 PM, Seth Hall wrote:
>
> >       if ( check_domain_list && (query_types[qtype] == "A" || query_types[qtype] == "MX") && subq in hostile_domain_list )
>
> Oops, almost complete.  The above should be...
>
>        if ( check_domain_list && (query_types[di$qtype] == "A" || query_types[di$qtype] == "MX") && subq in hostile_domain_list )
>
>  .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
>