[Bro] Problem with QR field in dns log

Sheharbano Khattak sheharbano.k at gmail.com
Tue Apr 10 23:30:43 PDT 2012


Dear Bro Team,

I was working with some DNS logs and wanted to look at the total number of DNS
MX queries and responses. I used the usual bro-cut/awk/sort/uniq commands
and it turned out that there are absolutely no DNS responses within the log. I
know that this is not true, and confirmed via tshark.

I looked at the script /base/protocols/dns.bro. In the definition of what goes
into the log, the entry says

    ## Whether the message is a query (F) or response (T).
    QR:            bool               &log &default=F;

which sounds good. But it seems that QR has not been assigned a value
anywhere in the rest of the code, therefore the default value F is
displayed whether it's a query or a response. Maybe QR should become 'T' in
all the dns_reply(AA/MX/....) events in the script.

Regards,

-- 
Sheharbano Khattak

http://etheryell.com
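A check for the symptom described in this report, as an added example that is not part of the original post: it parses a Bro-style dns.log (a constructed sample with only a subset of the real fields and made-up uids), tallies the QR column for MX records the way the bro-cut/sort/uniq pipeline does, and flags rows whose QR says "query" while response-only fields (rcode_name, answers) are populated.

```python
from collections import Counter

# Constructed sample in Bro's tab-separated log format (not a real capture);
# the field subset and uid values are made up for illustration.
SAMPLE_DNS_LOG = (
    "#separator \\x09\n"
    "#unset_field\t-\n"
    "#path\tdns\n"
    "#fields\tts\tuid\tquery\tqtype_name\trcode_name\tQR\tanswers\n"
    "#types\ttime\tstring\tstring\tstring\tstring\tbool\tvector[string]\n"
    "1334096000.1\tuid1\texample.com\tMX\t-\tF\t-\n"
    "1334096000.2\tuid1\texample.com\tMX\tNOERROR\tF\tmail.example.com\n"
    "1334096001.0\tuid2\texample.org\tA\t-\tF\t-\n"
    "1334096001.1\tuid2\texample.org\tA\tNOERROR\tF\t93.184.216.34\n"
)


def parse_bro_log(text):
    """Return one dict per data row, keyed by the names in the #fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue  # other '#' header lines carry no records
        if fields is None:
            raise ValueError("data row before #fields header")
        rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def count_by_qr(rows, qtype_name):
    """Tally the QR column for one query type (what bro-cut | sort | uniq -c shows)."""
    return Counter(r["QR"] for r in rows if r["qtype_name"] == qtype_name)


def qr_inconsistent(rows):
    """Rows logged as queries (QR=F) that nonetheless carry response data.

    This is the symptom described in the report: QR keeps its default of F
    even on rows that clearly came from a reply.
    """
    return [r for r in rows
            if r["QR"] == "F" and (r["rcode_name"] != "-" or r["answers"] != "-")]
```

On the constructed sample both MX rows count as "F" and two rows are flagged as inconsistent, which is exactly the "no responses at all" result the pipeline produced.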