[Bro] Problem with QR field in dns log

Seth Hall seth at icir.org
Sun Apr 15 19:58:01 PDT 2012


On Apr 11, 2012, at 2:30 AM, Sheharbano Khattak wrote:

> I looked at script /base/protocols/dns.bro. In the definition of what goes into the log, the entry says
> ## Whether the message is a query (F) or response (T).
>         QR:            bool               &log &default=F;

Hah!  Nice catch.  That QR field should have been removed before the release.  The "log unit" that the DNS log represents is a query and its set of responses so the QR dns flag doesn't even make sense to be there. :)

I just committed a patch to our fastpath branch which will be merged into the master branch soon.

To answer your larger question, just search for MX in the qtype_name field (or 15 in the type field).  Each line represents a query and the responses received to the query so most of what you're looking for should be there.  Check the field documentation to understand the fields better and please ask if the documentation isn't clear.
	http://www.bro-ids.org/documentation/scripts/base/protocols/dns/main.html?highlight=dns%20main#type-DNS::Info

Thanks!
  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
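One way to apply the filter Seth describes, matching MX in qtype_name or the numeric value 15 in the type column, over a small Bro dns.log. This is an added example, not code from the thread or from the Bro project. The #fields header and column names (including a `qtype` column for the numeric type) are an assumption based on the Bro 2.0 dns.log layout, and the log lines, uids and addresses are constructed for the example.

```python
"""Parse Bro's tab-separated ASCII log format and pick out MX lookups.

Added example, not part of the mailing-list thread. The excerpt below is
constructed; the column names assume the Bro 2.0 dns.log header.
"""

# Constructed dns.log excerpt. The first line is literally "#separator \x09"
# in a real Bro log, so the backslash is escaped here.
SAMPLE_DNS_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tdns\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\t"
    "trans_id\tquery\tqclass\tqclass_name\tqtype\tqtype_name\trcode\t"
    "rcode_name\tQR\tAA\tTC\tRD\tRA\tZ\tanswers\tTTLs\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tcount\tstring\t"
    "count\tstring\tcount\tstring\tcount\tstring\tbool\tbool\tbool\tbool\t"
    "bool\tcount\tvector[string]\tvector[interval]\n"
    "1334000001.000000\tCXWv6p3arKYeMETxOg\t192.0.2.10\t52001\t192.0.2.53\t53\t"
    "udp\t1001\texample.com\t1\tC_INTERNET\t15\tMX\t0\tNOERROR\tF\tF\tF\tT\tT\t0\t"
    "mail.example.com\t3600.000000\n"
    "1334000002.000000\tC4J4Th3PJpwUYZZ6gc\t192.0.2.10\t52002\t192.0.2.53\t53\t"
    "udp\t1002\texample.com\t1\tC_INTERNET\t1\tA\t0\tNOERROR\tF\tF\tF\tT\tT\t0\t"
    "192.0.2.80\t300.000000\n"
    "1334000003.000000\tCmES5u32sYpV7JYN\t192.0.2.11\t52003\t192.0.2.53\t53\t"
    "udp\t1003\texample.org\t1\tC_INTERNET\t15\tMX\t3\tNXDOMAIN\tF\tF\tF\tT\tT\t0\t"
    "-\t-\n"
    "#close\t2012-04-11-02-30-00\n"
)


def parse_bro_log(text):
    """Yield one dict per data line, keyed by the names in the #fields header.

    Header lines start with '#'; the ones we care about are #fields (column
    names) and #unset_field (the marker for a missing value, '-' by default).
    Unset values are returned as None so callers do not mistake '-' for data.
    """
    fields = None
    unset = "-"
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition("\t")
            if key == "fields":
                fields = value.split("\t")
            elif key == "unset_field":
                unset = value
            continue
        if fields is None:
            raise ValueError("data line appeared before the #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("expected %d columns, got %d" % (len(fields), len(values)))
        yield {k: (None if v == unset else v) for k, v in zip(fields, values)}


def mx_queries(text):
    """Return (query, rcode_name, answers) for every MX lookup in the log.

    Matches either qtype_name == "MX" or the numeric type 15, which is the
    same check Seth suggests. Each dns.log line already bundles the query
    with its responses, so answers come straight from the 'answers' column
    (a comma-separated vector, or unset when the server returned nothing).
    """
    results = []
    for rec in parse_bro_log(text):
        if rec["qtype_name"] == "MX" or rec["qtype"] == "15":
            answers = [] if rec["answers"] is None else rec["answers"].split(",")
            results.append((rec["query"], rec["rcode_name"], answers))
    return results


if __name__ == "__main__":
    for query, rcode, answers in mx_queries(SAMPLE_DNS_LOG):
        print("%s\t%s\t%s" % (query, rcode, ",".join(answers) or "(no answers)"))
```

The parser reads the column names from the #fields line rather than hard-coding positions, so it keeps working if a field such as QR is dropped from the log in a later release.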