[Bro] reverse DNS based on bro's forward DNS query log

Seth Hall seth at icir.org
Thu Aug 23 08:15:23 PDT 2012


On Aug 23, 2012, at 10:48 AM, Stephane Chazelas <stephane.chazelas at gmail.com> wrote:

> $ tail -1 dns.log
> 1345732627.030897       jUJU3ZwGOv4     x.x.x.x      54866   x.x.x.x   53      udp     44687   static.ak.facebook.com  1       C_INTERNET      1       A       0       NOERROR F     F
>        F       T       T       0       static.ak.facebook.com.edgesuite.net,a749.dsw4.akamai.net,84.53.132.80,84.53.132.88     3364.000000,348.000000,15.000000,15.000000
> 
> $ dig -x 84.53.132.88 +short
> static.ak.facebook.com.C-EU.120823T143707.

That's cool!  Definitely send along anything you can.  I'm sure that quite a few people will be interested in this (I am).  

In 2.2 we should have some database logging framework writer plugins so we might be able to remove your script eventually and have Bro send these logs directly to the database.

Yet another cool Bro thing!  You're on a roll today.

FYI, the mailing list address is bro at bro-ids.org now.  The old lbl.gov address was deprecated a while ago.

 .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
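One way to turn that forward-query log into a passive reverse lookup, as an added example (not Stephane's script and not Bro's own code): it assumes the Bro 2.1 dns.log column order shown in the quoted record, with the redacted addresses replaced by constructed placeholders.

```python
"""Passive reverse DNS built from a Bro dns.log (tab-separated, Bro 2.1 layout)."""
import ipaddress
from collections import defaultdict

# Column order of the Bro 2.1 dns.log, assumed from the record quoted above.
FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "proto", "trans_id", "query", "qclass", "qclass_name", "qtype",
          "qtype_name", "rcode", "rcode_name", "QR", "AA", "TC", "RD", "RA", "Z",
          "answers", "TTLs"]

def parse_record(line):
    """Split one dns.log line into a dict; returns None for header/comment lines."""
    if not line or line.startswith("#"):
        return None
    values = line.rstrip("\n").split("\t")
    if len(values) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, values))
    rec["answers"] = [] if rec["answers"] == "-" else rec["answers"].split(",")
    rec["TTLs"] = [] if rec["TTLs"] == "-" else [float(t) for t in rec["TTLs"].split(",")]
    return rec

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def build_reverse_map(lines):
    """Map each answered IP to the names that resolved to it: the name the client
    actually asked for plus every CNAME hop in the same answer set."""
    rmap = defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["rcode_name"] != "NOERROR":
            continue
        names = [rec["query"]] + [a for a in rec["answers"] if not _is_ip(a)]
        for ip in (a for a in rec["answers"] if _is_ip(a)):
            rmap[ip].update(names)
    return {ip: sorted(names) for ip, names in rmap.items()}

# Constructed sample: the record from the thread with the redacted hosts replaced
# by private placeholder addresses (10.0.0.5 / 10.0.0.1) and tab-separated fields.
SAMPLE = ["\t".join(["1345732627.030897", "jUJU3ZwGOv4", "10.0.0.5", "54866", "10.0.0.1",
                     "53", "udp", "44687", "static.ak.facebook.com", "1", "C_INTERNET",
                     "1", "A", "0", "NOERROR", "F", "F", "F", "T", "T", "0",
                     "static.ak.facebook.com.edgesuite.net,a749.dsw4.akamai.net,84.53.132.80,84.53.132.88",
                     "3364.000000,348.000000,15.000000,15.000000"])]

if __name__ == "__main__":
    for ip, names in build_reverse_map(SAMPLE).items():
        print(ip, "<-", ", ".join(names))
```

Unlike `dig -x`, this returns the name the client queried rather than whatever PTR the CDN publishes, which is usually what an analyst wants when reading other Bro logs.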
