[Bro] Additional Records in DNS

Seth Hall seth at icir.org
Wed Jul 10 13:25:24 PDT 2013


On Jul 10, 2013, at 4:04 PM, Chris Crawford <christopher.p.crawford at gmail.com> wrote:

> # scripts/base/protocols/dns/main.bro
>  318 # TODO: figure out how to handle these
>  324 #event dns_EDNS_addl(c: connection, msg: dns_msg, ans: dns_edns_additional)
> 
> Has anyone worked out a way to grab this information from a DNS reply?
> 
> If not, could anyone point me in the right direction so that I can roll my own solution?

The core analyzer part is implemented; the reason that comment is there is that I wasn't exactly sure how I should represent data from those events in the dns.log.

You can handle that event and get the data.  Please get in touch with me if you have ideas or scripts that show how that data could be represented sanely in the dns.log.

thanks,
  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
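One way to do what Seth describes (handle `dns_EDNS_addl` yourself and keep the data out of dns.log until a sane representation is agreed on) is to write the EDNS OPT pseudo-RR fields to a separate log stream. The script below is an added example, not code from this thread or from the Bro distribution; it assumes Bro 2.x script conventions and that the `dns_edns_additional` record carries `payload_size`, `extended_rcode`, `version` and `z` (the 16-bit flags word of the OPT TTL, whose high bit is DNSSEC OK), with `msg$id` being the transaction id. The `EDNSExample` module name, the `Info` record and the `edns.log` path are the example's own choices.

```bro
##! Added example (not from the mailing list thread): log EDNS OPT RR
##! details from dns_EDNS_addl to a separate edns.log instead of dns.log.

@load base/protocols/dns

module EDNSExample;

export {
    redef enum Log::ID += { LOG };

    ## One row per EDNS OPT pseudo-RR seen in a DNS message.
    type Info: record {
        ts:             time    &log;  # when the OPT RR was seen
        uid:            string  &log;  # connection uid, joinable with conn.log/dns.log
        id:             conn_id &log;  # 4-tuple
        trans_id:       count   &log;  # DNS transaction id (msg$id)
        is_query:       bool    &log;  # true for the query side, false for the reply
        payload_size:   count   &log;  # advertised UDP payload size
        extended_rcode: count   &log;  # upper 8 bits of the 12-bit RCODE
        version:        count   &log;  # EDNS version, 0 for RFC 6891
        z:              count   &log;  # raw 16-bit flags word
        do_bit:         bool    &log;  # DNSSEC OK flag (assumed to be bit 15 of z)
    };
}

event bro_init()
    {
    # Creates edns.log alongside the other logs.
    Log::create_stream(LOG, [$columns=Info, $path="edns"]);
    }

event dns_EDNS_addl(c: connection, msg: dns_msg, ans: dns_edns_additional)
    {
    # Extract the DO bit with integer arithmetic so the script does not
    # depend on bitwise operators (assumption: DO is the top bit of z).
    local dnssec_ok = (ans$z / 32768) % 2 == 1;

    local rec: Info = [$ts=network_time(),
                       $uid=c$uid,
                       $id=c$id,
                       $trans_id=msg$id,
                       $is_query=(ans$is_query != 0),
                       $payload_size=ans$payload_size,
                       $extended_rcode=ans$extended_rcode,
                       $version=ans$version,
                       $z=ans$z,
                       $do_bit=dnssec_ok];

    Log::write(LOG, rec);
    }
```

Load it with `bro -r some.pcap ./edns.bro` (or add it to local.bro) and join edns.log with dns.log on `uid` and `trans_id`. Keeping the fields in their own log avoids widening every dns.log row for the small fraction of traffic that carries an OPT RR, and the raw `z` column preserves whatever reserved bits a resolver sets even if the DO interpretation turns out to be wrong.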