[Bro] Bro and Counting DNS rcodes

Liam Randall liam at broala.com
Thu Nov 7 12:44:27 PST 2013


Connar, are you on 2.1?  There was a bug that has been fixed in the current
code base.

You could also simply summarize the existing dns.log with something like
this:

[bro at new-host-3 dns-ad-bruteforce]$ less dns.log | bro-cut rcode rcode_name | sort | uniq -c | sort -n
     32 - -
   1704 0 NOERROR
   2279 3 NXDOMAIN


The columns are Count / Return Code / Return Code Name.

Thanks,

Liam Randall


On Thu, Nov 7, 2013 at 3:27 PM, Rosebraugh, Connar <
connar.rosebraugh at egov.com> wrote:

>  I am trying to use Bro to count DNS rcodes, but it is returning numbers
> that are not correct. I am using the dns_message() event to collect the DNS
> messages, and I am using a pcap of 5000 packets that are all on port 53.
> After inspecting the packets in wireshark, I found that there were ~600
> query results where rcode == 3. However, after running my script, not only
> did Bro only find 1 rcode == 3, but it only counted 2497 DNS messages. Is
> there something that I am missing?
>
>
>
> Attached is the script that I am using to collect the rcodes. If you see
> some glaring logical error, please let me know.
>
>
>
> Thanks,
>
> Connar Rosebraugh
>
> Intern, Security Operations
>
> NICUSA, Inc.
>
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>



-- 
Liam Randall
Managing Partner
510-281-0760
www.Broala.com <http://www.broala.com/>
From the creators of Bro <http://www.bro.org>
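The bro-cut pipeline above relies on the "#fields" header of dns.log to pick the right columns. As an added example (not part of this thread, and not Bro's own code), here is the same summary done in plain Python: it reads the Bro TSV header, locates "rcode" and "rcode_name" by name, treats the configured "#unset_field" marker ("-") as a missing value, and prints rows in the same Count / Return Code / Return Code Name shape as the sort | uniq -c output. The dns.log content is constructed for the example and uses an abbreviated field set; a real dns.log carries more columns, which the parser ignores.

```python
#!/usr/bin/env python3
"""Summarize DNS rcodes from a Bro-style dns.log (added example, not from the mailing list post)."""
from collections import Counter

# Constructed sample dns.log in Bro's tab-separated log format (abbreviated field set).
# Real logs have many more columns; the parser locates columns by name, so that is fine.
SAMPLE_DNS_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tdns
#fields\tts\tuid\tid.orig_h\tid.resp_h\tquery\trcode\trcode_name
#types\ttime\tstring\taddr\taddr\tstring\tcount\tstring
1383849600.000000\tCXWv6p3arKYeMETxOg\t10.0.0.5\t10.0.0.2\texample.com\t0\tNOERROR
1383849601.000000\tC4J4Th3PJpwUYZZ6gc\t10.0.0.5\t10.0.0.2\tnope.example.com\t3\tNXDOMAIN
1383849602.000000\tCmES5u32sYpV7JYN\t10.0.0.5\t10.0.0.2\talso.example.com\t3\tNXDOMAIN
1383849603.000000\tCUM0KZ3MLUfNB0cl11\t10.0.0.5\t10.0.0.2\tunanswered.example.com\t-\t-
#close\t2013-11-07-12-44-27
"""


def parse_bro_log(text):
    """Yield one dict per data line, keyed by the column names from the #fields header.

    Values equal to the #unset_field marker become None, which is what the
    "- -" rows in the uniq -c output above correspond to.
    """
    fields = None
    unset = "-"  # Bro's default; overridden if the header says otherwise
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition("\t")
            if key == "fields":
                fields = value.split("\t")
            elif key == "unset_field":
                unset = value
            continue
        if fields is None:
            raise ValueError("data line appears before the #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("field count mismatch on line: %r" % line)
        yield {name: (None if val == unset else val) for name, val in zip(fields, values)}


def count_rcodes(text):
    """Return a Counter keyed by (rcode, rcode_name), like `bro-cut rcode rcode_name | sort | uniq -c`."""
    counts = Counter()
    for record in parse_bro_log(text):
        counts[(record["rcode"], record["rcode_name"])] += 1
    return counts


def summarize(text):
    """Format the counts the way `uniq -c | sort -n` prints them: lowest count first."""
    counts = count_rcodes(text)
    rows = sorted(counts.items(), key=lambda kv: (kv[1], kv[0][0] or ""))
    return ["%7d %s %s" % (n, code or "-", name or "-") for (code, name), n in rows]


if __name__ == "__main__":
    for row in summarize(SAMPLE_DNS_LOG):
        print(row)
```

Running it prints three rows for the constructed log: one unset pair, one NOERROR and two NXDOMAIN. Pointing count_rcodes at the contents of a real dns.log gives the same totals bro-cut would, and the None key shows how many logged queries carried no rcode at all.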