[Bro] Correlate DNS request/response with TCP/UDP connections
Jason Trost
jason.trost at gmail.com
Thu Oct 10 03:50:21 PDT 2013
Is there a good way to correlate DNS requests/responses with subsequent
TCP/UDP connections using Bro (in realtime)? With how my tap is configured
I can see the client's DNS request/response and all their traffic. I want
to be able to combine their DNS request (if there is one) with the
corresponding TCP/UDP following it. For my use case I need this to be done
in realtime (not later by simply doing a JOIN). So, I am interested in a
single log entry with DNS request/response AND connection info.
It seems like this should be possible by basically doing the following:
dns_response.dst_ip == conn.src_ip AND
conn.dst_ip == dns_response.answer_ip AND
(conn.timestamp - dns_response.timestamp) < THRESHOLD
Has anyone done this? Any guidance would be greatly appreciated.
Thanks,
--Jason
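The match Jason sketches (DNS client == connection originator, connection responder is one of the answer IPs, connection starts within a threshold of the answer) as a streaming correlator. This is an added example in Python, not code from the post or from Bro; the THRESHOLD value, the event field names and the sample event stream are all constructed for illustration.

```python
"""Real-time correlation of DNS answers with the TCP/UDP connections that follow.

Added example, not code from the original post or from Bro: it implements the
three-part match the post describes (DNS client == connection originator,
connection responder is one of the answer IPs, connection starts within
THRESHOLD seconds of the answer) as a streaming correlator that can be fed
DNS responses and connection events in timestamp order.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple

THRESHOLD = 5.0  # assumed: max seconds between DNS answer and connection start


@dataclass
class DnsResponse:
    ts: float
    client: str         # destination of the response, i.e. the host that asked
    query: str
    answers: List[str]  # A/AAAA answer IPs


@dataclass
class Conn:
    ts: float
    src: str
    dst: str
    proto: str
    dport: int


class DnsConnCorrelator:
    """Index recent DNS answers by (client, answer_ip); join new connections against it."""

    def __init__(self, threshold: float = THRESHOLD) -> None:
        self.threshold = threshold
        # (client, answer_ip) -> responses that named answer_ip, oldest first
        self._index: Dict[Tuple[str, str], Deque[DnsResponse]] = defaultdict(deque)

    def on_dns(self, r: DnsResponse) -> None:
        for ip in r.answers:
            self._index[(r.client, ip)].append(r)

    def _expire(self, key: Tuple[str, str], now: float) -> None:
        q = self._index.get(key)
        if q is None:
            return
        while q and now - q[0].ts > self.threshold:
            q.popleft()
        if not q:
            del self._index[key]

    def prune(self, now: float) -> None:
        """Drop every stale answer; call periodically so unused keys do not pile up."""
        for key in list(self._index):
            self._expire(key, now)

    def on_conn(self, c: Conn) -> Optional[dict]:
        """Return the joined record if a fresh answer explains this connection, else None."""
        key = (c.src, c.dst)
        self._expire(key, c.ts)
        q = self._index.get(key)
        if not q:
            return None
        # Newest answer not later than the connection (events arrive in time order,
        # so q[-1] normally qualifies; the scan guards against clock skew).
        for r in reversed(q):
            if r.ts <= c.ts:
                return {
                    "ts": c.ts, "src": c.src, "dst": c.dst, "proto": c.proto,
                    "dport": c.dport, "query": r.query, "dns_ts": r.ts,
                    "delay": round(c.ts - r.ts, 3),
                }
        return None


def correlate(events, threshold: float = THRESHOLD):
    """Feed a time-ordered mix of DnsResponse/Conn events; return (joined, unmatched_conns)."""
    corr = DnsConnCorrelator(threshold)
    joined, unmatched = [], []
    for ev in events:
        if isinstance(ev, DnsResponse):
            corr.on_dns(ev)
            continue
        rec = corr.on_conn(ev)
        if rec:
            joined.append(rec)
        else:
            unmatched.append(ev)
    return joined, unmatched


# Constructed sample stream (not captured traffic): one lookup followed by a
# matching connection, a direct-to-IP connection with no lookup, a lookup with
# two answers, and a connection that arrives after the threshold has passed.
SAMPLE_EVENTS = [
    DnsResponse(100.0, "10.0.0.5", "example.com", ["93.184.216.34"]),
    Conn(100.3, "10.0.0.5", "93.184.216.34", "tcp", 443),   # joined
    Conn(100.4, "10.0.0.6", "93.184.216.34", "tcp", 443),   # other client: no lookup seen
    Conn(100.5, "10.0.0.5", "8.8.8.8", "udp", 53),          # no answer named 8.8.8.8
    DnsResponse(200.0, "10.0.0.7", "cdn.example.net", ["203.0.113.10", "203.0.113.11"]),
    Conn(201.0, "10.0.0.7", "203.0.113.11", "tcp", 443),    # joined via second answer
    Conn(206.0, "10.0.0.7", "203.0.113.10", "tcp", 80),     # 6 s later: past THRESHOLD
]

if __name__ == "__main__":
    joined, unmatched = correlate(SAMPLE_EVENTS)
    for rec in joined:
        print(rec)
    print(f"{len(unmatched)} connection(s) without a preceding DNS answer")
```

Two points the sample stream brings out: a connection is left unmatched both when the client never asked (direct-to-IP, or a stub-resolver cache hit the tap cannot see) and when the answer is older than the threshold, so the "if there is one" in the question has to be handled explicitly rather than assumed. The same state, a table indexed by (client address, answer address) with entries expiring a few minutes after creation, is what the equivalent Bro script would keep between its DNS-reply and connection events.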