[Bro] Correlate DNS request/response with TCP/UDP connections
Seth Hall
seth at icir.org
Thu Oct 10 05:33:23 PDT 2013
On Oct 10, 2013, at 6:50 AM, Jason Trost <jason.trost at gmail.com> wrote:
> dns_response.dst_ip == conn.src_ip AND
> conn.dst_ip == dns_response.answer_ip AND
> (conn.timestamp - dns_response.timestamp) < THRESHOLD
>
> Has anyone done this? Any guidance would be greatly appreciated.
Are you running a cluster? This type of problem is one of the hardest to solve in distributed analysis.
Otherwise if you are running a single node then it should be fairly easy. I *think* you would essentially want to create a 2-tuple set with a short timeout.
    # (client addr, answered addr) pairs; entries expire 2s after creation
    global watch_for_connections: set[addr, addr] = {} &create_expire=2secs;
You would fill out that set in one or more DNS event handlers and then check to see if any connections are being made in a connection_established handler.
Again though, if you are running a cluster this is a really hard problem.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
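The single-node approach Seth sketches, written out as a complete Bro script. This is an added example, not code from the thread or from the Bro project: the module name, the set name, the 2-second window (standing in for THRESHOLD from the question) and the use of print for output are my own choices. The DNS client is the originator of the query connection, so each A/AAAA answer is recorded as (c$id$orig_h, answered address); new_connection is used instead of connection_established so UDP flows are matched as well as TCP. On a cluster this state lives per worker, so a DNS reply seen by one worker will not be matched against a connection seen by another, which is the problem Seth warns about.

```bro
# Added example (not from the original thread): correlate DNS answers with
# the connections that follow them on a single Bro node.
# Assumed/hypothetical names: module, set name and the 2s window are mine.
module DNSConnCorrelate;

export {
    ## DNS-client address -> answered address pairs we expect to connect soon.
    ## Entries expire 2 seconds after creation (the THRESHOLD from the question).
    global watch_for_connections: set[addr, addr] = {} &create_expire=2secs;
}

# Record each A answer: the DNS client (originator of the query) may
# connect to the answered address shortly.
event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
    {
    add watch_for_connections[c$id$orig_h, a];
    }

# Same for AAAA answers.
event dns_AAAA_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
    {
    add watch_for_connections[c$id$orig_h, a];
    }

# new_connection fires for the first packet of every flow (TCP and UDP),
# so check whether (client, server) matches a recent DNS answer here.
# The entry is deleted after the first match so only the first connection
# following the answer is reported.
event new_connection(c: connection)
    {
    if ( [c$id$orig_h, c$id$resp_h] in watch_for_connections )
        {
        print fmt("%s connected to %s within 2s of resolving it (uid %s)",
                  c$id$orig_h, c$id$resp_h, c$uid);
        delete watch_for_connections[c$id$orig_h, c$id$resp_h];
        }
    }
```

Run it with `bro -r trace.pcap correlate.bro` against a capture containing DNS lookups followed by connections; in production you would replace the print with a NOTICE or a custom log stream, and if several connections per answer should be matched, drop the delete and rely on the &create_expire timeout alone.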