[Bro] Correlate DNS request/response with TCP/UDP connections

anthony kasza anthony.kasza at gmail.com
Thu Oct 10 21:09:13 PDT 2013


I think Seth meant &create_expire. But yeah, this is totally possible if
you're running a single node/standalone mode. You could also use something
like

type DNSqr: record {
    query: string;
    asking_host: addr;
};
# Top-level declarations need "global" (or "const") in Bro script.
global dns_query_cache: table[addr] of DNSqr &create_expire=2secs;

where the dns_query_cache is indexed by answer addresses (the a value in
dns_A_reply events).

-AK


On Thu, Oct 10, 2013 at 5:33 AM, Seth Hall <seth at icir.org> wrote:

>
> On Oct 10, 2013, at 6:50 AM, Jason Trost <jason.trost at gmail.com> wrote:
>
> >    dns_response.dst_ip == conn.src_ip AND
> >     conn.dst_ip == dns_response.answer_ip AND
> >     (conn.timestamp - dns_response.timestamp) < THRESHOLD
> >
> > Has anyone done this?  Any guidance would be greatly appreciated.
>
>
> Are you running a cluster?  This type of problem is one of the hardest to
> solve on distributed analysis.
>
> Otherwise if you are running a single node then it should be fairly easy.
>  I *think* you would essentially want to create a 2-tuple set with a short
> timeout.
>
> global watch_for_connections: set[addr, addr] = {} &create_timeout=2secs;
>
> You would fill out that set in one or more DNS event handlers and then
> check to see if any connections are being made in a connection_established
> handler.
>
> Again though, if you are running a cluster this is a really hard problem.
>
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
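Putting Seth's 2-tuple set and AK's record table together as one standalone-mode script, added here as an illustration (it is not code from the thread or from the Bro project); the module name, the notice type and the 2-second answer_lifetime are my assumptions.

```bro
@load base/frameworks/notice

module DNSConnCorrelate;

export {
    redef enum Notice::Type += {
        ## A host connected to an address it had just received in a DNS A answer.
        Connection_Followed_DNS_Answer,
    };

    ## How long an A answer stays eligible for matching (the thread's THRESHOLD).
    const answer_lifetime = 2secs &redef;

    type DNSqr: record {
        query: string;     ## name that was resolved
        answered_at: time; ## when the answer was seen
    };

    ## Keyed by [asking host, answer address]; entries vanish after answer_lifetime.
    ## The table lives on a single node, so this only works in standalone mode,
    ## which is exactly the cluster caveat raised in the thread.
    global dns_query_cache: table[addr, addr] of DNSqr
        &create_expire=answer_lifetime;
}

event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
    {
    # c$id$orig_h is the client that asked; a is one answer address. The event
    # fires once per A record, so a multi-answer response populates several keys.
    dns_query_cache[c$id$orig_h, a] = [$query=ans$query, $answered_at=network_time()];
    }

event connection_established(c: connection)
    {
    local src = c$id$orig_h;
    local dst = c$id$resp_h;

    # No recent answer for this (asker, destination) pair: nothing to correlate.
    if ( [src, dst] !in dns_query_cache )
        return;

    local qr = dns_query_cache[src, dst];
    NOTICE([$note=Connection_Followed_DNS_Answer,
            $msg=fmt("%s connected to %s %s after resolving %s",
                     src, dst, network_time() - qr$answered_at, qr$query),
            $conn=c]);
    }
```

Connections to an address that was never answered, or answered to a different host, produce no notice, so a lookup made by one client does not get credited to another.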