[Bro] Fwd: BRO: DNS TTL
Shaleta Bennett
shaleta.bennett at gmail.com
Wed Feb 12 11:09:59 PST 2014
Hi, I would like to detect if DNS Request for a host occurred before the
TTL expired for that particular host. I gave it try but it doesn't work. My
code is below. Can anyone help me with this or tell me what I am
doing wrong?
Thanks,
Shaleta
---------- Forwarded message ----------
From: Shaleta Bennett <shaleta.bennett at gmail.com>
Date: Tue, Feb 11, 2014 at 8:31 PM
Subject: BRO: DNS TTL
To: bro at bro.org
Hi, I am trying to detect if a dns request is made before its TTL has
expired. For example, if I make a request to www.example.com and I
immediately make another request towww.example.com before the TTL is up, I
would like to see a notice for this. The code below compiles without errors
but I am not getting any notice for the example explained above. I think
there may be an issue with the TTL vector. I would like to store it in a
vector the same way I did for dnsTime and dnsQuery. However, TTLs is
already a vector of interval. Do you have any suggestions after viewing the
code below? Thanks.
redef enum Notice:: Type+= {DetectDNSTTL}
global dnsTime: time;
global dnsQuery: string;
global dsnTTL: vector of interval;
global dnsTimeVector: vector of time;
global dnsQueryVector: vector of string;
global dnsTTLVector: vector of interval;
event dns_request (c:connection, msg: dns_msg, query: string, qtype: count,
qclass: count)
{
dnsTime = c$dns$ts;
dnsQuery = c$dns$query;
dnsTTL = c$dns$TTLs;
dnsTimeVector = vector(dnsTime);
dnsQueryVector = vector(dnsQuery);
#save vector TTLs in dnsTTLVector
for (j in dnsTTL)
{
dnsTTLVector = vector(dnsTTL[j]);
}
#check if query is already in vector
for (i in dnsQueryVector)
{
if (dnsQuery == dnsQueryVector[i])
{
#Calculate the TTL expiration by adding the dns request TTL and time
local ttlExpiration = dnsTTLVector[i] + dnsTimeVector[i];
#Send a notice if dns request time is less than TTL expiration time
if (dnsTime <= ttlExpiration )
{
NOTICE([$note = DetectDNSTTL,
$msg = "DNS Request occurred before TTL expired",
$conn = c] );
}
}
}
}
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140212/aa0118af/attachment.html
More information about the Bro
mailing list