[Bro] Additional Records in DNS

Chris Crawford christopher.p.crawford at gmail.com
Wed Feb 12 13:44:22 PST 2014


I finally got around to giving this a try on Bro 2.2, but it looks like
dns_EDNS_addl is still unimplemented.

Nothing happens if I try the old script from earlier in this thread:
event dns_EDNS_addl(c: connection, msg: dns_msg, ans: dns_edns_additional){
        print c$uid;
}

To make things simpler, I tried this:
event dns_EDNS_addl(c: connection, msg: dns_msg, ans: dns_edns_additional){
        print "Additional";
}


Nothing happens with either script.

I would be happy to take a stab at implementing this myself.  I'm OK with
writing some C or some C++, but I'm not really familiar with how something
in Bro scriptland ultimately ends up calling code in the compiled part of
bro.

I ran a grep over the bro 2.2 code base for dns_EDNS_addl, and these files
seem to be the most promising candidates for where I'd need to add some of
my own code to get this function implemented:

src/analyzer/protocol/dns/events.bif
src/analyzer/protocol/dns/DNS.cc
build/src/analyzer/protocol/dns/events.bif.init.cc
build/src/analyzer/protocol/dns/events.bif.h
build/src/analyzer/protocol/dns/events.bif.cc


Am I on the right track?

If anybody has implemented one of these functions before, would you be
willing to share any tips on what your process was? (i.e. which files did
you have to modify, where did you put your logic, did you use any special
compiler flags to recompile your changes, etc)

Also - does anybody have any pointers on how data flows between the
compiled part of bro and scriptland?

-Chris


On Fri, Jul 12, 2013 at 11:09 AM, Seth Hall <seth at icir.org> wrote:

>
> On Jul 12, 2013, at 11:05 AM, Chris Crawford <
> christopher.p.crawford at gmail.com> wrote:
>
> > Did the core analyzer part get implemented in an update on git after v
> 2.1?
>
> I don't know.  I thought those events were implemented, but perhaps not.
>  It might be worthwhile looking through the analyzer itself to see if they
> are.
>
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>
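For readers following the thread who want to see what an EDNS(0) "additional record" actually carries on the wire (the data a dns_EDNS_addl event would eventually hand to scriptland), here is an added example that is not part of the original thread or of the Bro source: a small Python parser that walks a DNS message, skips the question and answer sections (following name-compression pointers), and decodes the OPT pseudo-RR from the additional section per RFC 6891. The sample message is constructed for the example; the field names (payload_size, extended_rcode, version, do, z) are chosen to follow RFC 6891 terminology and are not asserted to match Bro's record layout.

```python
"""Decode the EDNS(0) OPT pseudo-RR from the additional section of a DNS message.

Added example, not part of the Bro code base. The OPT RR (RFC 6891) overloads
the fixed RR header: CLASS carries the requestor's UDP payload size and TTL is
split into extended RCODE (8 bits), EDNS version (8 bits), DO bit and Z bits.
"""
import struct

OPT_TYPE = 41  # RFC 6891 OPT pseudo-RR type code


def read_name(msg: bytes, off: int):
    """Return (name, offset after the name); follows RFC 1035 compression pointers."""
    labels = []
    jumped = False
    end = off
    hops = 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            if not jumped:
                end = off + 2  # the caller continues after the pointer, not the target
            jumped = True
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_rr(msg: bytes, off: int):
    """Parse one resource record header plus RDATA; returns (rr dict, next offset)."""
    name, off = read_name(msg, off)
    rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
    off += 10
    rdata = msg[off:off + rdlen]
    if len(rdata) != rdlen:
        raise ValueError("truncated RDATA")
    return {"name": name, "type": rtype, "class": rclass, "ttl": ttl, "rdata": rdata}, off + rdlen


def parse_edns_opt(rr: dict) -> dict:
    """Reinterpret an OPT RR's CLASS/TTL fields and split RDATA into (code, data) options."""
    ttl = rr["ttl"]
    options = []
    data, pos = rr["rdata"], 0
    while pos < len(data):
        if pos + 4 > len(data):
            raise ValueError("truncated EDNS option header")
        code, olen = struct.unpack_from("!HH", data, pos)
        pos += 4
        if pos + olen > len(data):
            raise ValueError("truncated EDNS option data")
        options.append((code, data[pos:pos + olen]))
        pos += olen
    return {
        "payload_size": rr["class"],            # requestor's max UDP payload size
        "extended_rcode": (ttl >> 24) & 0xFF,   # upper 8 bits of the 12-bit RCODE
        "version": (ttl >> 16) & 0xFF,          # EDNS version, 0 for EDNS(0)
        "do": (ttl >> 15) & 1,                  # DNSSEC OK bit
        "z": ttl & 0x7FFF,                      # reserved, must be zero
        "options": options,
    }


def edns_additional(msg: bytes) -> list:
    """Return the decoded OPT records found in the additional section of msg."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    _id, _flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    for _ in range(an + ns):
        _, off = parse_rr(msg, off)
    found = []
    for _ in range(ar):
        rr, off = parse_rr(msg, off)
        if rr["type"] == OPT_TYPE:
            if rr["name"] != "":
                raise ValueError("OPT RR must use the root name")
            found.append(parse_edns_opt(rr))
    return found


# Constructed sample: a response for example.com/A with one answer (name compressed
# via pointer 0xC00C) and an OPT RR advertising a 4096-byte payload, DO=1, one NSID option.
SAMPLE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
    + b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0x00008000, 7)
    + struct.pack("!HH", 3, 3) + b"ns1"
)

if __name__ == "__main__":
    print(edns_additional(SAMPLE))
```

Running it against SAMPLE yields one OPT record with payload_size 4096, the DO bit set and a single NSID option; a message without an OPT RR in the additional section yields an empty list, which is the case a handler should expect to be common.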