[Bro] Is DNS Query equal to HTTP Host?
anthony kasza
anthony.kasza at gmail.com
Thu Feb 13 08:55:34 PST 2014
A connection object is created for a DNS query and a DNS response.
Subsequent connections made utilizing the results of that DNS query have
their own connection objects. You'll have to keep a DNS cache in userland
and watch for connections to the resolved IP address with HTTP host fields
differing from the domain that was resolved in the cache.
-AK
On Feb 13, 2014 8:28 AM, "Shaleta Bennett" <shaleta.bennett at gmail.com>
wrote:
> Hi, can anyone help me figure out if the DNS query is the same as the HTTP
> host?
>
> I've tried doing the following but did not get any output.
>
> if(c$dns$query == c$http$host)
> {
>
> #send notice to notice.log
> }
>
>
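
An added example, not part of the original thread: one way to write the DNS cache described in the reply as a Bro script that remembers which names resolved to each address and raises a notice when a later HTTP request to that address carries a different Host header. The module name `DNSHostCheck`, the notice type `Host_Mismatch`, the table `resolved` and the helper `remember` are hypothetical names chosen here; it assumes the default base DNS, HTTP and notice scripts are loaded.

```bro
module DNSHostCheck;

export {
    redef enum Notice::Type += {
        ## Host header names a domain never seen resolving to the server IP.
        Host_Mismatch
    };
}

# Userland DNS cache: answer address -> lower-cased names seen resolving to it.
# Entries expire so that stale mappings do not accumulate.
global resolved: table[addr] of set[string] &create_expire=1 hr;

function remember(c: connection, ans: dns_answer, a: addr)
    {
    if ( a !in resolved )
        resolved[a] = set();
    # Owner name of the address record (the CNAME target when a chain is followed).
    add resolved[a][to_lower(ans$query)];
    # Name the client originally asked for, tracked by the base DNS script.
    if ( c?$dns && c$dns?$query )
        add resolved[a][to_lower(c$dns$query)];
    }

event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
    { remember(c, ans, a); }

event dns_AAAA_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
    { remember(c, ans, a); }

event http_header(c: connection, is_orig: bool, name: string, value: string)
    {
    # Header names arrive upper-cased; only the client's Host header matters.
    if ( ! is_orig || name != "HOST" )
        return;
    local server = c$id$resp_h;
    # No lookup observed for this address (cached elsewhere, or a bare-IP request).
    if ( server !in resolved )
        return;
    # Drop an optional ":port" suffix before comparing.
    local host = sub(to_lower(value), /:[0-9]+$/, "");
    if ( host !in resolved[server] )
        NOTICE([$note=Host_Mismatch, $conn=c,
                $msg=fmt("HTTP Host %s was not among names resolved to %s", host, server)]);
    }
```

Shared hosting and CDNs put many names behind one address, so a notice only means the Host value was not among the names this sensor saw resolve to that address within the expiry window.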