[Bro] Additional Records in DNS

Siwek, Jonathan Luke jsiwek at illinois.edu
Thu Feb 13 13:45:54 PST 2014


On Feb 12, 2014, at 3:44 PM, Chris Crawford <christopher.p.crawford at gmail.com> wrote:

> I finally got around to giving this a try on bro 2.2, but it looks like dns_EDNS_addl is still unimplemented.

It’s not integrated in the default DNS script, but the DNS parser does seem like it can generate that event.

> Am I on the right track?

It’s not clear from your original email if you actually need EDNS support (a particular type of resource record) or just to get the stuff from the Authority and Additional sections of a DNS reply?  

If it’s the latter, looking at scripts/policy/protocols/dns/auth-addl.bro may help (if it doesn’t already do exactly what you want).  You’ll see the trick about that script is the redefs of “dns_skip_all_auth” and “dns_skip_all_addl” — by default Bro will skip parsing Authority/Additional sections (for “performance reasons” I suppose) unless explicitly told not to.

- Jon
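
The redefs described in the reply above, as an added example that is not part of the original thread and is not the contents of auth-addl.bro: a minimal Bro 2.2-style script that turns on Authority/Additional parsing and prints what shows up there. The helper `section_name` and the output format are assumptions made for illustration.

```bro
# Added example, not code from the thread or from auth-addl.bro.

# Both constants default to T, which makes the DNS analyzer skip the
# Authority and Additional sections of replies.
redef dns_skip_all_auth = F;
redef dns_skip_all_addl = F;

# Hypothetical helper: map dns_answer$answer_type to a section label
# using the DNS_* section constants defined in init-bare.bro.
function section_name(t: count): string
    {
    if ( t == DNS_ANS )
        return "ANSWER";
    if ( t == DNS_AUTH )
        return "AUTHORITY";
    if ( t == DNS_ADDL )
        return "ADDITIONAL";
    return "OTHER";
    }

# With the redefs in place, record events such as dns_A_reply also fire
# for records in the Authority and Additional sections (e.g. glue).
event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
    {
    if ( ans$answer_type == DNS_ANS )
        return;  # only report the sections that are skipped by default

    print fmt("%s %s %s A %s TTL=%s", c$uid, section_name(ans$answer_type),
              ans$query, a, ans$TTL);
    }

# The EDNS OPT pseudo-record travels in the Additional section. The default
# DNS script does not handle this event, so a handler has to be written.
event dns_EDNS_addl(c: connection, msg: dns_msg, ans: dns_edns_additional)
    {
    print fmt("%s EDNS version=%s payload_size=%s", c$uid, ans$version,
              ans$payload_size);
    }
```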



