[Bro] Additional Records in DNS

Chris Crawford christopher.p.crawford at gmail.com
Fri Feb 14 10:07:03 PST 2014


scripts/policy/protocols/dns/auth-addl.bro is exactly what I was looking
for.  Thanks!


On Thu, Feb 13, 2014 at 4:45 PM, Siwek, Jonathan Luke
<jsiwek at illinois.edu> wrote:

>
> On Feb 12, 2014, at 3:44 PM, Chris Crawford <
> christopher.p.crawford at gmail.com> wrote:
>
> > I finally got around to giving this a try on bro 2.2, but it looks like
> > dns_EDNS_addl is still unimplemented.
>
> It's not integrated in the default DNS script, but the DNS parser does
> seem like it can generate that event.
>
> > Am I on the right track?
>
> It's not clear from your original email if you actually need EDNS support
> (a particular type of resource record) or just to get the stuff from the
> Authority and Additional sections of a DNS reply?
>
> If it's the latter, looking at scripts/policy/protocols/dns/auth-addl.bro
> may help (if it doesn't already do exactly what you want).  You'll see the
> trick about that script is the redefs of "dns_skip_all_auth" and
> "dns_skip_all_addl" -- by default Bro will skip parsing Authority/Additional
> sections (for "performance reasons" I suppose) unless explicitly told not
> to.
>
> - Jon
>
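
The two redefs mentioned in the reply above, shown in a small standalone script. This is an added example, not part of the thread and not the shipped auth-addl.bro. It is written against the Bro 2.x script API, and the printed output format is an assumption chosen for illustration.

```bro
# Added example (not from the thread or from Bro's own scripts).
@load base/protocols/dns

# By default the DNS analyzer skips the Authority and Additional sections,
# so per-record events fire only for answer-section records. Turning both
# flags off makes the parser raise events for those sections as well.
redef dns_skip_all_auth = F;
redef dns_skip_all_addl = F;

# NS records in the Authority section: the servers a reply delegates to.
event dns_NS_reply(c: connection, msg: dns_msg, ans: dns_answer, name: string)
	{
	# answer_type tells which section of the message this record came from.
	if ( ans$answer_type != DNS_AUTH )
		return;

	print fmt("%s id=%d authority NS %s -> %s (ttl %s)",
	          c$uid, msg$id, ans$query, name, ans$TTL);
	}

# A records in the Additional section: typically glue for the NS names above.
event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
	{
	if ( ans$answer_type != DNS_ADDL )
		return;

	print fmt("%s id=%d additional A %s -> %s (ttl %s)",
	          c$uid, msg$id, ans$query, a, ans$TTL);
	}

# Same check for AAAA glue.
event dns_AAAA_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
	{
	if ( ans$answer_type != DNS_ADDL )
		return;

	print fmt("%s id=%d additional AAAA %s -> %s (ttl %s)",
	          c$uid, msg$id, ans$query, a, ans$TTL);
	}
```

With both redefs removed, the same handlers stay silent, because records outside the answer section never reach them.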