[Bro] How filter machine name registration?
Vito Logrillo
vitologrillo at gmail.com
Tue Oct 28 00:59:47 PDT 2014
I've tried your solution without any result.
Below you can see the Bro script that I've used:
-----Script.bro----
# Additional records are only parsed by the DNS analyzer when this is F
# (the setting Seth recommended below).
redef dns_skip_all_addl = F;

# Defines the optional DNS::Info$addl field that c$dns$addl refers to.
@load protocols/dns/auth-addl

module Scriptlog;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:     time        &log;
        orig_h: addr        &log;
        orig_p: port        &log;
        resp_h: addr        &log;
        resp_p: port        &log;
        addl:   set[string] &log;
    };

    global Scriptlog_Log: event(rec: Info);
}

event bro_init() &priority=5
{
    Log::create_stream(Scriptlog::LOG, [$columns = Info, $ev = Scriptlog_Log]);
}

event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count) &priority=5
{
    if ( msg$num_addl != 0 )
    {
        # c$dns$addl is &optional and is only filled in by auth-addl.bro from
        # reply records, so it must be tested with ?$ before it is read;
        # reading an unset optional field is what produces the reporter error.
        if ( ! c?$dns || ! c$dns?$addl )
            return;

        local myinfo: Info;
        myinfo$ts     = network_time();
        myinfo$orig_h = c$id$orig_h;
        myinfo$orig_p = c$id$orig_p;
        myinfo$resp_h = c$id$resp_h;
        myinfo$resp_p = c$id$resp_p;
        myinfo$addl   = c$dns$addl;
        Log::write(Scriptlog::LOG, myinfo);
    }
}
---------------
In reporter.log I have this error:
Reporter::ERROR field value missing [Scriptlog::c$dns$addl]
What can I do?
Thanks,
Vito
2014-10-27 15:56 GMT+01:00 Seth Hall <seth at icir.org>:
>
> On Oct 27, 2014, at 4:55 AM, Vito Logrillo <vitologrillo at gmail.com> wrote:
>
> > I can see the presence of an additional record in the packet
> (msg$num_addl = 1), but I can't see its value.
> > How can I do this in Bro?
>
> redef dns_skip_all_addl=F;
>
> Long ago there was a decision in the DNS analyzer to not process auth and
> addl records due to load issues. If you make the setting change that I
> recommended, you can get the extra DNS records.
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>
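As an added example (not code from the original post, from Seth's reply, or from the Bro project itself), the script below logs each additional-section record at the moment the DNS analyzer delivers it, rather than reading c$dns$addl inside dns_request. With dns_skip_all_addl = F, additional RRs arrive through the ordinary reply events (dns_A_reply, dns_AAAA_reply) with ans$answer_type == DNS_ADDL, and the EDNS OPT pseudo-record that usually accounts for num_addl == 1 on a query arrives through dns_EDNS_addl. The module name AddlLog, the log stream and the Info record are this example's own; the event names, the dns_answer and dns_edns_additional record fields and the DNS_ADDL constant are assumed to be the Bro 2.x ones.

```bro
##! Added example: log DNS additional-section records as the analyzer
##! delivers them. Not part of the original post or of the Bro distribution.

module AddlLog;

# Additional records are only parsed when this is F.
redef dns_skip_all_addl = F;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:    time    &log;
        uid:   string  &log;
        id:    conn_id &log;
        query: string  &log;   # owner name of the additional RR
        qtype: count   &log;   # numeric RR type
        rtype: string  &log;   # which event delivered it (A, AAAA, OPT)
        value: string  &log &optional;
    };

    global log_addl: event(rec: Info);
}

event bro_init() &priority=5
{
    Log::create_stream(AddlLog::LOG, [$columns=Info, $ev=log_addl]);
}

# Build a log record from the generic dns_answer header; answer_type tells
# which section the RR came from (DNS_ANSWER, DNS_AUTH or DNS_ADDL).
function mk(c: connection, ans: dns_answer, rtype: string, value: string): Info
{
    return [$ts=network_time(), $uid=c$uid, $id=c$id,
            $query=ans$query, $qtype=ans$qtype, $rtype=rtype, $value=value];
}

# A/AAAA glue records in the additional section of a reply.
event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
{
    if ( ans$answer_type == DNS_ADDL )
        Log::write(AddlLog::LOG, mk(c, ans, "A", fmt("%s", a)));
}

event dns_AAAA_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
{
    if ( ans$answer_type == DNS_ADDL )
        Log::write(AddlLog::LOG, mk(c, ans, "AAAA", fmt("%s", a)));
}

# EDNS OPT pseudo-RR: present in both queries and replies, and the usual
# reason a *request* reports msg$num_addl == 1.
event dns_EDNS_addl(c: connection, msg: dns_msg, ans: dns_edns_additional)
{
    local info: Info = [$ts=network_time(), $uid=c$uid, $id=c$id,
                        $query=ans$query, $qtype=ans$qtype, $rtype="OPT",
                        $value=fmt("udp_payload_size=%d version=%d is_query=%d",
                                   ans$payload_size, ans$version, ans$is_query)];
    Log::write(AddlLog::LOG, info);
}
```

Running this against a pcap (bro -r trace.pcap addl-log.bro) produces an addl_log.log with one line per additional RR. Because every field is filled from the event arguments, nothing here depends on an &optional field having been set earlier, so the "field value missing" reporter error cannot occur.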