[Bro] How can I extract the DNS query

Qinwen Hu qhu009 at aucklanduni.ac.nz
Fri Jan 23 16:46:16 PST 2015


Hi,

I am a new Bro user. Recently, I observed a new way to launch IPv6
address scanning. For instance, an attacker sends IPv6 reverse DNS lookup
queries to a target DNS server and extracts IPv6 records from the reverse
DNS zone.

The DNS query looks like:

   0.0.0.0.0.0.0.0.0.f.d.0.1.0.0.2.ip6.arpa
   1.0.0.0.0.0.0.0.0.f.d.0.1.0.0.2.ip6.arpa
   2.0.0.0.0.0.0.0.0.f.d.0.1.0.0.2.ip6.arpa
   0.2.0.0.0.0.0.0.0.0.f.d.0.1.0.0.2.ip6.arpa


I am trying to use Bro to detect this kind of attack. But when I use main.bro to
read my trace file, I can't extract the DNS query. I looked at the dns_request
event and added some debug messages in this routine. Again, I can't see
the ip6.arpa query printed out.

To detect this attack, I have to extract the DNS query and compare it with the
previous query. Is it possible to extract the DNS query using some
existing functions? Do you have any suggestions?

Many thanks for your attention to this matter. Have a nice day.


Kind regards,


Steven
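The queries in the post are the classic reverse-zone walk: the attacker asks for
sibling ip6.arpa names (the leftmost label is the nibble being enumerated) and
descends one nibble deeper under each name that gets an answer. The detection logic
the post asks about, written here as an added, stand-alone Python example rather
than a Bro script (it is not code from the post or from the Bro project), turns each
ip6.arpa name into the IPv6 prefix it covers and raises an alert when one client
queries several sibling prefixes under the same parent against the same server. It
assumes it is fed the query name string that Bro records for each DNS request (the
`query` field of dns.log); the client/server addresses and log records below are
constructed sample data, and the threshold of three siblings is an arbitrary choice.

```python
"""Detect IPv6 reverse-zone walking (sequential ip6.arpa queries) in DNS records."""
import ipaddress
from collections import defaultdict

IP6_ARPA_SUFFIX = ".ip6.arpa"


def ip6_arpa_to_network(name):
    """Translate an ip6.arpa query name into the IPv6 prefix it asks about.

    Labels are single hex nibbles, least-significant first, so reversing them
    yields the address in normal order. A name with fewer than 32 nibbles
    covers a prefix (16 nibbles -> /64), which is what a zone walker sends.
    Returns None for anything that is not a syntactically valid ip6.arpa name.
    """
    name = name.rstrip(".").lower()
    if not name.endswith(IP6_ARPA_SUFFIX):
        return None
    labels = name[: -len(IP6_ARPA_SUFFIX)].split(".")
    if not labels or len(labels) > 32:
        return None
    if any(len(lbl) != 1 or lbl not in "0123456789abcdef" for lbl in labels):
        return None
    nibbles = "".join(reversed(labels))
    value = int(nibbles.ljust(32, "0"), 16)       # pad to a full 128-bit value
    return ipaddress.IPv6Network((value, 4 * len(labels)))


def parent_and_nibble(net):
    """Split a prefix into its parent (one nibble shorter) and the nibble that
    distinguishes it from its siblings; siblings share the parent."""
    depth = net.prefixlen // 4                    # number of nibbles in the name
    shift = 128 - 4 * depth
    value = int(net.network_address)
    nibble = (value >> shift) & 0xF
    parent = ipaddress.IPv6Network((value & ~(0xF << shift), 4 * (depth - 1)))
    return parent, nibble


class ReverseZoneWalkDetector:
    """Flag a client that queries several sibling ip6.arpa prefixes against the
    same server. Grouping by (client, server, parent prefix) exposes the walk
    regardless of which depth of the tree the attacker is currently at."""

    def __init__(self, threshold=3):
        self.threshold = threshold
        self._siblings = defaultdict(set)         # key -> nibbles seen under parent
        self.alerts = []

    def observe(self, client, server, query):
        net = ip6_arpa_to_network(query)
        if net is None:
            return None                           # not an ip6.arpa name; ignore
        parent, nibble = parent_and_nibble(net)
        seen = self._siblings[(client, server, parent)]
        seen.add(nibble)
        if len(seen) == self.threshold:           # fire once, when first crossed
            alert = {"client": client, "server": server, "parent": str(parent),
                     "depth_nibbles": net.prefixlen // 4, "siblings": sorted(seen)}
            self.alerts.append(alert)
            return alert
        return None


# Constructed sample records (client, server, query): the four names from the
# post, plus an ordinary full-length PTR lookup and a non-arpa query that must
# not trigger. Addresses are documentation-range placeholders, not real hosts.
SAMPLE_RECORDS = [
    ("2001:db8:1::53", "2001:db8::53", "0.0.0.0.0.0.0.0.0.f.d.0.1.0.0.2.ip6.arpa"),
    ("2001:db8:1::53", "2001:db8::53", "1.0.0.0.0.0.0.0.0.f.d.0.1.0.0.2.ip6.arpa"),
    ("2001:db8:1::53", "2001:db8::53", "2.0.0.0.0.0.0.0.0.f.d.0.1.0.0.2.ip6.arpa"),
    ("2001:db8:1::53", "2001:db8::53", "0.2.0.0.0.0.0.0.0.0.f.d.0.1.0.0.2.ip6.arpa"),
    ("2001:db8:2::10", "2001:db8::53", "1." + "0." * 23 + "8.b.d.0.1.0.0.2.ip6.arpa"),
    ("2001:db8:2::10", "2001:db8::53", "www.example.com"),
]


def run(records, threshold=3):
    """Feed records through the detector and return the alerts it raised."""
    detector = ReverseZoneWalkDetector(threshold)
    for client, server, query in records:
        detector.observe(client, server, query)
    return detector.alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_RECORDS):
        print(alert)
```

On the sample data the three 16-nibble siblings under 2001:df0::/60 raise one alert; the
17-nibble descent starts a new sibling set and the full-length PTR lookup stays below the
threshold. Note that an ordinary resolver doing a PTR lookup always sends all 32 nibbles,
so any query shorter than that is worth logging on its own, and a lower threshold for
short names would catch a walker earlier.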