[Bro] DNS and base64 woes

Ryan Kovar rkovar at gmail.com
Mon Jul 6 12:38:57 PDT 2015


Howdy!

I've been working on detecting base64 encrypted DNS exfil with Bro and
noticed that the default bro_dns.log makes all outbound DNS calls
lowercase. But since base64 is case sensitive, I can't decode the actual
content anymore… This appears to be a function of bif.strings.bro (
https://www.bro.org/sphinx/scripts/base/bif/strings.bif.bro.html?highlight=lowercase#id-to_lower).

However, I was wondering if there is a method/switch for Bro to report the
DNS string as actually seen in the traffic? An example is shown below:

-------
The actual request is:
GAAAAAAAAAAtLS0tLS0tLg==.4sl29das.chickenkiller.com

But bro_dns.log records it as:
gaaaaaaaaaatls0tls0tlg==.4sl29das.chickenkiller.com


-- 
Cheers,
   Ryan Kovar

"Illegitimi non carborundum"
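Added example (not part of the post above, and not Bro code): it reproduces the problem with the two labels quoted in the message and shows a detection check that does not depend on the case the log preserved. The regular expression, the `min_len` threshold and the helper names are assumptions for illustration.

```python
import base64
import binascii
import re

# Sample values taken from the post: the first label as seen on the wire,
# and the same label after bro_dns.log lowercased it.
QUERY_ON_WIRE = "GAAAAAAAAAAtLS0tLS0tLg==.4sl29das.chickenkiller.com"
QUERY_IN_LOG = "gaaaaaaaaaatls0tls0tlg==.4sl29das.chickenkiller.com"

# Standard base64 alphabet with optional trailing '=' padding (assumed pattern).
B64_LABEL = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def first_label(query):
    """Return the leftmost DNS label, which is where encoded data usually sits."""
    return query.split(".", 1)[0]


def try_decode(label):
    """Strict base64 decode of one label; None if it is not valid base64.

    Lowercasing does not make the label invalid: every lowercase letter is
    still in the alphabet, so the decode succeeds but yields different bytes.
    """
    if len(label) % 4 or not B64_LABEL.match(label):
        return None
    try:
        return base64.b64decode(label, validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_base64_label(label, min_len=16):
    """Case-insensitive shape check that gives the same answer for the wire
    label and the lowercased log label: long enough, length a multiple of 4,
    base64 alphabet only, and at least one digit or '=' so that ordinary
    hostnames made of letters alone are less likely to match."""
    if len(label) < min_len or len(label) % 4:
        return False
    if not B64_LABEL.match(label):
        return False
    return any(ch.isdigit() or ch == "=" for ch in label)
```

Because the lowercased label still decodes cleanly, a detection that inspects the decoded content needs the original-case query string, while a shape-based check like the one above can run on the normalised log as it is.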