[Bro] DNS and base64 woes

Seth Hall seth at icir.org
Mon Jul 6 13:45:53 PDT 2015

> On Jul 6, 2015, at 3:38 PM, Ryan Kovar <rkovar at gmail.com> wrote:
> I've been working on detecting base64 encrypted DNS exfil with Bro and noticed that the default bro_dns.log makes all dns  outbound calls lowercase. But since base64 is case sensitive I can't decode the actual content anymore

Yes, this is a suboptimal behavior that has been a historic decision for a while now.  We have similar changes in one or two other places as well.  I filed a ticket to make sure we address this for 2.5.



Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: Message signed with OpenPGP using GPGMail
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150706/9394553f/attachment.bin 

More information about the Bro mailing list