[Bro] DNS and base64 woes
Seth Hall
seth at icir.org
Mon Jul 6 13:45:53 PDT 2015
> On Jul 6, 2015, at 3:38 PM, Ryan Kovar <rkovar at gmail.com> wrote:
>
> I've been working on detecting base64 encrypted DNS exfil with Bro and noticed that the default bro_dns.log makes all dns outbound calls lowercase. But since base64 is case sensitive I can't decode the actual content anymore
Yes, this is a suboptimal behavior that has been a historic decision for a while now. We have similar changes in one or two other places as well. I filed a ticket to make sure we address this for 2.5.
https://bro-tracker.atlassian.net/browse/BIT-1431
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: Message signed with OpenPGP using GPGMail
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150706/9394553f/attachment.bin
More information about the Bro
mailing list