[Bro] JustinAzoff/bro-pdns

Azoff, Justin S jazoff at illinois.edu
Mon Nov 14 07:57:34 PST 2016


Hi :-)

Yes. The Python version worked, but the performance when using remote databases was not that good.  It was also really hard for people to install correctly.

Also, it turned out that using the log postprocessor to execute the tool during log rotation was really fragile.

I rewrote it as a simpler tool that can just read existing Bro log archives instead of needing to be run from Bro.

I implemented SQLite and PostgreSQL backends, but haven't done MySQL yet.  It's fully functional, but it needs some polishing.

$ ./bro-pdns index big.log
2016/11/14 10:44:11 big.log: Aggregation: Duration=3.9 TotalRecords=1058400 SkippedRecords=0 Tuples=1496 Individual=1962
2016/11/14 10:44:11 batch: Store: Duration=0.1 Inserted=3458 Updated=0
$ ./bro-pdns index big.log
2016/11/14 10:55:35 big.log: Already indexed
$ ./bro-pdns like tuple google.com|head
Query	Type	Answer	Count	TTL	First	Last
clients3.google.com	A	173.194.46.64	144	70	2014-03-14 14:31:06	2014-03-14 14:31:06
clients3.google.com	A	173.194.46.65	144	70	2014-03-14 14:31:06	2014-03-14 14:31:06
clients3.google.com	A	173.194.46.66	144	70	2014-03-14 14:31:06	2014-03-14 14:31:06

$ ./bro-pdns web --listen :8081&
[1] 7449
2016/11/14 10:51:59 Listening on ":8081"

$ curl -s localhost:8081/dns/like/tuples/173.194.46.64  | jq . | head
[
  {
    "Last": "2014-03-14 14:31:20",
    "First": "2014-03-14 14:31:20",
    "TTL": 300,
    "Count": 288,
    "Answer": "173.194.46.64",
    "Type": "A",
    "Query": "maps.google.nl"
  },

Indexing all Bro logs currently involves a find -name 'dns.*' | xargs -n 50 bro-pdns index

-- 
- Justin Azoff

> On Nov 14, 2016, at 10:19 AM, puntogtg at tiscali.it wrote:
> 
> I was using it with MySQL, but performance was not so good.
> Some time ago I wrote to Justin and he told me he was rewriting the code: https://github.com/JustinAzoff/bro-pdns/tree/go-rewrite
> 
> 
> On 14.11.2016 16:04 Obndnar smith wrote:
> 
>> Has anyone had any luck getting this passive DNS script to work?  I can't seem to get any of the data from Bro into the MySQL server.  Has anyone gotten this to work and have any tips or tricks to get it working?
>> https://github.com/JustinAzoff/bro-pdns
> 
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
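The thread above describes what the rewritten bro-pdns does at a high level: read a Bro dns.log archive, collapse it into (query, type, answer) tuples with a count, first/last seen and TTL, refuse to index the same archive twice, merge the result into a database, and serve substring lookups. The following is an added illustration of that pipeline written for this page; it is not code from bro-pdns (which is Go) or from anyone in the thread. It uses Python's bundled sqlite3 module so it runs offline. The sample log is constructed (real Bro 2.x header directives, a reduced set of columns), and the table layout, function names, the use of the archive file name as the "already indexed" key, and the handling of TTL lists shorter than answer lists are all assumptions made here, not the project's design.

```python
import sqlite3

# Constructed sample Bro 2.x dns.log (reduced field set, real header directives); not from the thread.
SAMPLE_DNS_LOG = """\
#separator \\x09
#set_separator\t,
#unset_field\t-
#fields\tts\tuid\tid.orig_h\tquery\tqtype_name\tanswers\tTTLs
#types\ttime\tstring\taddr\tstring\tstring\tvector[string]\tvector[interval]
1394807466.123456\tCXWv6p3arKYeMETxOg\t10.0.0.5\tclients3.google.com\tA\t173.194.46.64,173.194.46.65\t70.000000,70.000000
1394807480.500000\tCjhGID4nQcgTWjvg4c\t10.0.0.5\tmaps.google.nl\tA\t173.194.46.64\t300.000000
1394807490.000000\tC4J4Th3PJpwUYZZ6gc\t10.0.0.7\tclients3.google.com\tA\t173.194.46.64\t70.000000
1394807495.000000\tCmES5u32sYpV7JYN\t10.0.0.7\tnx.example.invalid\tA\t-\t-
"""

def parse_bro_log(text):
    """Parse Bro ASCII log text into dicts, driven by its own # header directives."""
    sep, set_sep, unset, fields, types, records = "\t", ",", "-", None, None, []
    for line in text.splitlines():
        if line.startswith("#separator "):
            # Written as an escape (\x09) because the separator is not known yet.
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#"):  # #path, #open and #close are not needed here
            key, _, value = line[1:].partition(sep)
            if key == "set_separator":
                set_sep = value
            elif key == "unset_field":
                unset = value
            elif key == "fields":
                fields = value.split(sep)
            elif key == "types":
                types = value.split(sep)
        elif line:
            values = line.split(sep)
            if fields is None or types is None or len(values) != len(fields):
                raise ValueError("malformed log line: %r" % line)
            rec = {}
            for name, typ, val in zip(fields, types, values):
                if typ.startswith(("vector[", "set[")):  # list columns, [] when unset
                    rec[name] = [] if val == unset else val.split(set_sep)
                else:
                    rec[name] = None if val == unset else val
            records.append(rec)
    return records

def aggregate(records):
    """Collapse records into (query, type, answer) tuples and individual names."""
    tuples, individual, skipped = {}, {}, 0
    def bump(table, key, ts, ttl=None):  # count, first/last seen, last TTL
        row = table.setdefault(key, {"count": 0, "first": ts, "last": ts})
        row["count"] += 1
        row["first"], row["last"], row["ttl"] = min(row["first"], ts), max(row["last"], ts), ttl
    for rec in records:
        if not rec.get("query") or not rec.get("answers"):
            skipped += 1  # unanswered, NXDOMAIN or malformed: nothing to pivot on
            continue
        ts, ttls = float(rec["ts"]), rec.get("TTLs") or []
        for i, answer in enumerate(rec["answers"]):
            ttl = int(float(ttls[i])) if i < len(ttls) else 0  # TTLs can be shorter
            bump(tuples, (rec["query"], rec.get("qtype_name") or "-", answer), ts, ttl)
            bump(individual, ("A", answer), ts)
        bump(individual, ("Q", rec["query"]), ts)
    return {"tuples": tuples, "individual": individual, "total": len(records), "skipped": skipped}

SCHEMA = """
CREATE TABLE IF NOT EXISTS indexed_files (name TEXT PRIMARY KEY);
CREATE TABLE IF NOT EXISTS dns_tuples (query TEXT, type TEXT, answer TEXT, count INTEGER,
    ttl INTEGER, first REAL, last REAL, PRIMARY KEY (query, type, answer));
"""

def open_store(path=":memory:"):
    db = sqlite3.connect(path)
    db.executescript(SCHEMA)
    return db

def index_log(db, name, text):
    """Merge one log archive into the store; returns None if `name` was indexed before."""
    try:
        with db:  # one transaction: a parse failure also rolls back the file record
            db.execute("INSERT INTO indexed_files VALUES (?)", (name,))
            agg = aggregate(parse_bro_log(text))
            for (q, t, a), r in agg["tuples"].items():
                db.execute("INSERT OR IGNORE INTO dns_tuples VALUES (?,?,?,0,?,?,?)",
                           (q, t, a, r["ttl"], r["first"], r["last"]))
                db.execute("UPDATE dns_tuples SET count=count+?, ttl=?, first=min(first,?),"
                           " last=max(last,?) WHERE query=? AND type=? AND answer=?",
                           (r["count"], r["ttl"], r["first"], r["last"], q, t, a))
    except sqlite3.IntegrityError:
        return None  # archive seen before: skip it rather than double count
    return agg

def like(db, needle):
    """Substring search over queries and answers; % and _ in the needle are escaped."""
    esc = needle.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    cur = db.execute(
        "SELECT query, type, answer, count, ttl, first, last FROM dns_tuples "
        "WHERE query LIKE ? ESCAPE '\\' OR answer LIKE ? ESCAPE '\\' ORDER BY query, answer",
        ("%" + esc + "%",) * 2)
    return [dict(zip([d[0] for d in cur.description], row)) for row in cur]
```

Two details matter when running something like this over a large archive set with xargs: the file-name record and the merged counters live in the same transaction, so a crash or a malformed line leaves neither behind and the archive can simply be re-run, and the LIKE lookup keeps the user's text in a bound parameter with `%` and `_` escaped, which is what keeps a search box in front of the web endpoint from becoming a wildcard scan of the whole table. Keying "already indexed" on the file name is a simplification; a rotated archive that is renamed would be counted again.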



