[Bro] detect-external-names.bro

Adam Pumphrey apumphrey at bricata.com
Wed Jul 19 12:07:37 PDT 2017

It checks responses to DNS A record queries for an IP address in the answer that is considered local (based on the Site::local_nets variable), but the resolved DNS name (the query) is not in a local DNS zone (based on the Site::local_zones variable).

The IP and query locality tests in this script depend on both the Site::local_nets and Site::local_zones variables.  If Site::local_zones is populated correctly, this script uses the Site::is_local_name function to see if the queried name belongs to a local DNS zone.  Underneath it's using a regular expression to match any subdomains of a zone specified in local_zones.

If the query doesn’t appear to be in a local zone, but the IP in the answer was, the script generates a Notice.

From: <bro-bounces at bro.org> on behalf of Vikram Basu <vikrambasu059 at gmail.com>
Date: Wednesday, July 19, 2017 at 7:57 AM
To: "bro at bro.org" <bro at bro.org>
Subject: [Bro] detect-external-names.bro


I am confused what the protocols/dns/detect-external-names.bro script is actually doing. The documentation reads
“This script detects names which are not within zones considered to be local but resolving to addresses considered local. The Site::local_zones<https://www.bro.org/sphinx/scripts/base/utils/site.bro.html#id-Site::local_zones> variable must be set appropriately for this detection.”

What does ‘names which are not within zones considered to be local but resolving to addresses considered local’ mean? And how is it determined ?
Can you give an example which makes this clearer ?


Vikram Basu
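As an added illustration of the check Adam describes above (this is a Python re-creation, not code from the Bro project or its script), the following applies the two locality tests to a few constructed DNS A responses; the regex approximates what Site::is_local_name builds from local_zones, and the nets and zones are assumed sample values.

```python
import ipaddress
import re

# Stand-ins for Bro's Site::local_nets and Site::local_zones (constructed values).
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
LOCAL_ZONES = {"example.com", "corp.example.net"}

# Approximates Site::is_local_name: a name is local if it equals a local zone
# or is a subdomain of one. The Bro script derives a similar pattern from local_zones.
_ZONE_RE = re.compile(
    r"(^\.?|\.)(" + "|".join(re.escape(z) for z in sorted(LOCAL_ZONES)) + r")$",
    re.IGNORECASE,
)

def is_local_name(name: str) -> bool:
    """True if the queried name is the apex or a subdomain of a local zone."""
    return _ZONE_RE.search(name.rstrip(".")) is not None

def is_local_addr(addr: str) -> bool:
    """True if the answer address falls inside one of the local nets."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)

def external_name_notices(answers):
    """answers: iterable of (query_name, record_type, answer_ip).
    Returns the (name, ip) pairs that would raise the notice: an A record
    resolving to a local address while the queried name is not in a local zone."""
    notices = []
    for qname, qtype, ip in answers:
        if qtype != "A":
            continue
        if is_local_addr(ip) and not is_local_name(qname):
            notices.append((qname, ip))
    return notices

# Constructed sample of DNS responses: (query name, record type, answer).
SAMPLE = [
    ("www.example.com", "A", "10.1.2.3"),            # local name, local IP: fine
    ("files.corp.example.net", "A", "192.168.5.9"),  # subdomain of a local zone: fine
    ("notexample.com", "A", "10.9.9.9"),             # not a subdomain, only a suffix match: notice
    ("attacker.example.org", "A", "10.0.0.5"),       # external zone resolving to local IP: notice
    ("example.com", "A", "10.0.0.1"),                # the zone apex itself: local
    ("cdn.example.org", "A", "203.0.113.10"),        # external name, external IP: fine
    ("mail.example.org", "AAAA", "10.0.0.7"),        # not an A record: ignored
]

if __name__ == "__main__":
    for name, ip in external_name_notices(SAMPLE):
        print(f"External_Name notice: {name} resolved to local address {ip}")
```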