[Bro] detect-external-names.bro

Wed Jul 19 12:20:18 PDT 2017

> On Jul 19, 2017, at 3:07 PM, Adam Pumphrey <apumphrey at bricata.com> wrote:
> 
> It checks responses to DNS A record queries for an IP address in the answer that is considered local (based on the Site::local_nets variable), but the resolved DNS name (the query) is not in a local DNS zone (based on the Site::local_zones variable).   
>  
> The IP and query locality tests in this script depend on both the Site::local_nets and Site::local_zones variables.  If Site::local_zones is populated correctly, this script uses the Site::is_local_name function to see if the queried name belongs to a local DNS zone.  Underneath its using a regular expression to match any subdomains of a zone specified in local_zones.    
>  
> If the query doesn’t appear to be in a local zone, but the IP in the answer was, the script generates a Notice. 
>  

Exactly right.  If you haven't already, I would say to just read the script.  It's probably one of the most simple, but still useful scripts that ship with bro.  Aside from some boilerplate that is common to any script that raises a notice and the event handling, the entire script is just a single if statement:

    if ( Site::is_local_addr(a) &&            # referring to a local host
         ! Site::is_local_name(ans$query) )   # name isn't in a local zone.
         # raise notice here

-- 
- Justin Azoff