[Bro] detect-external-names.bro

Adam Pumphrey apumphrey at bricata.com
Mon Jul 24 06:49:07 PDT 2017


It’s actually kind of the other way around: a Notice would only be generated if a.xyz.com is not a local domain name (in other words, “xyz.com” is not in Site::local_zones); however, Bro sees a DNS query/response where that name resolved to a local IP address.

Think rogue DNS… if a Notice is generated by this script, you’re likely seeing an unauthorized DNS server, using a DNS zone you don’t own or manage, resolve A record queries to your local IP addresses.

Site::local_zones and Site::local_nets must be set manually; Bro won’t do this by analyzing traffic. However, if you populate networks.cfg, Bro will set Site::local_nets for you when it starts up.

From: Vikram Basu <vikrambasu059 at gmail.com>
Date: Saturday, July 22, 2017 at 2:26 AM
To: "Azoff, Justin S" <jazoff at illinois.edu>, Adam Pumphrey <apumphrey at bricata.com>
Cc: "bro at bro.org" <bro at bro.org>
Subject: RE: [Bro] detect-external-names.bro

Am I correct in saying that if xyz.com points to a local IP address but a.xyz.com resolves to an external IP address, then the notice is generated?

So do both Site::local_nets and Site::local_zones need to be defined externally in the local.bro file using redef statements, or does Bro do this automatically by analysing traffic?

In addition, what does defining the private IP address in the networks.cfg in the bro/etc folder do?

Regards

Vikram Basu
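The condition Adam describes (local answer address, non-local query name), written out as a small Bro script so the three cases in the thread can be seen side by side. This is an added example, not the detect-external-names.bro script shipped with Bro; the notice name ExampleExternalNames::External_Name_Example, the address ranges and the zone "xyz.com" are assumptions standing in for your own site values. It uses the Site::is_local_addr and Site::is_local_name helpers from base/utils/site.bro, which test against Site::local_nets and Site::local_zones respectively.

```bro
@load base/frameworks/notice
@load base/utils/site

module ExampleExternalNames;

export {
	redef enum Notice::Type += {
		## A name whose zone is not in Site::local_zones resolved
		## to an address inside Site::local_nets.
		External_Name_Example,
	};
}

# Assumed site values. Bro does not learn either set from traffic:
# local_nets can come from networks.cfg (one CIDR per line, optional
# description after whitespace), local_zones must be redef'd in a script.
redef Site::local_nets += { 10.0.0.0/8, 192.168.0.0/16 };
redef Site::local_zones += { "xyz.com" };

# Only A replies are shown; the AAAA case is the same test on an IPv6 addr.
event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
	{
	# Outcomes for the cases discussed in the thread:
	#   a.xyz.com      -> 10.1.2.3     local name,    local addr    : no notice
	#   a.xyz.com      -> 203.0.113.5  local name,    external addr : no notice
	#   foo.other.test -> 10.1.2.3     external name, local addr    : NOTICE
	if ( Site::is_local_addr(a) && ! Site::is_local_name(ans$query) )
		NOTICE([$note=External_Name_Example,
		        $msg=fmt("%s resolved to local address %s", ans$query, a),
		        $sub=cat(msg$id),
		        $conn=c,
		        $identifier=cat(ans$query, a)]);
	}
```

Site::is_local_name matches the query name against each entry in Site::local_zones as a suffix, so "xyz.com" in local_zones covers a.xyz.com and deeper labels; the parent domain resolving to a local address is not what is tested, only the zone membership of the name in the answer.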