[Bro] Adding dns entry to bro logs

Mike Dopheide dopheide at gmail.com
Wed Jul 26 09:37:32 PDT 2017


The only way I know to do a lookup (someone please chime in) is using
when(), something like this, which I stole from urls.bro originally:

# m_no_scheme holds the hostname string to resolve; in urls.bro it is the
# URL with its scheme stripped.  lookup_hostname() is asynchronous, so the
# body of when() runs only once the resolver answers, and the statements
# after the when() block do not wait for it.
when(local m_addrs = lookup_hostname(m_no_scheme)){
    for(m_addr in m_addrs){

        # A failed lookup yields 0.0.0.0, so anything else means it succeeded
        if(m_addr != 0.0.0.0){
            ###  DO YOUR THING
        }
    }
}
# Optional timeout branch: runs if the resolver has not answered in 5 seconds
# timeout 5sec{
#     print fmt("timeout");
# }

However, I'd heavily caution you against doing that every time a log
writes.  For one, it's extremely expensive.  Second, the when() call spawns
a separate process, so if it works at all, you'd need to somehow delay your
log writes while that field populates.

Just thinking out loud, if your DHCP pool isn't too huge, you could do the
lookups on some interval and just populate a table that you reference
later.  Not perfect, but close.

I'd probably just recommend having the DHCP logs pushed to the same SIEM as
my Bro data.

-Dop


On Wed, Jul 26, 2017 at 8:38 AM, Keith Midwinter <kmidwinter at exoendo.com>
wrote:

> Hi,
> I am using bro internally on a network that uses dhcp to assign ip
> addresses, so if I want to investigate something that happened yesterday
> then doing an nslookup today won't tell me what host it was assigned to at
> the time the log was created. So is there a way to do an nslookup at the
> time of log creation and add it to the logs?
>
> I did some googling and found a reference to extending the log format and
> running scripts but it wasn't enough for me to figure it out.
> Thanks,
> Keith
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
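Added example, not code from this thread or from Bro: the after-the-fact join the reply recommends, done in Python rather than at log-write time. Each conn.log address is resolved to the DHCP lease that was active at that record's timestamp, so an IP re-assigned later still maps to the right client. The dhcp.log and conn.log excerpts are constructed and reduced to the columns used; Bro's dhcp.log records a MAC rather than a hostname, so the MAC-to-host step is left to your inventory.

```python
import bisect
from collections import defaultdict

# Constructed dhcp.log excerpt (tab-separated): ts, assigned_ip, mac, lease_time.
# 10.0.0.5 moves to a second MAC after one hour, the case where a same-day
# nslookup gives the wrong answer for yesterday's traffic.
DHCP_LOG = """\
1501040000.0\t10.0.0.5\taa:bb:cc:00:00:01\t3600
1501043600.0\t10.0.0.5\taa:bb:cc:00:00:02\t3600
1501040100.0\t10.0.0.9\taa:bb:cc:00:00:03\t86400
"""

# Constructed conn.log excerpt: ts, uid, id.orig_h, id.resp_h.
CONN_LOG = """\
1501041000.0\tCabc1\t10.0.0.5\t93.184.216.34
1501044000.0\tCabc2\t10.0.0.5\t93.184.216.34
1501050000.0\tCabc3\t10.0.0.7\t93.184.216.34
"""

def build_lease_index(dhcp_text):
    """Map assigned_ip -> list of (start, end, mac) sorted by lease start."""
    leases = defaultdict(list)
    for line in dhcp_text.splitlines():
        if not line or line.startswith("#"):  # skip Bro's #fields/#types headers
            continue
        ts, ip, mac, lease_time = line.split("\t")
        leases[ip].append((float(ts), float(ts) + float(lease_time), mac))
    for entries in leases.values():
        entries.sort()
    return leases

def mac_at(leases, ip, ts):
    """MAC that held `ip` at time `ts`, or None if no lease covered that instant."""
    entries = leases.get(ip, [])
    # The only candidate is the most recent lease that started at or before ts.
    i = bisect.bisect_right([e[0] for e in entries], ts) - 1
    if i < 0:
        return None
    _start, end, mac = entries[i]
    return mac if ts < end else None  # lease had expired: IP was unassigned

def annotate_conn(conn_text, leases):
    """Return [(uid, orig_h, mac_or_None), ...] for each conn.log record."""
    rows = []
    for line in conn_text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, uid, orig_h, _resp_h = line.split("\t")
        rows.append((uid, orig_h, mac_at(leases, orig_h, float(ts))))
    return rows
```

Real dhcp.log and conn.log files carry more columns than the excerpts; adjust the `split("\t")` unpacking to the `#fields` header of your Bro version.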