[Bro] Adding dns entry to bro logs
Azoff, Justin S
jazoff at illinois.edu
Wed Jul 26 09:48:28 PDT 2017
> On Jul 26, 2017, at 12:37 PM, Mike Dopheide <dopheide at gmail.com> wrote:
>
> However, I'd heavily caution you against doing that every time a log writes. For one, it's extremely expensive. Second, the when() call spawns a separate process, so if it works at all, you'd need to somehow delay your log writes while that field populates.
Yeah, this would not work that well in practice.
> Just thinking out loud, if your DHCP pool isn't too huge, you could do the lookups on some interval and just populate a table that you reference later. Not perfect, but close.
I was thinking exactly this. You just need some tool written in any language to output a file like
#fields ip name
10.0.0.1 boxone
10.0.0.2 otherbox
10.0.0.3 thirdbox
(with tabs and not spaces) and then bro can load that into a table[addr] of string; and you can reference it as often as you need.
--
- Justin Azoff
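
An added example, not part of the original message: one way to write the external tool the reply describes, which resolves a DHCP pool on an interval and writes the tab-separated file for Bro to load into a table[addr] of string. Assumptions: names come from reverse DNS (PTR) lookups; the function names, the hosts.tsv file name and the 10.0.0.0/29 pool are constructed for illustration.

```python
import ipaddress
import os
import socket
import tempfile

def reverse_lookup(ip):
    """Return the PTR name for ip, or None when there is no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror and socket.gaierror are OSError subclasses
        return None

def build_rows(cidr, resolve=reverse_lookup):
    """Resolve every host address in cidr; skip addresses without a usable name."""
    rows = []
    for ip in ipaddress.ip_network(cidr).hosts():
        name = resolve(str(ip))
        # Tab and newline are the field and record separators of the file,
        # so a name containing either would corrupt the table: drop it.
        if name and not any(c in name for c in "\t\r\n"):
            rows.append((str(ip), name))
    return rows

def render(rows):
    """Render rows in the layout shown in the message (tabs, not spaces)."""
    lines = ["#fields\tip\tname"]
    lines += [f"{ip}\t{name}" for ip, name in rows]
    return "\n".join(lines) + "\n"

def write_atomic(path, text):
    """Write a temp file in the same directory, then rename it over path,
    so a reader never sees a half-written table."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".hosts-")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(text)
        os.chmod(tmp, 0o644)  # mkstemp creates the file 0600; let the sensor read it
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise

if __name__ == "__main__":
    # Constructed sample pool and output name; run this from cron or a timer.
    write_atomic("hosts.tsv", render(build_rows("10.0.0.0/29")))
```

The rename keeps each refresh all-or-nothing, which matters when the file is re-read while the tool is still running.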