[Bro] Adding dns entry to bro logs

Keith Midwinter kmidwinter at exoendo.com
Wed Jul 26 10:39:21 PDT 2017


Hi Mike,
Thanks for the info. I would like to do a load test as the box is pretty beefy and doesn't see a lot of traffic (2000 logs per minute). What file would I be editing to add the below code segment?
Thanks!
Keith
PS: currently DHCP and Bro logs do go to Splunk.
________________________________
From: Mike Dopheide <dopheide at gmail.com>
Sent: Wednesday, July 26, 2017 12:37:32 PM
To: Keith Midwinter
Cc: bro at bro.org
Subject: Re: [Bro] Adding dns entry to bro logs

The only way I know to do a lookup (someone please chime in), is using when(), something like this, which I stole from urls.bro originally:

# Asynchronous lookup: when() returns at once and the body runs later,
# once the resolver answers, while Bro keeps processing other events.
when(local m_addrs = lookup_hostname(m_no_scheme)){
    for(m_addr in m_addrs){

        # i.e., the lookup succeeded (a failed lookup yields only 0.0.0.0)
        if(m_addr != 0.0.0.0){
            ###  DO YOUR THING
        }
    }
}
# Optional: give up if the resolver has not answered within 5 seconds.
# timeout 5sec{
#     print fmt("timeout");
# }

However, I'd heavily caution you against doing that every time a log writes.  For one, it's extremely expensive.  Second, the when() call spawns a separate process, so if it works at all, you'd need to somehow delay your log writes while that field populates.

Just thinking out loud, if your DHCP pool isn't too huge, you could do the lookups on some interval and just populate a table that you reference later.  Not perfect, but close.

I'd probably just recommend having the DHCP logs pushed to the same SIEM as my Bro data.

-Dop


On Wed, Jul 26, 2017 at 8:38 AM, Keith Midwinter <kmidwinter at exoendo.com> wrote:
Hi,
I am using Bro internally on a network that uses DHCP to assign IP addresses, so if I want to investigate something that happened yesterday, doing an nslookup today won't tell me what host it was assigned to at the time the log was created. So is there a way to do an nslookup at the time of log creation and add it to the logs?

I did some googling and found a reference to extending the log format and running scripts but it wasn't enough for me to figure it out.
Thanks,
Keith

_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
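Mike's "populate a table on an interval" suggestion, written out as a complete Bro script. This is an added example for this page, not code from the thread or from the Bro project. Keith wants address-to-name (what he gets from nslookup on an IP), so it uses lookup_addr() for a reverse lookup rather than the lookup_hostname() forward lookup in Mike's snippet. Assumptions: Site::local_nets is configured so Site::is_local_addr() picks out the DHCP clients; the resolver's reverse zone is kept current by the DHCP server, otherwise every lookup comes back as the "<???>" failure string this script checks for; and the module name, the orig_name field, the 15-minute refresh and the one-hour cache lifetime are this example's own choices. It relies on the Bro 2.x Conn script filling c$conn in connection_state_remove at priority 5 and calling Log::write at priority -5, so a default-priority handler can set the field in between without delaying any write.

```bro
##! Cache reverse-DNS names for local hosts on a timer and stamp them
##! into conn.log. Example code written for this thread, not part of Bro.
##! Assumes Site::local_nets is set and that the reverse zone tracks
##! DHCP leases; module, field and interval names are this example's own.

@load base/protocols/conn
@load base/utils/site

module HostNames;

export {
	## How often to re-resolve every tracked address.
	const refresh_interval = 15min &redef;

	redef record Conn::Info += {
		## Cached reverse-DNS name of the originator at write time.
		orig_name: string &log &optional;
	};

	## Address -> name. Entries expire so a host that vanished, or whose
	## lease moved to someone else, does not keep an old name forever.
	global name_cache: table[addr] of string &create_expire = 1hr;
}

# Local originators seen recently; these are the addresses we refresh.
global tracked: set[addr] &create_expire = 1hr;

# Lookups already in progress, so a slow resolver cannot pile up duplicates.
global in_flight: set[addr];

function refresh_name(ip: addr)
	{
	if ( ip in in_flight )
		return;
	add in_flight[ip];

	# when() returns immediately; the body runs once the resolver answers,
	# so no log write is ever held up by DNS latency.
	when ( local name = lookup_addr(ip) )
		{
		delete in_flight[ip];
		# lookup_addr() hands back "<???>" when there is no PTR record.
		if ( name != "<???>" )
			name_cache[ip] = name;
		}
	timeout 10sec
		{
		delete in_flight[ip];
		}
	}

# Periodic refresh of everything we track (the "on some interval" part).
event refresh_names()
	{
	for ( ip in tracked )
		refresh_name(ip);
	schedule refresh_interval { refresh_names() };
	}

event bro_init()
	{
	schedule refresh_interval { refresh_names() };
	}

# Start tracking a local originator the first time it shows up, and
# resolve it right away so its early connections get a name too.
event new_connection(c: connection)
	{
	local ip = c$id$orig_h;
	if ( Site::is_local_addr(ip) && ip !in tracked )
		{
		add tracked[ip];
		refresh_name(ip);
		}
	}

# Default priority 0: runs after Conn fills c$conn (priority 5) and
# before it calls Log::write (priority -5), so the field lands in the log.
event connection_state_remove(c: connection)
	{
	local ip = c$id$orig_h;
	if ( c?$conn && ip in name_cache )
		c$conn$orig_name = name_cache[ip];
	}
```

Save it as its own .bro file and @load it from site/local.bro (the usual place for local customizations), then check that an orig_name column appears in conn.log. A lease that changes between two refreshes is still reported under the old name until the next cycle, which is the "not perfect, but close" trade-off Mike describes; the cache expiry bounds how long a stale name can linger. Because the lookups are asynchronous, this adds no latency to log writes, but on a large DHCP pool the refresh burst every 15 minutes is a load on the resolver worth watching, which is what Keith's load test would show.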


