[Bro] How to check the length of NDS request packets?
Hongda Li
hongdal at g.clemson.edu
Thu Jun 8 13:02:56 PDT 2017
Hi All,
I am going to write a script that detects DNS tunneling.
First the script checks all DNS request packets to see the length.
If the length of a DNS request packet exceeds a threshold, say, 255 bytes,
then this packet will be sent for DPI to check the requested domain name.
The problem is the "dns_request" event does not provide packet length,
which means, for every DNS request, I have to check the requested domain
name. This is expensive.
If I use "raw_packet" or "new_packet" events, then every new packet will
trigger an event, which is also expensive.
Is there a way that only triggers an event for a DNS request packet (e.g.,
based on the protocol and port number), and I can determine whether DPI is
necessary for this DNS request packet based on its length?
I am appreciate for any inputs!
Best regards,
Hongda
----------------------
Hongda Li, Graduate Research Assistant
Division of Computer Science, School of Computing
Clemson University
Email: hongdal at clemson.edu
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170608/dd6cbdf5/attachment.html
More information about the Bro
mailing list