[Bro] How to check the length of DNS request packets?

Hongda Li hongdal at g.clemson.edu
Thu Jun 8 13:37:59 PDT 2017


>> On Jun 8, 2017, at 4:02 PM, Hongda Li <hongdal at g.clemson.edu> wrote:
>>
>> The problem is the "dns_request" event does not provide packet length,
>> which means, for every DNS request, I have to check the requested domain
>> name. This is expensive.

> Why do you say that it is expensive?  Getting the length of a string in
> bro is an O(1) operation.

Thanks, Justin.

But I am worried about the cost of DPI, since the dns_request event contains
dns_msg, the query string and much other information that is not necessary
when I only look at the length of the packet.

For most of the DNS request packets, I would like to check the length. Only
those packets with greater length will be checked for their query strings.

Can I specify a filter that only checks the length of DNS request, like
BPF, to the live traffic in my policy script?

Best regards,
Hongda
----------------------
Hongda Li, Graduate Research Assistant
Division of Computer Science, School of Computing
Clemson University
Email: hongdal at clemson.edu

On Thu, Jun 8, 2017 at 4:17 PM, Azoff, Justin S <jazoff at illinois.edu> wrote:

>
> > On Jun 8, 2017, at 4:02 PM, Hongda Li <hongdal at g.clemson.edu> wrote:
> >
> > The problem is the "dns_request" event does not provide packet length,
> which means, for every DNS request, I have to check the requested domain
> name. This is expensive.
>
> Why do you say that it is expensive?  Getting the length of a string in
> bro is an O(1) operation.
>
> --
> - Justin Azoff
>
>
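The two-stage check discussed in this thread, written as a Bro policy script; this is an added example and not code from the thread or the Bro project. It assumes the Bro 2.5 `dns_request` event signature and the `split_string`/`NOTICE` builtins; the threshold `max_query_len` is a placeholder value.

```bro
@load base/frameworks/notice

module DNSLen;

export {
    redef enum Notice::Type += {
        ## Raised when a DNS query name exceeds the configured length.
        Long_Query,
    };

    ## Query names longer than this (bytes) get the second-stage check.
    ## Placeholder threshold; tune it against your own traffic.
    const max_query_len = 100 &redef;
}

event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
    {
    # Stage 1: |query| is an O(1) length lookup on the already-parsed
    # name, so this is cheap for every request.
    if ( |query| <= max_query_len )
        return;

    # Stage 2: only long names reach this point. Look at the individual
    # labels, since a single oversized label is more unusual than a
    # long but ordinary multi-label name.
    local labels = split_string(query, /\./);
    local longest = 0;
    for ( i in labels )
        if ( |labels[i]| > longest )
            longest = |labels[i]|;

    NOTICE([$note=Long_Query,
            $conn=c,
            $msg=fmt("DNS query of %d bytes (longest label %d) from %s",
                     |query|, longest, c$id$orig_h),
            $sub=query,
            $identifier=cat(c$id$orig_h, query)]);
    }
```

Note that this measures the query name, not the on-wire packet; the `dns_request` event has no per-packet length field, which is the point of the original question.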