[Zeek] Flow stats in dns_end event

Jon Siwek jsiwek at corelight.com
Wed Apr 22 10:22:28 PDT 2020


On Wed, Apr 22, 2020 at 12:15 AM Nabil Memon <nabilmemon.ec at gmail.com> wrote:

> Stats get updated in the connection record after the dns_end() event is raised?

Yes, the "dns_end" event and associated values can get
created/enqueued before the states are updated.  However, the updated
stats *are* technically available by the time the event gets
dispatched, so one trick to refresh the connection record value would
be to use "lookup_connection()".  See if this helps:

    event dns_end(c: connection, msg: dns_msg)
        {
        # Re-fetch the connection record so the endpoint stats are current.
        c = lookup_connection(c$id);
        print "dns_end: -------------------------------";
        print c$orig, c$resp, c$id, c$dns;
        print "dns_end: -------------------------------";
        }

- Jon
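
An added example, not part of the original message: a variant of the handler above that prints the byte counts carried by the enqueued record next to the values returned by "lookup_connection()", so the lag is visible per DNS message. The local variable names are illustrative, and it assumes a stock Zeek installation with the default scripts loaded.

```zeek
# Added example (not from the original message).
# Compares the endpoint byte counts seen on entry to dns_end with the
# values returned by lookup_connection().
event dns_end(c: connection, msg: dns_msg)
	{
	# Copy the counters first: these are plain counts, so they keep
	# the values the record had when the handler started.
	local stale_orig = c$orig$size;
	local stale_resp = c$resp$size;

	# lookup_connection() raises a run-time error and returns a dummy
	# record if the connection is no longer tracked, so check first.
	if ( ! connection_exists(c$id) )
		return;

	local fresh = lookup_connection(c$id);

	print fmt("dns_end uid=%s trans_id=%d orig_bytes %d -> %d resp_bytes %d -> %d",
	          c$uid, msg$id,
	          stale_orig, fresh$orig$size,
	          stale_resp, fresh$resp$size);
	}
```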

