topic/jsiwek/dns-improvements

Description

This branch is in bro, bro-testing, and bro-testing-private repos.

  • Fixes incorrect parsing of DNS message format for messages with empty question sections.

  • Changes dns.log to only include standard queries (opcode == 1).

  • Adds "dns_unknown_reply" event for RR types that Bro doesn't know how to parse, which improves accuracy of request-reply pair matching performed by the default DNS scripts.

Environment

None

Activity

Jon Siwek
January 31, 2014, 10:36 AM

I just pushed another commit on this branch containing a rewrite of the query-reply state tracking and matching logic. It now relies on the "dns_end" event to pair messages and log them. The old way of tracking the number of resource records seen versus the total number declared in the reply message is too unreliable in many cases.
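
The three points in the description (parsing a message whose question section is empty, keeping only standard queries, and not getting stuck on RR types the parser cannot decode) and the pairing rewrite described in the comment above can be shown together on the wire format. The following is an added example written for this page, not Bro's analyzer or any of its scripts: a small Python DNS parser over constructed messages, with the old count-based matcher next to an end-of-message matcher that stands in for what the `dns_end`-based logic does. Per RFC 1035 the standard QUERY opcode is 0 (1 is IQUERY, 2 is STATUS), so that is the value the filter keeps. The sample messages, the `KNOWN_RR_TYPES` set and the log-record layout are all assumptions made up for the example.

```python
"""Added example (not Bro's code): DNS header/RR parsing that tolerates an
empty question section, opcode filtering, and two query-reply matchers."""
import struct
from ipaddress import IPv4Address

QUERY_OPCODE = 0          # RFC 1035: opcode 0 = standard QUERY (1 = IQUERY, 2 = STATUS)
KNOWN_RR_TYPES = {1, 2, 5, 6, 12, 15, 16, 28, 33}   # assumption: types this toy parser decodes


def encode_name(name):
    """Wire-encode a domain name (used only to build the constructed samples)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def parse_name(buf, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, jumped = [], None, False
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack_from("!H", buf, off)[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_message(buf):
    """Parse a DNS message. qdcount == 0 (e.g. a bare FORMERR reply) is valid."""
    ident, flags, qd, an, ns, ar = struct.unpack_from("!6H", buf, 0)
    msg = {"id": ident, "qr": (flags >> 15) & 1, "opcode": (flags >> 11) & 0xF,
           "rcode": flags & 0xF, "qdcount": qd, "rrcount": an + ns + ar,
           "questions": [], "rrs": []}
    off = 12
    for _ in range(qd):                                 # zero iterations is fine
        name, off = parse_name(buf, off)
        qtype, qclass = struct.unpack_from("!HH", buf, off)
        off += 4
        msg["questions"].append((name, qtype, qclass))
    for _ in range(an + ns + ar):
        name, off = parse_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        msg["rrs"].append((name, rtype, buf[off:off + rdlen]))
        off += rdlen
    return msg


def _log_entry(query, reply):
    """Build one log record; the query name comes from the reply if no query was seen."""
    src = query if query is not None else reply
    qname = src["questions"][0][0] if src["questions"] else "-"
    answers = [str(IPv4Address(rd)) for _, t, rd in reply["rrs"] if t == 1]
    unknown = sorted({t for _, t, _ in reply["rrs"] if t not in KNOWN_RR_TYPES})
    return {"id": reply["id"], "query": qname, "rcode": reply["rcode"],
            "answers": answers, "unknown_rr_types": unknown}


def match_by_rr_count(messages):
    """Old scheme: log a reply only when the number of RRs actually decoded equals
    the total declared in the header. An RR of unknown type is never decoded, so
    such replies are never logged and their queries stay pending."""
    pending, log = {}, []
    for m in messages:
        if m["opcode"] != QUERY_OPCODE:
            continue
        if not m["qr"]:
            pending[m["id"]] = m
            continue
        if m["id"] not in pending:
            continue
        decoded = sum(1 for _, t, _ in m["rrs"] if t in KNOWN_RR_TYPES)
        if decoded == m["rrcount"]:
            log.append(_log_entry(pending.pop(m["id"]), m))
    return log, sorted(pending)       # pending ids are queries that never get logged


def match_at_message_end(messages):
    """New scheme (stand-in for dns_end-based pairing): pair and log every
    standard-query reply once the whole message has been parsed, reporting
    unknown RR types instead of waiting for them to be decoded."""
    pending, log = {}, []
    for m in messages:
        if m["opcode"] != QUERY_OPCODE:
            continue
        if not m["qr"]:
            pending[m["id"]] = m
            continue
        log.append(_log_entry(pending.pop(m["id"], None), m))
    return log, sorted(pending)


def sample_messages():
    """Constructed capture: a query, its reply carrying one A and one SVCB (type 64)
    record, a question-less FORMERR reply, and an inverse query to be filtered out."""
    q = (struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
         + encode_name("example.com") + struct.pack("!HH", 1, 1))
    ptr = b"\xc0\x0c"                                   # pointer to the name at offset 12
    a_rr = ptr + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
    svcb_rr = ptr + struct.pack("!HHIH", 64, 1, 300, 3) + b"\x00\x01\x00"
    r = (struct.pack("!6H", 0x1234, 0x8180, 1, 2, 0, 0)
         + encode_name("example.com") + struct.pack("!HH", 1, 1) + a_rr + svcb_rr)
    formerr = struct.pack("!6H", 0x5678, 0x8001, 0, 0, 0, 0)   # QR, rcode 1, no question
    iquery = struct.pack("!6H", 0x9ABC, 0x0800, 0, 0, 0, 0)    # opcode 1 (IQUERY)
    return [parse_message(b) for b in (q, r, formerr, iquery)]


if __name__ == "__main__":
    msgs = sample_messages()
    print("count-based:", match_by_rr_count(msgs))
    print("end-based:  ", match_at_message_end(msgs))
```

Run stand-alone, the count-based matcher logs nothing and leaves query 0x1234 pending because the type-64 record never reaches the "decoded" tally, while the end-based matcher logs both replies, attaches `unknown_rr_types: [64]` to the first, and handles the header-only FORMERR reply without assuming a question is present.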

Seth Hall
February 10, 2014, 3:57 PM

Done

Merged

Assignee

Seth Hall

Reporter

Jon Siwek

Labels

None

External issue ID

None

Components

Fix versions

Affects versions

Priority

Normal