I’m trying to write a bro script that pulls out authoritative nameservers and additional records from DNS.
I think I need the dns_EDNS_addl event to get at that part of a DNS reply, since the dns_edns_additional structure seems like it has the information I’m looking for:
http://trac.bro-ids.org/sphinx-git/scripts/base/init-bare.html#type-dns_edns_additional
Unfortunately, it looks like dns_EDNS_addl isn’t implemented yet:
scripts/base/protocols/dns/main.bro
318 # TODO: figure out how to handle these
324 #event dns_EDNS_addl(c: connection, msg: dns_msg, ans: dns_edns_additional)
Has anyone worked out a way to grab this information from a DNS reply?
If not, could anyone point me in the right direction so that I can roll my own solution?
-Chris
The core analyzer part is implemented, the reason that comment is there is that I wasn't exactly sure how I should represent data from those events in the dns.log.
You can handle that event and get the data. Please get in touch with me if you have ideas or scripts that show how that data could be represented sanely in the dns.log.
thanks,
.Seth
I wrote a short bro script to test out dns_EDNS_addl:
event dns_EDNS_addl(c: connection, msg: dns_msg, ans: dns_edns_additional)
    {
    print c$uid;
    }
But nothing happens when I run the script over some pcap that has DNS with additional records.
I tried this with bro 2.1:
$ bro -v
bro version 2.1
Did the core analyzer part get implemented in an update on git after v 2.1?
I don't know. I thought those events were implemented, but perhaps not. It might be worthwhile looking through the analyzer itself to see if they are.
.Seth
I finally got around to giving this a try on bro 2.2, but it looks like dns_EDNS_addl is still unimplemented.
Nothing happens if I try the old script from earlier in this thread:
event dns_EDNS_addl(c: connection, msg: dns_msg, ans: dns_edns_additional)
    {
    print c$uid;
    }
To make things simpler, I tried this:
event dns_EDNS_addl(c: connection, msg: dns_msg, ans: dns_edns_additional)
    {
    print "Additional";
    }
Nothing happens with either script.
I would be happy to take a stab at implementing this myself. I’m OK with writing some C or some C++, but I’m not really familiar with how something in Bro scriptland ultimately ends up calling code in the compiled part of bro.
I ran a grep over the bro 2.2 code base for dns_EDNS_addl, and these files seem to be the most promising candidates for where I’d need to add some of my own code to get this function implemented:
src/analyzer/protocol/dns/events.bif
src/analyzer/protocol/dns/DNS.cc
build/src/analyzer/protocol/dns/events.bif.init.cc
build/src/analyzer/protocol/dns/events.bif.h
build/src/analyzer/protocol/dns/events.bif.cc
Am I on the right track?
If anybody has implemented one of these functions before, would you be willing to share any tips on what your process was? (i.e. which files did you have to modify, where did you put your logic, did you use any special compiler flags to recompile your changes, etc)
Also - does anybody have any pointers on how data flows between the compiled part of bro and scriptland?
-Chris
I finally got around to giving this a try on bro 2.2, but it looks like dns_EDNS_addl is still unimplemented.
It’s not integrated in the default DNS script, but the DNS parser does seem like it can generate that event.
Am I on the right track?
It’s not clear from your original email if you actually need EDNS support (a particular type of resource record) or just to get the stuff from the Authority and Additional sections of a DNS reply?
If it’s the latter, looking at scripts/policy/protocols/dns/auth-addl.bro may help (if it doesn't already do exactly what you want). You’ll see the trick in that script is the redefs of "dns_skip_all_auth" and "dns_skip_all_addl" — by default Bro will skip parsing Authority/Additional sections (for "performance reasons" I suppose) unless explicitly told not to.
- Jon
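The following is an added example, not code from this thread and not Bro's own auth-addl.bro: a stand-alone Bro 2.2 script that flips the two redefs Jon mentions, then uses the per-record reply events (dns_NS_reply, dns_A_reply, dns_AAAA_reply) together with dns_answer$answer_type to keep only records from the Authority and Additional sections and write them to a separate log. It also handles dns_EDNS_addl for the OPT pseudo-record, relying on Jon's statement that the parser can generate that event. The module name DNSAuthAddl, the Info record and the section_label/record_rr helpers are this example's own choices; the events, record fields and DNS_AUTH/DNS_ADDL constants are the ones defined in Bro's init-bare.bro and the DNS analyzer's events.bif.

```bro
# Added example (not from the thread or from Bro's own scripts).
# By default Bro does not parse the Authority and Additional sections
# (dns_skip_all_auth and dns_skip_all_addl default to T), so no per-RR
# event fires for them until these redefs turn that skipping off.
redef dns_skip_all_auth = F;
redef dns_skip_all_addl = F;

module DNSAuthAddl;

export {
    redef enum Log::ID += { LOG };

    # One line per Authority/Additional record; the log path is derived
    # from the module name by Log::create_stream.
    type Info: record {
        ts:      time     &log;
        uid:     string   &log;
        id:      conn_id  &log;
        section: string   &log;   # "AUTH" or "ADDL"
        query:   string   &log;   # owner name of the RR
        rtype:   string   &log;   # "NS", "A", "AAAA", "OPT"
        rdata:   string   &log;   # rdata rendered as a string
        ttl:     interval &log;
    };
}

# Map dns_answer$answer_type to a section label. Answer-section records
# (DNS_ANS) return "" and are left to the default dns.log.
function section_label(ans: dns_answer): string
    {
    if ( ans$answer_type == DNS_AUTH )
        return "AUTH";
    if ( ans$answer_type == DNS_ADDL )
        return "ADDL";
    return "";
    }

# Helper (this example's own): write one log line for a non-Answer RR.
function record_rr(c: connection, ans: dns_answer, rtype: string, rdata: string)
    {
    local sec = section_label(ans);
    if ( sec == "" )
        return;
    Log::write(LOG, [$ts=network_time(), $uid=c$uid, $id=c$id,
                     $section=sec, $query=ans$query, $rtype=rtype,
                     $rdata=rdata, $ttl=ans$TTL]);
    }

event bro_init()
    {
    Log::create_stream(LOG, [$columns=Info]);
    }

# Authoritative nameservers for a zone normally arrive as NS records in
# the Authority section of a referral or reply.
event dns_NS_reply(c: connection, msg: dns_msg, ans: dns_answer, name: string)
    {
    record_rr(c, ans, "NS", name);
    }

# Glue addresses for those nameservers arrive in the Additional section.
event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
    {
    record_rr(c, ans, "A", fmt("%s", a));
    }

event dns_AAAA_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
    {
    record_rr(c, ans, "AAAA", fmt("%s", a));
    }

# The EDNS OPT pseudo-record also lives in the Additional section; it has
# no section field of its own, so it is logged as ADDL unconditionally.
event dns_EDNS_addl(c: connection, msg: dns_msg, ans: dns_edns_additional)
    {
    Log::write(LOG, [$ts=network_time(), $uid=c$uid, $id=c$id,
                     $section="ADDL", $query=ans$query, $rtype="OPT",
                     $rdata=fmt("payload_size=%d version=%d",
                                ans$payload_size, ans$version),
                     $ttl=ans$TTL]);
    }
```

Run it as `bro -r some.pcap dns-auth-addl.bro` (the filename is arbitrary) and look for the new log file next to dns.log. The two redefs are the important part: with them left at their defaults neither the NS/A/AAAA events nor dns_EDNS_addl will fire for anything outside the Answer section, which is consistent with the "nothing happens" result earlier in the thread. Other record types that can appear in those sections (SOA, CNAME, TXT, and so on) have their own dns_*_reply events with the same dns_answer argument and can be added to record_rr in the same way.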
scripts/policy/protocols/dns/auth-addl.bro is exactly what I was looking for. Thanks!