Bro and Counting DNS rcodes

I am trying to use Bro to count DNS rcodes, but it is returning numbers that are not correct. I am using the dns_message() event to collect the DNS messages, and I am using a pcap of 5000 packets that are all on port 53. After inspecting the packets in wireshark, I found that there were ~600 query results where rcode == 3. However, after running my script, not only did Bro only find 1 rcode == 3, but it only counted 2497 DNS messages. Is there something that I am missing?

Attached is the script that I am using to collect the rcodes. If you see some glaring logical error, please let me know.


Connar Rosebraugh

Intern, Security Operations


test.bro.txt (6.79 KB)

Conner are you on 2.1? There was a bug that has been fixed in the current code base.

You could also simply summarize the existing dns.log with something like this:

[bro@new-host-3 dns-ad-bruteforce]$ less dns.log | bro-cut rcode rcode_name | sort | uniq -c | sort -n
32 - -
1704 0 NOERROR

The columns are Count / Return Code / Return Code Name.


Liam Randall