Hi, I am trying to detect if a dns request is made before its TTL has expired. For example, if I make a request to www.example.com and I immediately make another request towww.example.com before the TTL is up, I would like to see a notice for this. The code below compiles without errors but I am not getting any notice for the example explained above. I think there may be an issue with the TTL vector. I would like to store it in a vector the same way I did for dnsTime and dnsQuery. However, TTLs is already a vector of interval. Do you have any suggestions after viewing the code below? Thanks.
redef enum Notice:: Type+= {DetectDNSTTL}
global dnsTime: time;
global dnsQuery: string;
global dsnTTL: vector of interval;
global dnsTimeVector: vector of time;
global dnsQueryVector: vector of string;
global dnsTTLVector: vector of interval;
event dns_request (c:connection, msg: dns_msg, query: string, qtype: count, qclass: count)
{
dnsTime = c$dns$ts;
dnsQuery = c$dns$query;
dnsTTL = c$dns$TTLs;
dnsTimeVector = vector(dnsTime);
dnsQueryVector = vector(dnsQuery);
#save vector TTLs in dnsTTLVector
for (j in dnsTTL)
{
dnsTTLVector = vector(dnsTTL[j]);
}
#check if query is already in vector
for (i in dnsQueryVector)
{
if (dnsQuery == dnsQueryVector[i])
{
#Calculate the TTL expiration by adding the dns request TTL and time
local ttlExpiration = dnsTTLVector[i] + dnsTimeVector[i];
#Send a notice if dns request time is less than TTL expiration time
if (dnsTime <= ttlExpiration )
{
NOTICE([$note = DetectDNSTTL,
$msg = “DNS Request occurred before TTL expired”,
$conn = c] );
}
}
}
}