Howdy!
I’ve been working on detecting base64 encrypted DNS exfil with Bro and noticed that the default bro_dns.log makes all dns outbound calls lowercase. But since base64 is case sensitive I can’t decode the actual content anymore… This appears to be a function of the bif.strings.bro (https://www.bro.org/sphinx/scripts/base/bif/strings.bif.bro.html?highlight=lowercase#id-to_lower).
However, I was wondering if there is a method/switch for bro to report the DNS string as actually seen in the traffic? An example is shown below:
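An added example, not part of the original post or of Bro itself, that shows what the lowercasing does to a base64 label and one way to keep detecting on the lowercased query anyway. The query and its parent domain (exfil.example.com) are constructed for the example; the threshold values are assumptions that would need tuning against a real dns.log.

```python
import base64
import binascii
import math
from collections import Counter
from typing import Optional

# Constructed sample, not real traffic: the leftmost label carries
# base64("secret-data-1") with the '=' padding stripped, as an exfil
# tool typically sends it; the parent domain is hypothetical.
PAYLOAD = b"secret-data-1"
EXFIL_LABEL = base64.b64encode(PAYLOAD).rstrip(b"=").decode("ascii")
SAMPLE_QUERY = EXFIL_LABEL + ".exfil.example.com"


def leftmost_label(query: str) -> str:
    """Return the first DNS label of a query name."""
    return query.split(".", 1)[0]


def b64_label_decode(label: str) -> Optional[bytes]:
    """Decode a padding-stripped base64 label; None if it is not base64 at all."""
    padded = label + "=" * (-len(label) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def shannon_entropy(s: str) -> float:
    """Bits per character of s, from its own character frequencies."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_encoded_exfil(query: str, min_len: int = 16, min_entropy: float = 3.0) -> bool:
    """Case-insensitive heuristic: a long, high-entropy leftmost label.

    It lowercases first, so it gives the same answer for the query as seen
    on the wire and for the lowercased form written to dns.log. The
    min_len / min_entropy thresholds are assumed values, not tuned ones.
    """
    label = leftmost_label(query).lower()
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def demo() -> dict:
    """Compare the wire-form query with the lowercased form dns.log records."""
    wire = SAMPLE_QUERY
    logged = SAMPLE_QUERY.lower()  # what dns.log shows, per the post
    return {
        "wire_decodes": b64_label_decode(leftmost_label(wire)) == PAYLOAD,
        "logged_decodes": b64_label_decode(leftmost_label(logged)) == PAYLOAD,
        "wire_flagged": looks_like_encoded_exfil(wire),
        "logged_flagged": looks_like_encoded_exfil(logged),
        "benign_flagged": looks_like_encoded_exfil("www.example.com"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Once the case is gone the label still decodes as base64 (every lowercase letter is in the alphabet), it just decodes to the wrong bytes, so a decode-and-inspect detector silently produces garbage rather than failing loudly. The length/entropy check is deliberately case-insensitive and works on the logged form, but it is only a heuristic: long legitimate hostnames can clear an entropy threshold of 3.0 bits, so expect to tune it or combine it with per-source query volume.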