DNS and base64 woes

Ryan_Kovar · July 6, 2015, 7:38pm

Howdy!

I’ve been working on detecting base64 encrypted DNS exfil with Bro and noticed that the default bro_dns.log makes all dns outbound calls lowercase. But since base64 is case sensitive I can’t decode the actual content anymore… This appears to be a function of the bif.strings.bro (https://www.bro.org/sphinx/scripts/base/bif/strings.bif.bro.html?highlight=lowercase#id-to_lower).
However, I was wondering if there is a method/switch for bro to report the DNS string as actually seen in the traffic? Example is show below:

Seth_Hall3 · July 6, 2015, 8:45pm

Yes, this is a suboptimal behavior that has been a historic decision for a while now. We have similar changes in one or two other places as well. I filed a ticket to make sure we address this for 2.5.

https://bro-tracker.atlassian.net/browse/BIT-1431

.Seth

Topic		Replies	Views
DNS query logging Zeek	4	116	May 6, 2022
reverse DNS based on bro's forward DNS query log Zeek	3	86	May 6, 2022
Questions about Bro's DNS Parser Zeek	13	139	May 6, 2022
Not recording SOME dns lookups... Zeek	2	175	May 6, 2022
DNS request type empty Zeek	2	79	May 6, 2022

DNS and base64 woes

Related topics