How to filter machine name registration?

Hi,

I want to filter machine name registration on the 137/udp port: as you know, all traffic there is based on the NetBIOS protocol.

I've looked at the Bro source code and it seems that the traffic on this port is managed by the DNS analyzer and not directly by the NetBIOS analyzer.

How can I filter NetBIOS name service registrations?

Regards,

Vito

It all shows up in dns.log and you are given access to it through the various DNS events. Could you describe what you are trying to accomplish? Providing a packet capture and describing what you want to get out of it would be the most useful.

  .Seth

Thanks for your reply,

I'll try to explain my problem better.

I'm trying to log all NetBIOS name service registrations: as you suggested, I've filtered the DNS traffic on the 137/udp port and used a filter for a specific opcode (Netbios_registration == 5).

In this way I'm able to log all NetBIOS registrations, but I'm not able to discern a group name registration from a unique name registration.

Using Wireshark, I find this information in an additional record that I can't see in Bro.

For example, using this event:

    event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
        {
        print (msg$num_addl);
        }

I can see the presence of an additional record in the packet (msg$num_addl = 1), but I can't see its value.

How can I do this in Bro?

Thanks

Vito

redef dns_skip_all_addl=F;

Long ago there was a decision in the DNS analyzer to not process auth and addl records due to load issues. If you make the setting change that I recommended, you can get the extra DNS records.

  .Seth

I’ve tried your solution without any result.

Below you can see the Bro script that I've used.

-----Script.bro----

    module Scriptlog;

    redef dns_skip_all_addl = F;

    export {
        redef enum Log::ID += { LOG };

        type Info: record {
            ts:     time        &log;
            orig_h: addr        &log;
            orig_p: port        &log;
            resp_h: addr        &log;
            resp_p: port        &log;
            addl:   set[string] &log;
        };

        global Scriptlog_Log: event(rec: Info);
    }

    event bro_init() &priority=5
        {
        Log::create_stream(Scriptlog::LOG, [$columns = Info, $ev = Scriptlog_Log]);
        }

    event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count) &priority=5
        {
        if ( msg$num_addl != 0 )
            {
            local myinfo: Info;

            myinfo$ts     = network_time();
            myinfo$orig_h = c$id$orig_h;
            myinfo$orig_p = c$id$orig_p;
            myinfo$resp_h = c$id$resp_h;
            myinfo$resp_p = c$id$resp_p;
            myinfo$addl   = c$dns$addl;

            Log::write(Scriptlog::LOG, myinfo);
            }
        }

Oh, sorry. That was only part of the solution. Those records attached to the connection record are filled out by scripts, but we don't have scripts that deal with additional RRs. You will have to handle the appropriate events and write your own script to do something with the data.

  .Seth

Ok,

thanks for your reply.

Without any change to the source code, which event do you suggest using to handle this data?

An event that gives me the additional RRs as raw data would also be fine.

Vito

It depends on the RR type. You can look at the different events for the different RRs here:
  https://www.bro.org/sphinx/scripts/base/bif/plugins/Bro_DNS.events.bif.bro.html

I also forgot that there is a script that may add what you are looking for.
@load policy/protocols/dns/auth-addl

You may want to take a look at how that script works to see if it's doing what you want. (also, the DNS::do_reply hook is defined in the DNS scripts and not in the core analyzer)
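A script along the lines Seth describes, added here as an example and not code from this thread or from the Bro project: it clears dns_skip_all_addl and handles dns_unknown_reply for the additional records of registration requests (opcode 5) on 137/udp. It assumes that NB (type 32) records, which have no dedicated Bro event, are delivered through dns_unknown_reply; the NBNSReg module, the log stream and the helper function are my own names.

```bro
# Added example, not from the thread: log the additional RRs that Bro's
# DNS analyzer sees on NetBIOS name registration requests on 137/udp.
# Assumption: NB (type 32) records reach dns_unknown_reply, since the
# analyzer has no type-specific event for them.

module NBNSReg;

# Without this the analyzer skips the additional section entirely.
redef dns_skip_all_addl = F;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:      time    &log;
        id:      conn_id &log;
        name:    string  &log;   # name carried by the additional RR, as the analyzer decodes it
        qtype:   count   &log;   # RR type of the additional record (32 = NB)
        section: count   &log;   # DNS_ANSWER, DNS_AUTH or DNS_ADDL
    };
}

const NBNS_REGISTRATION = 5;     # NetBIOS name service opcode 5 = registration

event bro_init() &priority=5
    {
    Log::create_stream(NBNSReg::LOG, [$columns=Info]);
    }

# True only for registration requests sent to the name service port.
function is_nbns_registration(c: connection, msg: dns_msg): bool
    {
    return c$id$resp_p == 137/udp && msg$opcode == NBNS_REGISTRATION;
    }

event dns_unknown_reply(c: connection, msg: dns_msg, ans: dns_answer)
    {
    if ( ! is_nbns_registration(c, msg) )
        return;

    # Keep only records from the additional section of the registration.
    if ( ans$answer_type != DNS_ADDL )
        return;

    Log::write(NBNSReg::LOG, [$ts=network_time(), $id=c$id,
                              $name=ans$query, $qtype=ans$qtype,
                              $section=ans$answer_type]);
    }
```

The dns_answer record carries the RR header (name, type, class, TTL) but not the RDATA, so this logs which additional records a registration carries; the group/unique flag, which lives in the NB record's RDATA, is still not exposed by these events.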