How to check the length of DNS request packets?

Hi All,

I am going to write a script that detects DNS tunneling.

First the script checks all DNS request packets to see the length.
If the length of a DNS request packet exceeds a threshold, say, 255 bytes, then this packet will be sent for DPI to check the requested domain name.

The problem is the “dns_request” event does not provide packet length, which means, for every DNS request, I have to check the requested domain name. This is expensive.

If I use “raw_packet” or “new_packet” events, then every new packet will trigger an event, which is also expensive.

Is there a way that only triggers an event for a DNS request packet (e.g., based on the protocol and port number), and I can determine whether DPI is necessary for this DNS request packet based on its length?

I appreciate any input!

Best regards,
Hongda

Why do you say that it is expensive? Getting the length of a string in bro is an O(1) operation.
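As an added illustration of the point above (example code, not from anyone in this thread): a Bro script that gates the expensive per-query inspection on the O(1) length check inside the dns_request handler itself. It assumes the Bro 2.x dns_request signature and the split_string built-in; the module, notice and function names are hypothetical.

```zeek
##! Added example: cheap length gate first, label inspection only for
##! long queries. Assumes Bro 2.x dns_request(c, msg, query, qtype, qclass).
@load base/frameworks/notice

module DNSTunnelCheck;

export {
    redef enum Notice::Type += {
        ## A DNS query exceeded the length threshold and had a long label.
        Long_Query,
    };

    ## Queries at or below this many bytes are never inspected further.
    const query_len_threshold = 255 &redef;

    ## Any single label longer than this is treated as suspicious.
    const max_label_len = 40 &redef;
}

## The more expensive part: only reached for queries over the threshold.
function looks_like_tunneling(query: string): bool
{
    local labels = split_string(query, /\./);
    for ( i in labels )
    {
        if ( |labels[i]| > max_label_len )
            return T;
    }
    return F;
}

event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
{
    # |query| is O(1); the vast majority of lookups stop right here.
    if ( |query| <= query_len_threshold )
        return;

    if ( looks_like_tunneling(query) )
        NOTICE([$note=Long_Query,
                $msg=fmt("long DNS query (%d bytes) from %s", |query|, c$id$orig_h),
                $sub=query,
                $conn=c,
                $identifier=cat(c$id$orig_h)]);
}
```

Loading this with `bro -r trace.pcap dns_tunnel_check.bro` writes a notice per originating host (suppressed by $identifier) for long queries carrying an oversized label.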

Thanks, Justin.

But I am worried about the cost of DPI, since the dns_request event contains dns_msg, the query string and much other information that is not necessary when I only look at the length of the packet.

For most of the DNS request packets, I would like to check the length. Only those packets with greater length will be checked for querying strings.

Can I specify a filter that only checks the length of DNS request, like BPF, to the live traffic in my policy script?

Best regards,
Hongda

> I am going to write a script that detects DNS tunneling.

BTW, if it's not on your radar you should check out our paper on doing this:

  http://www.icir.org/vern/papers/covert-dns-usec13.pdf

In general, finding tunneling is much more involved than looking for
long lookups, for example.

    Vern