How to use the table and queue in Bro

Hi All,

I am a new user of Bro. Recently, I have been trying to use Bro to look at reverse lookup searching. Therefore, I would like to save all reverse lookup packets into a queue or array based on the source address. When the next incoming packet arrives, I will check the source address; if I have this record, then I will compare the current packet with the previous reverse lookup packets.

I found an example in /dns/main.bro where I can use the table and queue together. So I have defined my table "checking" in the following structure:

type State: record {
    checking: table[addr] of Queue::Queue;
    finished_answers: set[count];
};

I also modified bro/base/protocol/dns/main.bro and added my logic inside the dns_request event. I check the DNS query; if the query is a reverse lookup query, I process the following logic:

# tmpString is the query string passed to the dns_request event (assumed from the description)
local tmpString = query;

if ( c$id$orig_h !in c$dns_state$checking )
    c$dns_state$checking[c$id$orig_h] = Queue::init();

if ( Queue::len(c$dns_state$checking[c$id$orig_h]) != 0 )
    {
    # Queue::peek returns 'any', so the local is typed explicitly as string
    local tmpString1: string = Queue::peek(c$dns_state$checking[c$id$orig_h]);
    local startIndex = 0;

    # checking the search pattern
    startIndex = strstr(tmpString, tmpString1);
    startIndex = strstr(tmpString1, tmpString);
    }

Queue::put(c$dns_state$checking[c$id$orig_h], tmpString);

I have a problem with " if ( c$id$orig_h !in c$dns_state$checking ) ": I find that for every new reverse lookup request, my code initiates a new queue, and the IF condition ( if ( c$id$orig_h !in c$dns_state$checking ) ) hasn't been applied to my code, because I have some packets from the same source address.

So I am confused, because I have used the source address as the index for the table, and for every incoming packet I check whether I have the source address in the table or not.

If you have any ideas, could you please let me know? Many thanks for your time to read my email.
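The following is an added example, not code from the original post or from Bro's own dns/main.bro, showing the same table-of-queues pattern with the table declared at script scope. Because `c$dns_state` is stored on the connection record, a table kept inside it is scoped to one connection; a table declared at script level keyed by `addr` persists across all DNS connections from the same source. The module name, the `max_per_source` limit, the 10-minute expiry and the `print` reporting are assumptions chosen for illustration.

```bro
##! Track reverse-lookup (PTR-style) query names per source address
##! across connections. Added example; names here are hypothetical.

@load base/utils/queue

module ReverseLookupTrack;

export {
    ## Queue of recent reverse lookup query names, keyed by source address.
    ## Declared at script scope (not inside c$dns_state) so it survives
    ## across separate DNS connections. Idle entries expire after 10 minutes
    ## (assumed value) so the table does not grow without bound.
    global checking: table[addr] of Queue::Queue &create_expire=10 mins;

    ## Maximum number of query names retained per source (assumed value).
    const max_per_source = 50 &redef;
}

## True when the query name is a reverse lookup (IPv4 or IPv6 reverse zone).
function is_reverse_lookup(query: string): bool
    {
    local q = to_lower(query);
    return /\.in-addr\.arpa$/ in q || /\.ip6\.arpa$/ in q;
    }

event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
    {
    if ( ! is_reverse_lookup(query) )
        return;

    local src = c$id$orig_h;

    # Create the per-source queue only on the first reverse lookup from src;
    # later lookups from the same address reuse it, whatever connection they arrive on.
    if ( src !in checking )
        checking[src] = Queue::init([$max_len=max_per_source]);

    # Queue::Queue is a record, so q refers to the same object stored in the table.
    local q = checking[src];

    if ( Queue::len(q) != 0 )
        {
        # Queue::peek returns 'any' and yields the element that would be
        # dequeued next, so the local is typed explicitly as string.
        local prev: string = Queue::peek(q);

        # strstr returns 0 when the second string is not found in the first.
        if ( strstr(query, prev) != 0 || strstr(prev, query) != 0 )
            print fmt("%s: reverse lookup %s overlaps earlier query %s", src, query, prev);
        }

    Queue::put(q, query);
    }
```

With `max_len` set, the queue drops its oldest entries once the limit is reached, and `&create_expire` removes sources that have stopped issuing reverse lookups, so memory stays bounded on a busy sensor.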