Hi All,
I am a new user of Bro. Recently, I have been trying to use Bro to look at reverse lookup searches. Therefore, I would like to save all reverse lookup packets into a queue or array based on the source address. When the next incoming packet arrives, I will check the source address; if I have this record, then I will compare the current packet with the previous reverse lookup packets.
I found an example in /dns/main.bro that I can use the table and queue together. So I have defined my table “checking” with the following structure.
    type State: record {
        checking: table[addr] of Queue::Queue;
        finished_answers: set[count];
    };
I also modified bro/base/protocol/dns/main.bro and added my logic inside the dns_request event. I check the DNS query, and if the query is a reverse lookup query, I process the following logic:
    # tmpString is assumed to hold the current reverse-lookup query string
    # (its definition is not part of the excerpt).
    if ( c$id$orig_h !in c$dns_state$checking )
        {
        c$dns_state$checking[c$id$orig_h] = Queue::init();
        }

    if ( Queue::len(c$dns_state$checking[c$id$orig_h]) != 0 )
        {
        # Queue::peek returns 'any', so give the local an explicit string type.
        local tmpString1: string = Queue::peek(c$dns_state$checking[c$id$orig_h]);
        local startIndex = 0;

        # Check the search pattern: strstr(big, little) returns the position of
        # little inside big (1-based), or 0 if it does not occur.
        if ( |tmpString1| > |tmpString| )
            {
            startIndex = strstr(tmpString1, tmpString);
            }
        else
            {
            startIndex = strstr(tmpString, tmpString1);
            }
        }

    Queue::put(c$dns_state$checking[c$id$orig_h], tmpString);
I have a problem with " if (c$id$orig_h !in c$dns_state$checking) ": I find that for every new reverse lookup request, my code initiates a new queue, and the IF condition ( if (c$id$orig_h !in c$dns_state$checking) ) is never applied in my code, even though I have some packets from the same source address.
So I am confused, because I have used the source address as the index for the table, and for every incoming packet I check whether I have the source address in the table or not.
If you have any ideas, could you please let me know? Many thanks for your time to read my email.
Regards,
Steven
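An added example (not Steven's code and not from the Bro distribution) of the same per-source tracking written as a stand-alone script. The `c$dns_state` record in the post is attached to a single connection, so a table stored there only ever sees that connection's requests; here the table is a global keyed by source address, so it persists across DNS connections. The module name, the `checking` table, its expiry, and the `max_per_host` limit are all assumptions for the example.

```zeek
# Track reverse-lookup (PTR) queries per source address across connections.
module ReverseLookupTrack;

export {
    ## Recent reverse-lookup query names seen from each source address.
    ## Global rather than per-connection; entries expire 10 minutes after
    ## the last write (assumed retention for this example).
    global checking: table[addr] of Queue::Queue &write_expire=10min;

    ## Keep at most this many queries per source address (assumed limit).
    const max_per_host = 10 &redef;
}

# Returns T when the query name is a reverse lookup (in-addr.arpa / ip6.arpa).
function is_reverse_lookup(query: string): bool
    {
    local q = to_lower(query);
    return /\.in-addr\.arpa$/ in q || /\.ip6\.arpa$/ in q;
    }

event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
    {
    # 12 is the PTR query type.
    if ( qtype != 12 || ! is_reverse_lookup(query) )
        return;

    local src = c$id$orig_h;

    # Only the first request from a source creates its queue; later requests
    # from the same address (any connection) reuse it.
    if ( src !in checking )
        checking[src] = Queue::init([$max_len=max_per_host]);

    if ( Queue::len(checking[src]) > 0 )
        {
        # Queue::peek returns 'any'; declare the local as string explicitly.
        local prev: string = Queue::peek(checking[src]);
        local pos = 0;

        # strstr(big, little): 1-based position of little in big, 0 if absent.
        if ( |prev| > |query| )
            pos = strstr(prev, query);
        else
            pos = strstr(query, prev);

        if ( pos > 0 )
            print fmt("%s: reverse lookup %s overlaps earlier %s", src, query, prev);
        }

    Queue::put(checking[src], query);
    }
```

Load the script alongside the DNS analyzer (for example via `bro -r trace.pcap reverse_track.bro`, with the file name being your own choice); because the queue lives in a global table, the `!in` check behaves as intended when several connections come from the same host.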