invoking an analyzer without the default policy script?

I would like to be able to write nothing but

event dns_request(c: connection, msg: dns_msg, query: string, qtype: count,
                    qclass: count) {
    print fmt("dns: %s", query);
}

in my policy script, and get a print out for every DNS request... but
this dns_request handler does not get called unless I add

@load dns

at the top.

I don't really want all the other stuff that comes with the dns.bro
script. Is there any way around this?

Thanks,
Mike

Most likely you haven't set the capture filter to include DNS
packets into the analysis. Try adding this to your script (which is
from dns.bro):

redef capture_filters += {
    ["dns"] = "port 53",
    ["netbios-ns"] = "udp port 137",
};

Robin

I gave that a shot, but still didn't see any output.

I did have success by adding the following:

global dns_ports = { 53/udp, 53/tcp, 137/udp };
redef dpd_config += { [ANALYZER_DNS] = [$ports = dns_ports] };

(also from dns.bro), and that triggered my event handler for dns_request.
Note this seemed to work with and without redefining the capture filters.

Any ideas why this is the case? Particularly, am I only going to be
able to implement my custom event handlers for analyzers that are part of
the DPD framework?

Many thanks,
Mike

> I did have success by adding the following:
>
> global dns_ports = { 53/udp, 53/tcp, 137/udp };
> redef dpd_config += { [ANALYZER_DNS] = [$ports = dns_ports] };
>
> (also from dns.bro), and that triggered my event handler for dns_request.
> Note this seemed to work with and without redefining the capture filters.
>
> Any ideas why this is the case?

Afaik, this is exactly the way to enable a DPD-enabled analyzer.
http://www.bro-ids.org/wiki/index.php/DynamicProtocolDetection#Using_the_new_analyzer_framework

Likely, your capture filter is already set up to capture the relevant
packets anyway, so needs no special tweaking. (One of the best tips ever
regarding this stuff is to test the resulting filter by adding
"print-filter" at the end of your list of policy files specified at the
command line.)

> Particularly, am I only going to be
> able to implement my custom event handlers for analyzers that are part of
> the DPD framework?

No, you can generally expect to use your own event handlers for the
other analyzers as well, unless these were somehow designed to require
substantial policy code.

Cheers,
Christian

Ah, sorry, I forgot that. Actually you need both, the right packet
filter and the dpd_config. As Christian noted, your packet filter
might already be right if you're not loading any other scripts
(because then Bro uses the default filter "tcp or udp or icmp").

Robin
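Putting the pieces from the replies together, here is a complete minimal policy script as an added example; it is not code from the thread or from dns.bro itself, although the two `redef` blocks are the ones quoted above. It assumes the Bro 1.x syntax used in the thread (`capture_filters`, `dpd_config`, `ANALYZER_DNS`) and that the script is saved under an assumed name such as `dns-min.bro`.

```bro
# Minimal stand-alone Bro policy script (added example, not from the thread).
# It carries the three things the replies say are needed: a packet filter
# that lets DNS traffic into the analysis, the DPD port registration that
# attaches the DNS analyzer, and the event handler itself.

# 1. Capture filter: without this, DNS packets may never reach the analyzer
#    once other scripts have narrowed the default "tcp or udp or icmp" filter.
redef capture_filters += {
    ["dns"] = "port 53",
    ["netbios-ns"] = "udp port 137",
};

# 2. DPD configuration: tell the framework which ports the DNS analyzer
#    should be instantiated on.
global dns_ports = { 53/udp, 53/tcp, 137/udp };
redef dpd_config += { [ANALYZER_DNS] = [$ports = dns_ports] };

# 3. The handler: one line per request, including the querying host and the
#    query type, so the output is usable as a simple DNS activity log.
event dns_request(c: connection, msg: dns_msg, query: string, qtype: count,
                  qclass: count)
{
    print fmt("dns: %s -> %s query=%s qtype=%d",
              c$id$orig_h, c$id$resp_h, query, qtype);
}
```

Following Christian's tip, appending `print-filter` to the list of policy files (for example `bro -r trace.pcap dns-min.bro print-filter`, with the trace name assumed) prints the effective capture filter, which is the quickest way to confirm that port 53 traffic is actually being admitted before suspecting the DPD side.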