JustinAzoff/bro-pdns

Has anyone had any luck getting this passive dns script to work? I can’t seem to get any of the data from Bro to get into the mysql server. Has anyone gotten this to work and have any tips or tricks to get it working?

https://github.com/JustinAzoff/bro-pdns

I was using it with mysql, but performance was not so good.
Some time ago I wrote to Justin and he told me he was rewriting the code: https://github.com/JustinAzoff/bro-pdns/tree/go-rewrite

Hi :slight_smile:

Yes.. the python version worked, but the performance when using remote databases was not that good. It was also really hard for people to install correctly.

Also, it turned out that using the log postprocessor to execute the tool during log rotation was really fragile.

I re-wrote it as a simpler tool that can just read existing bro log archives instead of needing to be run from bro.

I implemented a sqlite and a postgresql backend, but haven't done mysql yet. It's fully functional, but it needs some polishing.

$ ./bro-pdns index big.log
2016/11/14 10:44:11 big.log: Aggregation: Duration=3.9 TotalRecords=1058400 SkippedRecords=0 Tuples=1496 Individual=1962
2016/11/14 10:44:11 batch: Store: Duration=0.1 Inserted=3458 Updated=0
$ ./bro-pdns index big.log
2016/11/14 10:55:35 big.log: Already indexed
$ ./bro-pdns like tuple google.com|head
Query Type Answer Count TTL First Last
clients3.google.com A 173.194.46.64 144 70 2014-03-14 14:31:06 2014-03-14 14:31:06
clients3.google.com A 173.194.46.65 144 70 2014-03-14 14:31:06 2014-03-14 14:31:06
clients3.google.com A 173.194.46.66 144 70 2014-03-14 14:31:06 2014-03-14 14:31:06

$ ./bro-pdns web --listen :8081&
[1] 7449
2016/11/14 10:51:59 Listening on ":8081"

$ curl -s localhost:8081/dns/like/tuples/173.194.46.64 | jq . | head
[
  {
    "Last": "2014-03-14 14:31:20",
    "First": "2014-03-14 14:31:20",
    "TTL": 300,
    "Count": 288,
    "Answer": "173.194.46.64",
    "Type": "A",
    "Query": "maps.google.nl"
  },

Indexing all bro logs currently involves a find -name 'dns.*' | xargs -n 50 bro-pdns index
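To make the indexing step concrete, here is an added, self-contained Python example (written for this thread, not the bro-pdns project's own code) that does what the `index` and `like` commands above describe: it parses a Bro dns.log by its `#fields` header, aggregates (query, type, answer) tuples with count, last TTL, first and last seen, keeps "individual" counts for query names and answers on their own, and upserts everything into SQLite. The table layout (a `tuples` table and an `individual` table keyed by a which/value pair), the `indexed_files` table that reproduces the "Already indexed" behaviour, and the subset of dns.log columns used are all my assumptions; the sample log is constructed, with timestamps chosen to land on the same 2014-03-14 14:31 UTC minute as the output in the thread.

```python
"""Minimal passive-DNS indexer in the spirit of bro-pdns (example code written for
this thread, not the project's implementation): parse a Bro/Zeek dns.log,
aggregate tuples and individual query/answer counts, upsert into SQLite."""
import sqlite3
from datetime import datetime, timezone
from typing import Dict, Iterator, List, Optional

# Constructed sample in Bro dns.log layout (tab-separated, '#' header lines);
# only the columns this indexer needs are included.  Record 4 has no answers,
# record 5 has no query name at all.
SAMPLE_DNS_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tquery\tqtype_name\tanswers\tTTLs",
    "1394807466.000000\tC1\t10.0.0.5\tclients3.google.com\tA\t173.194.46.64,173.194.46.65\t70.0,70.0",
    "1394807480.000000\tC2\t10.0.0.6\tmaps.google.nl\tA\t173.194.46.64\t300.0",
    "1394807500.000000\tC3\t10.0.0.5\tclients3.google.com\tA\t173.194.46.64\t70.0",
    "1394807510.000000\tC4\t10.0.0.7\texample.test\tA\t-\t-",
    "1394807520.000000\tC5\t10.0.0.7\t-\t-\t-\t-",
    "#close\t2014-03-14-14-32-00",
])

# Assumed schema: tuples keyed by (query, type, answer); individual keyed by
# which ('Q' for query names, 'A' for answers) and value.
SCHEMA = """
CREATE TABLE IF NOT EXISTS tuples (query TEXT, type TEXT, answer TEXT, count INTEGER,
    ttl INTEGER, first TEXT, last TEXT, PRIMARY KEY (query, type, answer));
CREATE TABLE IF NOT EXISTS individual (which TEXT, value TEXT, count INTEGER,
    first TEXT, last TEXT, PRIMARY KEY (which, value));
CREATE TABLE IF NOT EXISTS indexed_files (name TEXT PRIMARY KEY);
"""


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def parse_dns_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per data line, keyed by the names in the #fields header."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            yield dict(zip(fields, line.split("\t")))


def fmt(ts: float) -> str:
    """Bro epoch seconds -> 'YYYY-MM-DD HH:MM:SS' in UTC (sorts lexicographically)."""
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def _bump(table: dict, key: tuple, ts: str) -> None:
    row = table.setdefault(key, [0, ts, ts])          # [count, first, last]
    row[0] += 1; row[1] = min(row[1], ts); row[2] = max(row[2], ts)


def aggregate(records: Iterator[Dict[str, str]]):
    """Collapse raw records into tuple and individual aggregates, plus counters."""
    tuples: dict = {}
    individual: dict = {}
    total = skipped = 0
    for rec in records:
        total += 1
        query = rec.get("query", "-")
        if query in ("-", ""):
            skipped += 1                  # nothing to index without a query name
            continue
        ts = fmt(float(rec["ts"]))
        _bump(individual, ("Q", query), ts)
        if rec.get("answers", "-") == "-":
            continue                      # NXDOMAIN etc.: query counted, no tuples
        answers = rec["answers"].split(",")
        ttls = rec.get("TTLs", "-").split(",")
        if len(ttls) != len(answers):
            ttls = ["0"] * len(answers)   # TTL vector missing or malformed
        for answer, ttl in zip(answers, ttls):
            _bump(individual, ("A", answer), ts)
            row = tuples.setdefault((query, rec.get("qtype_name", "-"), answer), [0, 0, ts, ts])
            row[0] += 1; row[1] = int(float(ttl)); row[2] = min(row[2], ts); row[3] = max(row[3], ts)
    stats = {"TotalRecords": total, "SkippedRecords": skipped,
             "Tuples": len(tuples), "Individual": len(individual)}
    return tuples, individual, stats


def store(conn: sqlite3.Connection, tuples: dict, individual: dict):
    """Upsert aggregates: add counts, keep earliest first / latest last, newest TTL."""
    inserted = updated = 0
    for (q, t, a), (count, ttl, first, last) in tuples.items():
        cur = conn.execute("UPDATE tuples SET count=count+?, ttl=?, first=min(first,?), "
                           "last=max(last,?) WHERE query=? AND type=? AND answer=?",
                           (count, ttl, first, last, q, t, a))
        if cur.rowcount:
            updated += 1
        else:
            conn.execute("INSERT INTO tuples VALUES (?,?,?,?,?,?,?)", (q, t, a, count, ttl, first, last))
            inserted += 1
    for (which, value), (count, first, last) in individual.items():
        cur = conn.execute("UPDATE individual SET count=count+?, first=min(first,?), "
                           "last=max(last,?) WHERE which=? AND value=?",
                           (count, first, last, which, value))
        if cur.rowcount:
            updated += 1
        else:
            conn.execute("INSERT INTO individual VALUES (?,?,?,?,?)", (which, value, count, first, last))
            inserted += 1
    conn.commit()
    return inserted, updated


def index_log(conn: sqlite3.Connection, name: str, text: str) -> Optional[dict]:
    """Index one log once; returns None when the name was already indexed."""
    if conn.execute("SELECT 1 FROM indexed_files WHERE name=?", (name,)).fetchone():
        return None
    tuples, individual, stats = aggregate(parse_dns_log(text))
    stats["Inserted"], stats["Updated"] = store(conn, tuples, individual)
    conn.execute("INSERT INTO indexed_files VALUES (?)", (name,))
    conn.commit()
    return stats


def like_tuples(conn: sqlite3.Connection, pattern: str) -> list:
    """Substring search over both query names and answers, like 'bro-pdns like tuple'."""
    like = f"%{pattern}%"
    return conn.execute("SELECT query, type, answer, count, ttl, first, last FROM tuples "
                        "WHERE query LIKE ? OR answer LIKE ? ORDER BY query, answer",
                        (like, like)).fetchall()


if __name__ == "__main__":
    db = open_db()
    print(index_log(db, "big.log", SAMPLE_DNS_LOG))
    print(index_log(db, "big.log", SAMPLE_DNS_LOG))   # None: already indexed
    for row in like_tuples(db, "173.194.46.64"):
        print(*row)
```

The `indexed_files` check is what makes a `find -name 'dns.*' | xargs -n 50` style run safe to repeat over the same archive directory: already-seen files are skipped instead of double-counting. Searching by answer (`like_tuples(db, "173.194.46.64")`) is the pivot that passive DNS is usually kept for, turning an IP seen in other logs back into every name that resolved to it and when.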