Scripts FastFlux

I've initiated a pull request for jlay's repo on GitHub to include the ffluxDNS.bro script. This is an update of Seth Hall's original script to work in Bro 2.3. It is also attached. I replaced the custom log file with notices. More work needs to be done with it, but it is working in my environment.

Has anyone written a script to detect oversized DNS requests? If not, which event/hook would be the best method for checking for these? Thanks.

ffluxDNS.bro (4.06 KB)