Using Bro to detect DNS lookups in given timeframe

Does Bro have anything built-in for the following scenario:

· Detecting if a network device is looking up over 50 DNS entries in a 1 hour timeframe

Samson Hille

IT Security Analyst

There is nothing built in right now, but it would be pretty easy to write a script to do it. Here’s a quick one...

event bro_init()
  local r1 = SumStats::Reducer($stream="too_much_dns.recursive_requests", $apply=set(SumStats::SUM));
                    $threshold_val(key: SumStats::Key, result: SumStats::Result) =
                      return result["too_much_dns.recursive_requests"]$sum;
                    $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
                      local r = result["too_much_dns.recursive_requests"];
                      local dur = duration_to_mins_secs(r$end-r$begin);
                      local message = fmt("%s did at least %.0f recursive DNS requests in %s", key$host, r$sum, dur);
                      print message;

event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
  if ( msg$RD )
    SumStats::observe("too_much_dns.recursive_requests", [$host=c$id$orig_h], [$num=1]);