Using Bro to detect DNS lookups in given timeframe

Does Bro have anything built-in for the following scenario:

· Detecting if a network device is looking up over 50 DNS entries in a 1 hour timeframe

Samson Hille

IT Security Analyst

There is nothing built in right now, but it would be pretty easy to write a script to do it. Here’s a quick one...

event bro_init()
  {
  # One SUM reducer counts observations on the "recursive_requests" stream.
  local r1 = SumStats::Reducer($stream="too_much_dns.recursive_requests", $apply=set(SumStats::SUM));
  SumStats::create([$name="too_much_dns",
                    # Counters reset every hour, matching the 1 hour window in the question.
                    $epoch=1hr,
                    $reducers=set(r1),
                    $threshold_val(key: SumStats::Key, result: SumStats::Result) =
                      {
                      return result["too_much_dns.recursive_requests"]$sum;
                      },
                    # Set low here for a quick test; raise to 50.0 for the scenario in the question.
                    $threshold=5.0,
                    $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
                      {
                      local r = result["too_much_dns.recursive_requests"];
                      local dur = duration_to_mins_secs(r$end-r$begin);
                      local message = fmt("%s did at least %.0f recursive DNS requests in %s", key$host, r$sum, dur);
                      print message;
                      }]);
  }

# Every recursive (RD flag set) query is one observation keyed by the client address.
event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
  {
  if ( msg$RD )
    SumStats::observe("too_much_dns.recursive_requests", [$host=c$id$orig_h], [$num=1]);
  }
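The same per-host, per-hour counting can be run offline against a Bro dns.log, which is useful for checking what threshold fits a network before deploying the live script. The following is an added example, not part of the reply above and not Bro project code: it parses the tab-separated log by its #fields header, keys recursive (RD=T) queries by (client address, hour bucket) exactly as the SumStats reducer does, and reports hosts whose count reaches the threshold together with the span between their first and last query. The sample log is constructed inline and trimmed to the four columns the logic needs; the function and host names are the example's own.

```python
from collections import defaultdict

EPOCH_SECONDS = 3600   # $epoch=1hr in the Bro script
THRESHOLD = 50         # the 50-per-hour figure from the question


def parse_bro_log(text):
    """Parse Bro's tab-separated log format, naming columns from the #fields header."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):          # #separator, #types, #close, ... are ignored
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def count_recursive_queries(rows, epoch=EPOCH_SECONDS):
    """Mirror the reducer: SUM of RD=T queries keyed by (orig_h, epoch bucket).

    Returns (counts, bounds) where bounds holds the first/last timestamp per key,
    the equivalent of r$begin / r$end in the Bro result."""
    counts = defaultdict(int)
    bounds = {}
    for r in rows:
        if r.get("RD") != "T":            # same filter as `if ( msg$RD )`
            continue
        ts = float(r["ts"])
        key = (r["id.orig_h"], int(ts // epoch))
        counts[key] += 1
        lo, hi = bounds.get(key, (ts, ts))
        bounds[key] = (min(lo, ts), max(hi, ts))
    return counts, bounds


def duration_to_mins_secs(seconds):
    """Same "<m>m<s>s" rendering as Bro's duration_to_mins_secs()."""
    m, s = divmod(int(seconds), 60)
    return f"{m}m{s}s"


def find_threshold_crossings(counts, bounds, threshold=THRESHOLD):
    """Return (host, count, duration) for every key whose SUM reached the threshold.

    SumStats fires when the value is >= $threshold, so the same comparison is used."""
    alerts = []
    for (host, bucket), n in sorted(counts.items()):
        if n >= threshold:
            begin, end = bounds[(host, bucket)]
            alerts.append((host, n, duration_to_mins_secs(end - begin)))
    return alerts


def build_sample_log():
    """Constructed dns.log excerpt (not captured traffic), trimmed to four columns."""
    lines = ["#fields\tts\tid.orig_h\tquery\tRD"]
    base = 1400000400.0   # a multiple of 3600, so all rows fall in one hour bucket
    # 10.0.0.5: 60 recursive lookups over ~30 minutes -> crosses the threshold
    for i in range(60):
        lines.append(f"{base + i * 30:.6f}\t10.0.0.5\thost{i}.example.test\tT")
    # 10.0.0.6: 10 recursive lookups -> stays below the threshold
    for i in range(10):
        lines.append(f"{base + i * 60:.6f}\t10.0.0.6\tmail.example.test\tT")
    # 10.0.0.7: 70 non-recursive lookups (RD=F) -> ignored, as in the Bro script
    for i in range(70):
        lines.append(f"{base + i * 20:.6f}\t10.0.0.7\tns.example.test\tF")
    return "\n".join(lines)


if __name__ == "__main__":
    rows = parse_bro_log(build_sample_log())
    counts, bounds = count_recursive_queries(rows)
    for host, n, dur in find_threshold_crossings(counts, bounds):
        print(f"{host} did at least {n} recursive DNS requests in {dur}")
```

One difference to keep in mind when comparing results: the live SumStats script raises the alert the moment the count reaches the threshold inside the epoch, whereas this offline pass reports the total for the whole hour bucket, so the duration it prints can be longer than the one the Bro message shows.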