6.1.9 dns.bro

actually_rejected_PTR_anno : set[string]

Annotations that, if returned for a PTR lookup, actually indicate a rejected query; for example, "illegal-address.lbl.gov".
Note: This variable is const, so may only be changed via redef.

sensitive_lookup_hosts : set[addr]

Hosts in this set generate an alert when they are returned in PTR queries, unless the originating host is in okay_to_lookup_sensitive_hosts.
Note: This variable is const, so may only be changed via redef.

okay_to_lookup_sensitive_hosts : set[addr]

If the DNS request originator is in this set, then it is allowed to look up “sensitive” hosts (see also sensitive_lookup_hosts) without causing an alert.

dns_log : file

The file into which DNS-related alerts are written.

dns_sessions : table[addr, addr] of dns_session_info

A table of outstanding DNS sessions indexed by [client IP, server IP]. Fixme: Need to illustrate dns_session_info.

num_dns_sessions : count

The total number of entries that have ever been in the table.

distinct_PTR_requests : table[addr, string] of count

The number of DNS PTR requests observed with the given source address and request string.

distinct_rejected_PTR_requests : table[addr] of count

How many DNS PTR requests from the given source address were rejected. A report is generated if this number crosses a threshold, namely, report_rejected_PTR_thresh.

distinct_answered_PTR_requests : table[addr] of count

How many DNS PTR requests from the given source address were answered.

report_rejected_PTR_thresh : count

If this many DNS requests from a host are rejected, generate a possible PTR scan event.

report_rejected_PTR_factor : double

If DNS requests from a host are rejected more often than they are accepted by this factor, generate an event.

allow_PTR_scans : set[addr]

The set of hosts for which a PTR_scan event does not generate a report (that is, the scan is allowed).

did_PTR_scan_event : table[addr] of count

A table of hosts for which a PTR_scan event has been generated.
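The following is an added illustration, not code from dns.bro or the Bro distribution, of how the counters and tunables listed above fit together to flag a PTR scan. It models the variables under their names from this section and runs them over a constructed log of PTR replies. Assumptions not stated on this page: the threshold and factor values, the log line format (source, query name, rcode, answer), the rule that a reply counts as rejected when its rcode is not NOERROR or its answer appears in actually_rejected_PTR_anno, the decision to require both the threshold and the factor condition before reporting, and reporting each host only once via did_PTR_scan_event.

```python
"""Model of the PTR-scan heuristic described for dns.bro (added example, not Bro code)."""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class PTRScanDetector:
    # Tunables; the values are assumptions, the page states no defaults.
    report_rejected_PTR_thresh: int = 3
    report_rejected_PTR_factor: float = 2.0
    allow_PTR_scans: set = field(default_factory=set)
    actually_rejected_PTR_anno: set = field(
        default_factory=lambda: {"illegal-address.lbl.gov"})
    # State tables named after the variables in this section.
    distinct_PTR_requests: Counter = field(default_factory=Counter)
    distinct_rejected_PTR_requests: Counter = field(default_factory=Counter)
    distinct_answered_PTR_requests: Counter = field(default_factory=Counter)
    did_PTR_scan_event: Counter = field(default_factory=Counter)

    def is_rejected(self, rcode, answer):
        # Assumed classification: a non-NOERROR rcode, or a NOERROR reply whose
        # annotation is one the site treats as a rejection in disguise.
        return rcode != "NOERROR" or answer in self.actually_rejected_PTR_anno

    def observe(self, src, qname, rcode, answer):
        """Account for one PTR reply; return src if a scan report fires now."""
        self.distinct_PTR_requests[(src, qname)] += 1
        if self.is_rejected(rcode, answer):
            self.distinct_rejected_PTR_requests[src] += 1
        else:
            self.distinct_answered_PTR_requests[src] += 1
        return self.check(src)

    def check(self, src):
        rejected = self.distinct_rejected_PTR_requests[src]
        answered = self.distinct_answered_PTR_requests[src]
        if rejected < self.report_rejected_PTR_thresh:
            return None
        # Assumed combination: rejections must also outnumber answers by the factor.
        if rejected <= answered * self.report_rejected_PTR_factor:
            return None
        if src in self.allow_PTR_scans:          # scan is permitted for this host
            return None
        if src in self.did_PTR_scan_event:       # report each host only once
            return None
        self.did_PTR_scan_event[src] += 1
        return src


# Constructed sample log: "src qname rcode answer" per line ("-" = no answer).
SAMPLE_LOG = """\
192.168.1.10 1.1.168.192.in-addr.arpa NXDOMAIN -
192.168.1.20 5.1.168.192.in-addr.arpa NOERROR host5.example.net
192.168.1.10 2.1.168.192.in-addr.arpa NXDOMAIN -
192.168.1.20 6.1.168.192.in-addr.arpa NOERROR host6.example.net
192.168.1.10 3.1.168.192.in-addr.arpa NXDOMAIN -
192.168.1.20 7.1.168.192.in-addr.arpa NXDOMAIN -
192.168.1.20 8.1.168.192.in-addr.arpa NXDOMAIN -
192.168.1.20 9.1.168.192.in-addr.arpa NXDOMAIN -
192.168.1.10 4.1.168.192.in-addr.arpa NXDOMAIN -
10.0.0.5 1.2.168.192.in-addr.arpa NXDOMAIN -
10.0.0.5 2.2.168.192.in-addr.arpa NXDOMAIN -
10.0.0.5 3.2.168.192.in-addr.arpa NXDOMAIN -
192.168.1.30 10.1.168.192.in-addr.arpa NOERROR illegal-address.lbl.gov
192.168.1.30 11.1.168.192.in-addr.arpa NOERROR illegal-address.lbl.gov
192.168.1.30 12.1.168.192.in-addr.arpa NOERROR illegal-address.lbl.gov
"""


def run(log_text, detector):
    """Feed every log line to the detector; return the hosts reported, in order."""
    reports = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, qname, rcode, answer = line.split()
        hit = detector.observe(src, qname, rcode, answer)
        if hit:
            reports.append(hit)
    return reports


if __name__ == "__main__":
    det = PTRScanDetector(allow_PTR_scans={"10.0.0.5"})
    for host in run(SAMPLE_LOG, det):
        print("possible PTR scan from", host)
```

In the sample, 192.168.1.10 is reported after its third rejection, 192.168.1.20 is not (three rejections against two answers does not exceed the factor), 10.0.0.5 is suppressed by allow_PTR_scans, and 192.168.1.30 is reported even though every reply carried NOERROR, because the returned annotation is in actually_rejected_PTR_anno.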