[dns-operations] dnstop 'refused' filter
Seth Hall
hall.692 at osu.edu
Fri Jan 30 17:51:54 UTC 2009
On Jan 30, 2009, at 7:06 AM, Marco Davids wrote:
> I'd be very interested in a filter that will trigger on NXDOMAIN
> responses for MX queries.
If you're interested in getting your feet wet with a different tool,
here's a short script for the Bro intrusion detection system
(http://www.bro-ids.org) that accomplishes this.
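
    @load dns

    # Report MX queries whose reply carries the NXDOMAIN response code.
    event dns_query_reply(c: connection, msg: dns_msg, query: string,
                          qtype: count, qclass: count)
        {
        # Compare the names that the numeric query type and rcode map to.
        if ( query_types[qtype] == "MX" &&
             base_error[msg$rcode] == "NXDOMAIN" )
            {
            print fmt("MX query with NXDOMAIN reply: %s %s", id_string(c$id),
                      query);
            }
        }
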
.Seth
---
Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721
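
The same check applied directly to DNS wire-format messages, as an added example that is not part of the original post or of Bro. The function names and the sample messages are constructed for illustration; the type and rcode numbers are the RFC 1035 values.

```python
import struct

QTYPE_MX = 15        # RFC 1035 TYPE value for MX
RCODE_NXDOMAIN = 3   # RFC 1035 RCODE "Name Error"

def parse_question(msg: bytes):
    """Return (is_response, rcode, qname, qtype) for the first question."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            # Question names are not expected to use compression pointers.
            raise ValueError("compressed or invalid label in question")
        if pos + length > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    # QR is the top bit of the flags word, RCODE the low four bits.
    return bool(flags & 0x8000), flags & 0x000F, ".".join(labels), qtype

def is_mx_nxdomain(msg: bytes) -> bool:
    """True only for a response to an MX question with rcode NXDOMAIN."""
    try:
        is_resp, rcode, _name, qtype = parse_question(msg)
    except ValueError:
        return False  # malformed packets are not matches
    return is_resp and qtype == QTYPE_MX and rcode == RCODE_NXDOMAIN

def build(flags: int, name: str, qtype: int) -> bytes:
    """Construct a sample message: header plus one IN-class question."""
    q = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
    return header + q + b"\x00" + struct.pack("!HH", qtype, 1)
```
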