Wednesday, January 8, 2014

Using Bro DNS Logging for Network Management

I was recently asked if someone in our desktop support group could get alerted when certain laptops connected to the corporate network. We have a lot of employees who work at industrial locations and rarely connect their machines to our internal networks, so the support group likes to take those rare opportunities to do management tasks that aren't otherwise automated.

The two mechanisms that came to mind for alerting on these events are DHCP address assignment, and DNS autoregistration. While we do send DHCP logs to a central archive, the process of alerting on a frequently changing list of hostnames would be somewhat cumbersome. I have been looking for ways to use Bro for network management tasks, so this seemed like a natural use case.

We already had Bro instances monitoring DNS traffic for two of our central DNS servers. I don't fully understand how Windows DNS autoregistration works, but from looking at the Bro logs, it appears that the DHCP server sends a DNS SOA query to the central DNS servers containing the hostname of the device to which it assigns a lease.

I wanted to learn how to use the input framework in Bro 2.2, so I wrote the following script and loaded it from local.bro:

https://gist.github.com/jayswan/8321141
type Idx: record {
hostname: string;
};
export {
redef enum Notice::Type += {
DNS_ENTRY::Tracked_Hostname
};
}
global hostnames: set[string];
event bro_init() {
Input::add_table([$source="/opt/bro/share/bro/site/hostnames.txt",$name="hostnames",$idx=Idx,$destination=hostnames]);
}
event dns_request(c:connection, msg:dns_msg, query:string, qtype:count, qclass:count) {
if (qtype == 6) {
if (query in hostnames) {
when ( local hn = lookup_hostname(query)) {
NOTICE([$note=DNS_ENTRY::Tracked_Hostname,
$conn=c,
$msg=fmt("saw tracked hostname %s at %s",query,hn)]);
}
}
}
}
event bro_done() {
Input::remove("hostnames");
}
view raw hn.bro hosted with ❤ by GitHub

This raises a Bro notice whenever one of the hostnames in the hostnames.txt file is seen in a DNS SOA query. I then set up local.bro and broctl to email this notice type to the correct person.

This works for now, but I'd love to hear from any more experienced Bro programmers about better ways to do it.
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)