From 17d03c993648dc007827e158c3d5803d41e53366 Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Tue, 25 Oct 2011 16:20:29 -0400
Subject: [PATCH] Fix a problem with DNS servers being logged that aren't actually servers.

---
 scripts/policy/protocols/conn/known-services.bro | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/scripts/policy/protocols/conn/known-services.bro b/scripts/policy/protocols/conn/known-services.bro
index 557fe35fb2..9d58f3a9fb 100644
--- a/scripts/policy/protocols/conn/known-services.bro
+++ b/scripts/policy/protocols/conn/known-services.bro
@@ -62,14 +62,15 @@ function known_services_done(c: connection)
 c$known_services_done = T;
 if ( ! addr_matches_host(id$resp_h, service_tracking) ||
- "ftp-data" in c$service ) # don't include ftp data sessions
+ "ftp-data" in c$service || # don't include ftp data sessions
+ ("DNS" in c$service && c$resp$size == 0) ) # for dns, require that the server talks.
 return;
 # If no protocol was detected, wait a short
 # time before attempting to log in case a protocol is detected
 # on another connection.
 if ( |c$service| == 0 )
- schedule 2mins { log_it(network_time(), id$resp_h, id$resp_p, c$service) };
+ schedule 5min { log_it(network_time(), id$resp_h, id$resp_p, c$service) };
 else
 event log_it(network_time(), id$resp_h, id$resp_p, c$service);
 }
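Review bot: The delay change from `2mins` to `5min` on the `schedule` line is not mentioned in the commit message, and the comment directly above it still reads "wait a short time", so a reader cannot tell whether it is part of the DNS fix or an unrelated tuning change. Lifting the literal into a redefinable constant declared in the module's export block (outside this hunk), e.g. `const known_services_delay = 5min &redef;` and `schedule known_services_delay { log_it(network_time(), id$resp_h, id$resp_p, c$service) };`, would make the choice visible and overridable by site policy. The new `("DNS" in c$service && c$resp$size == 0)` test is scoped to DNS only; if the underlying cause is that a port-attached analyzer tags `c$service` before any reply is seen, other port-based analyzers would presumably show the same symptom, so a comment explaining why DNS alone is handled here would help the next maintainer. The enclosing `known_services_done` begins before the hunk, where `id` is bound.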