<div dir="ltr"><div dir="ltr">On Thu, Oct 3, 2019 at 8:38 AM Palumbo Mauro <<a href="mailto:mauro.palumbo@aizoon.it">mauro.palumbo@aizoon.it</a>> wrote:<br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div lang="IT">
<div class="gmail-m_-5402328215719621507WordSection1">
<p class="MsoNormal"><span lang="EN-US">Hi everybody,</span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US">I am having an issue with the intel.log file; I am getting duplicated lines for the same DNS request, such as:</span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US">#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p seen.indicator seen.indicator_type seen.where seen.node matched sources fuid file_mime_type file_desc cif.tags cif.confidence cif.source cif.description cif.firstseen cif.lastseen</span></p>
<p class="MsoNormal"><span lang="EN-US">#types time string addr port addr port string enum enum string set[enum] set[string] string string string string double string string string string</span></p>
<p class="MsoNormal"><span lang="EN-US">1570105259.197420 CP1BZx1QgzdPpfEyda 172.17.0.186 43283 172.16.1.10 53 <a href="http://opencalphad.com" target="_blank">opencalphad.com</a> Intel::DOMAIN DNS::IN_REQUEST worker-1 Intel::DOMAIN 0 - - - - 85.0 - - - -</span></p>
<p class="MsoNormal"><span lang="EN-US">1570105259.197420 CP1BZx1QgzdPpfEyda 172.17.0.186 43283 172.16.1.10 53 <a href="http://opencalphad.com" target="_blank">opencalphad.com</a> Intel::DOMAIN DNS::IN_REQUEST worker-1 Intel::DOMAIN 0 - - - - 85.0 - - - -</span></p>
<p class="MsoNormal"><span lang="EN-US">1570105259.207335 CJZASAQTB2qgPSYw7 172.17.0.186 59553 172.16.1.10 53 <a href="http://opencalphad.com" target="_blank">opencalphad.com</a> Intel::DOMAIN DNS::IN_REQUEST worker-1 Intel::DOMAIN 0 - - - - 85.0 - - - -</span></p>
<p class="MsoNormal"><span lang="EN-US">1570105259.211927 CJZASAQTB2qgPSYw7 172.17.0.186 59553 172.16.1.10 53 <a href="http://opencalphad.com" target="_blank">opencalphad.com</a> Intel::DOMAIN DNS::IN_REQUEST worker-1 Intel::DOMAIN 0 - - - - 85.0 - - </span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US">As you can see, some lines are identical, same uid, same worker, same timestamp, etc...</span></p></div></div></blockquote><div><br>The usual case for this is that you are tapping the same traffic twice. If you look up the CP1BZx1QgzdPpfEyda connection in the conn.log and look at orig_pkts and resp_pkts you should see 1 and 1. If you see 2,2 or 2,1 then you are seeing duplicate packets.</div><div><br></div><div>justin@mbp:/tmp/b$ cat dns.log |bro-cut uid qtype_name query<br>Cu1Xq04w0nXaBiFiD        A        <a href="http://opencalphad.com">opencalphad.com</a><br>CJYuzY33KkZubxHXMc        AAAA        <a href="http://opencalphad.com">opencalphad.com</a><br>CdgXOb43ML2PJSv84a        MX        <a href="http://opencalphad.com">opencalphad.com</a><br>justin@mbp:/tmp/b$ cat conn.log |bro-cut uid orig_pkts resp_pkts |fgrep Cu1Xq04w0nXaBiFiD<br>Cu1Xq04w0nXaBiFiD        1        1<br></div><div><br></div><div><br></div></div><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr">Justin</div></div></div>
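The check Justin describes, carried out programmatically over Zeek's TSV logs, as an added example (not code from the thread); the intel.log and conn.log excerpts below are constructed to mirror the thread, and the conn.log packet counts are assumed values.

```python
# Added example, not code from the thread: parse Zeek's TSV logs, find the
# duplicated intel.log rows, and apply Justin's conn.log packet-count check.
from collections import Counter

# Constructed intel.log excerpt mirroring the thread (tab-separated columns).
INTEL_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tseen.indicator\tseen.where",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tenum",
    "1570105259.197420\tCP1BZx1QgzdPpfEyda\t172.17.0.186\t43283\t172.16.1.10\t53\topencalphad.com\tDNS::IN_REQUEST",
    "1570105259.197420\tCP1BZx1QgzdPpfEyda\t172.17.0.186\t43283\t172.16.1.10\t53\topencalphad.com\tDNS::IN_REQUEST",
    "1570105259.207335\tCJZASAQTB2qgPSYw7\t172.17.0.186\t59553\t172.16.1.10\t53\topencalphad.com\tDNS::IN_REQUEST",
])
# Constructed conn.log excerpt; the packet counts are assumed values.
CONN_LOG = "\n".join([
    "#fields\tts\tuid\torig_pkts\tresp_pkts",
    "#types\ttime\tstring\tcount\tcount",
    "1570105259.197420\tCP1BZx1QgzdPpfEyda\t2\t2",
    "1570105259.207335\tCJZASAQTB2qgPSYw7\t1\t1",
])

def parse_zeek_log(text):
    """Zeek ASCII format: '#fields' names the columns, other '#' lines are
    metadata (separator, types, open/close). Returns dicts keyed by field."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def duplicate_intel_uids(intel_rows):
    """uids of rows whose (ts, uid, indicator, where) appears more than once."""
    key = lambda r: (r["ts"], r["uid"], r["seen.indicator"], r["seen.where"])
    counts = Counter(key(r) for r in intel_rows)
    return sorted({k[1] for k, n in counts.items() if n > 1})

def suspect_duplicate_capture(conn_rows, uids):
    """A single DNS query/answer should show orig_pkts=1, resp_pkts=1; higher
    counts (2/2, 2/1) point at the same traffic being tapped twice."""
    pkts = {r["uid"]: (int(r["orig_pkts"]), int(r["resp_pkts"])) for r in conn_rows}
    return {u: pkts[u] for u in uids if u in pkts and max(pkts[u]) > 1}

if __name__ == "__main__":
    dups = duplicate_intel_uids(parse_zeek_log(INTEL_LOG))
    print(suspect_duplicate_capture(parse_zeek_log(CONN_LOG), dups))
```

Run against real logs, read the files instead of the inline strings; a non-empty result means the duplicated intel hits line up with connections that saw each packet more than once.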