[Bro-Dev] [JIRA] (BIT-755) Bogus DNS_truncated_ans_too_short notice in weird.log for NetBIOS DNS responses

grigorescu (JIRA) jira at bro-tracker.atlassian.net
Fri Mar 20 11:07:00 PDT 2015 

     [ https://bro-tracker.atlassian.net/browse/BIT-755?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

grigorescu updated BIT-755:
---------------------------
    Resolution: Fixed
        Status: Closed  (was: Open)

Seth managed to dig up the trace, and I ran master against it. At some point, this was fixed.

> Bogus DNS_truncated_ans_too_short notice in weird.log for NetBIOS DNS responses
> -------------------------------------------------------------------------------
>
>                 Key: BIT-755
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-755
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Matthias Vallentin
>             Fix For: 2.4
>
>
> As part of the trace testing for 2.0, I found an issue with NetBIOS DNS traffic. (To reproduce, run Bro on slice 10 trace 6.) The issue is that aach NetBIOS DNS response elicits a {{DNS_truncated_ans_too_short}} notice. Presumably this occurs because the DNS analyzer is not aware when it analyzes NetBIOS traffic and always uses default DNS settings.
> Here is an excerpt of {{weird.log}}:
> {noformat}
> #separator \x09
> #path   weird
> #fields ts      uid     id.orig_h       id.orig_p       id.resp_h       id.resp_p       name    addl    notice  peer
> #types  time    string  addr    port    addr    port    string  string  bool    string
> 1258595204.973641       zXeo86cfbm7     192.168.1.1     137     192.168.1.103   137     DNS_label_len_gt_pkt    -       F       bro
> 1258595204.973641       zXeo86cfbm7     192.168.1.1     137     192.168.1.103   137     DNS_truncated_ans_too_short     -       F       bro
> 1258595929.455451       z4HTnleZ5K7     192.168.1.1     137     192.168.1.103   137     DNS_truncated_ans_too_short     -       F       bro
> 1258596653.936597       JabVxb51nSh     192.168.1.1     137     192.168.1.103   137     DNS_truncated_ans_too_short     -       F       bro
> 1258597378.402488       wP49IojzMDi     192.168.1.1     137     192.168.1.103   137     DNS_truncated_ans_too_short     -       F       bro
> 1258598102.868114       yFYuqEzJF87     192.168.1.1     137     192.168.1.103   137     DNS_truncated_ans_too_short     -       F       bro
> [..]
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

More information about the bro-dev mailing list