[Bro] Lying about DNS yields interesting bro entries
seth at icir.org
Tue Feb 2 08:20:02 PST 2016
> On Feb 1, 2016, at 6:31 PM, James Lay <jlay at slave-tothe-box.net> wrote:
> I guess my question is, is this desired behavior? I see the
> dns_unmatched_reply, but it seems the first two entries never
> happened...so should they be there? Thanks...more of a curious question
> more than anything else.
Which two entries are you referring to? This looks correct to me. It looks like you saw a stray DNS response message, but there was no query.
International Computer Science Institute
(Bro) because everyone has a network