[Bro] Lying about DNS yields interesting bro entries

Seth Hall seth at icir.org
Tue Feb 2 20:59:40 PST 2016

> On Feb 2, 2016, at 8:50 PM, James Lay <jlay at slave-tothe-box.net> wrote:
> 2016-02-01T08:48:12-0700    420     x.x.x.x  53      dns_unmatched_reply     -       F       bro
> Not trying to beat a dead horse here...just trying to understand how Bro is treating a DNS response that it never saw requested.  Thanks all.

Hah, not a problem.  A lot of this stuff has so many edge cases and fairly arbitrary decisions on how to handle various situations deep down in scripts.

I am actually seeing the issue you're getting now.  It's like the IP addresses were flipped but the ports weren't.  To be completely honest, I don't know what's causing that without seeing the actual traffic.  Could you send a packet that causes this behavior?


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

More information about the Bro mailing list