[Bro] Lying about DNS yields interesting bro entries

Jan Grashöfer jan.grashoefer at gmail.com
Wed Feb 3 02:28:55 PST 2016


> I am actually seeing the issue you're getting now.  It's like the IP addresses were flipped but the ports weren't.  To be completely honest, I don't know what's causing that without seeing the actual traffic.  Could you send a packet that causes this behavior?

I think you are talking past each other. If I am not mistaken, James is
struggling with the originator/responder pattern of Bro. I guess he just
forgot to swap ports in his made-up log line.

So the question would be: Why is the source IP logged as the responder's
IP for the unmatched reply?

That would be because source/destination is not equal to
originator/responder. At first Bro assumes the source is the originator.
But then Bro identifies the packet as a DNS response and therefore
determines the source IP as the responder's IP. So orig/resp get flipped
as Seth wrote:

> Bro is also (correctly) flipping the connection around which you can see in the conn.log because the originator of the "connection" never sent any packets.

Did I get this right, James, or are you really struggling with flipped
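As an added illustration of the orig/resp flip described above (this is not Bro's own code and not part of the thread, just a simplified model of the heuristic): a first packet is provisionally treated as coming from the originator, but if it is a DNS message with the QR bit set, the sender must be the responder, so both the addresses and the ports are swapped. The addresses, ports and the DNS header bytes below are constructed sample values; the `^` history marker mirrors the flag Bro/Zeek's conn.log uses for a flipped connection.

```python
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One UDP datagram as seen on the wire (src/dst are wire-level, not orig/resp)."""
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Conn:
    """Connection record in the orig/resp orientation Bro's conn.log uses."""
    orig_h: str
    orig_p: int
    resp_h: str
    resp_p: int
    history: str = ""


def dns_is_response(payload: bytes) -> bool:
    """True if the DNS header's QR bit (top bit of the flags word) is set."""
    if len(payload) < 12:          # shorter than a DNS header: not DNS
        return False
    _txid, flags = struct.unpack("!HH", payload[:4])
    return bool((flags >> 15) & 1)


def assign_direction(first_pkt: Packet) -> Conn:
    """Model of the direction heuristic for the FIRST packet of a new flow.

    Step 1: assume the wire-level source is the originator.
    Step 2: if the packet is a DNS response, the source cannot be the
            originator (it is answering), so swap hosts AND ports and
            note the flip in the history string.
    """
    conn = Conn(first_pkt.src, first_pkt.sport, first_pkt.dst, first_pkt.dport)
    on_dns_port = 53 in (first_pkt.sport, first_pkt.dport)
    if on_dns_port and dns_is_response(first_pkt.payload):
        conn = Conn(first_pkt.dst, first_pkt.dport,
                    first_pkt.src, first_pkt.sport, history="^")
    return conn


# Constructed DNS headers (12 bytes, no question/answer sections needed here).
# flags 0x0100 = QR 0, RD 1 (a query); flags 0x8180 = QR 1, RD 1, RA 1 (a response).
QUERY_HDR = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
RESPONSE_HDR = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)

# Constructed sample flows: a normal query, and an unmatched reply where the
# first packet Bro sees is the server's answer.
NORMAL_QUERY = Packet("10.0.0.5", 40000, "192.0.2.53", 53, QUERY_HDR)
UNMATCHED_REPLY = Packet("192.0.2.53", 53, "10.0.0.5", 40000, RESPONSE_HDR)


if __name__ == "__main__":
    for pkt in (NORMAL_QUERY, UNMATCHED_REPLY):
        c = assign_direction(pkt)
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  =>  "
              f"orig {c.orig_h}:{c.orig_p}  resp {c.resp_h}:{c.resp_p}  history '{c.history}'")
```

Running it shows the point of the thread: for the unmatched reply the source IP 192.0.2.53 is logged as `id.resp_h`, and because the ports travel with the hosts, `id.resp_p` is 53 and `id.orig_p` is 40000, not the other way round.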


