[Bro] Lying about DNS yields interesting bro entries

James Lay jlay at slave-tothe-box.net
Wed Feb 3 05:46:29 PST 2016

On Wed, 2016-02-03 at 11:28 +0100, Jan Grashöfer wrote:

> Hi,
> > I am actually seeing the issue you're getting now.  It's like the IP addresses were flipped but the ports weren't.  To be completely honest, I don't know what's causing that without seeing the actual traffic.  Could you send a packet that causes this behavior?
> I think you are talking past each other. If I am not mistaken, James is
> struggling with the originator/responder pattern of Bro. I guess he just
> forgot to swap ports in his made up log line.
> So the question would be: Why is the source IP logged as the responder's
> IP for the unmatched reply?
> That would be because source/destination is not equal to
> originator/responder. At first Bro assumes the source is the originator.
> But then Bro identifies the packet as a DNS response and therefore
> determines the source IP as the responder's IP. So orig/resp get flipped
> as Seth wrote:
> > Bro is also (correctly) flipping the connection around which you can see in the conn.log because the originator of the "connection" never sent any packets.
> Did I get this right, James, or are you really struggling with flipped
> ports?
> Jan

Thanks Jan...I think I finally explained it well enough that Seth is
able to look at it.  At the end of the day the question for me is when
an unsolicited DNS response comes in from source port 53 to destination
port 420, why does Bro show my machine as the originator of the traffic.
Guess I should have just said that in the first place 8-|
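The originator/responder versus source/destination distinction Jan describes, as an added example that is not part of the thread or of Bro's own code: a small Python reader for conn.log that uses the "^" history marker (which Bro writes when it flips a connection's direction) to recover the on-the-wire sender, so an unsolicited DNS reply is reported with the remote host as the source even though conn.log lists the local host as originator. The log excerpt, its field subset and the uids are constructed.

```python
# Added example, not code from the thread or from Bro: parse conn.log lines and
# recover the on-the-wire source/destination from Bro's orig/resp roles.
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed conn.log excerpt (tab-separated, a subset of the real fields).
# Cabc1: ordinary DNS query from a local host to a resolver.
# Cabc2: unsolicited DNS reply sent from 198.51.100.9:53 to 192.0.2.10:420.
#        Bro saw a DNS response first and flipped orig/resp, so the local host
#        is logged as originator; the "^" in history records that flip.
SAMPLE_CONN_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\thistory\n"
    "1454500000.1\tCabc1\t192.0.2.10\t51000\t198.51.100.1\t53\tudp\tdns\tDd\n"
    "1454500001.2\tCabc2\t192.0.2.10\t420\t198.51.100.9\t53\tudp\tdns\t^d\n"
)

def parse_conn_log(text: str) -> List[Dict[str, str]]:
    """Turn Bro's tab-separated log into dicts keyed by the #fields header."""
    fields: Optional[List[str]] = None
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("data row before #fields header")
            records.append(dict(zip(fields, line.split("\t"))))
    return records

def was_flipped(rec: Dict[str, str]) -> bool:
    """'^' in history: Bro swapped originator and responder after the first packet."""
    return "^" in rec["history"]

def wire_endpoints(rec: Dict[str, str]) -> Tuple[str, int, str, int]:
    """(src_ip, src_port, dst_ip, dst_port) of the first packet as actually sent.
    orig/resp is a role, not a direction: when flipped, the wire source is the responder."""
    orig = (rec["id.orig_h"], int(rec["id.orig_p"]))
    resp = (rec["id.resp_h"], int(rec["id.resp_p"]))
    return resp + orig if was_flipped(rec) else orig + resp

def unsolicited_dns_replies(records: List[Dict[str, str]], local_nets: List[str]) -> List[Dict[str, str]]:
    """DNS 'connections' whose first packet was a reply from port 53 into a local net."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    hits = []
    for rec in records:
        src_ip, src_port, dst_ip, _ = wire_endpoints(rec)
        if (rec["service"] == "dns" and was_flipped(rec) and src_port == 53
                and any(ipaddress.ip_address(dst_ip) in n for n in nets)):
            hits.append(rec)
    return hits
```

Running `unsolicited_dns_replies(parse_conn_log(SAMPLE_CONN_LOG), ["192.0.2.0/24"])` returns only the Cabc2 record, with `wire_endpoints` giving 198.51.100.9:53 as the sender and 192.0.2.10:420 as the destination.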
