[Bro-Dev] #755: Bogus DNS_truncated_ans_too_short notice in weird.log for NetBIOS DNS responses
Bro Tracker
bro at tracker.bro-ids.org
Wed Jan 18 16:08:39 PST 2012
#755: Bogus DNS_truncated_ans_too_short notice in weird.log for NetBIOS DNS
responses
----------------------+------------------------
 Reporter:  matthias  |       Owner:
     Type:  Problem   |      Status:  new
 Priority:  Normal    |   Milestone:  Bro2.1
Component:  Bro       |     Version:  git/master
 Keywords:            |
----------------------+------------------------
As part of the trace testing for 2.0, I found an issue with NetBIOS DNS
traffic. (To reproduce, run Bro on slice 10 trace 6.) The issue is that
each NetBIOS DNS response elicits a `DNS_truncated_ans_too_short` notice.
Presumably this occurs because the DNS analyzer is not aware when it
analyzes NetBIOS traffic and always uses default DNS settings.
Here is an excerpt of `weird.log`:
{{{
#separator \x09
#path weird
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1258595204.973641 zXeo86cfbm7 192.168.1.1 137 192.168.1.103 137 DNS_label_len_gt_pkt - F bro
1258595204.973641 zXeo86cfbm7 192.168.1.1 137 192.168.1.103 137 DNS_truncated_ans_too_short - F bro
1258595929.455451 z4HTnleZ5K7 192.168.1.1 137 192.168.1.103 137 DNS_truncated_ans_too_short - F bro
1258596653.936597 JabVxb51nSh 192.168.1.1 137 192.168.1.103 137 DNS_truncated_ans_too_short - F bro
1258597378.402488 wP49IojzMDi 192.168.1.1 137 192.168.1.103 137 DNS_truncated_ans_too_short - F bro
1258598102.868114 yFYuqEzJF87 192.168.1.1 137 192.168.1.103 137 DNS_truncated_ans_too_short - F bro
[..]
}}}
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/755>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker
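
A triage sketch for the symptom reported above, added here as an example and not part of the ticket or of Bro: it reads a `weird.log` using the `#separator` and `#fields` header lines shown in the excerpt and separates `DNS_*` weirds seen on port 137 (NetBIOS name service) from those on other ports. The function names are hypothetical; the first six sample records are rebuilt from the excerpt with tab separators, and the final port-53 record is constructed for contrast.

```python
from collections import Counter

NETBIOS_NS_PORT = 137  # NetBIOS name service, the port in the ticket's excerpt

def rec(ts, uid, orig_p, resp_p, name):
    # Build one tab-separated weird.log record (addresses as in the excerpt).
    return "\t".join([ts, uid, "192.168.1.1", orig_p, "192.168.1.103",
                      resp_p, name, "-", "F", "bro"])

# First six records are rebuilt from the ticket's excerpt; the last one
# (port 53) is constructed for contrast and does not come from the ticket.
SAMPLE = "\n".join([
    "#separator \\x09",
    "#path\tweird",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tname\taddl\tnotice\tpeer",
    rec("1258595204.973641", "zXeo86cfbm7", "137", "137", "DNS_label_len_gt_pkt"),
    rec("1258595204.973641", "zXeo86cfbm7", "137", "137", "DNS_truncated_ans_too_short"),
    rec("1258595929.455451", "z4HTnleZ5K7", "137", "137", "DNS_truncated_ans_too_short"),
    rec("1258596653.936597", "JabVxb51nSh", "137", "137", "DNS_truncated_ans_too_short"),
    rec("1258597378.402488", "wP49IojzMDi", "137", "137", "DNS_truncated_ans_too_short"),
    rec("1258598102.868114", "yFYuqEzJF87", "137", "137", "DNS_truncated_ans_too_short"),
    rec("1258598200.000000", "CONSTRUCTED1", "40000", "53", "DNS_truncated_ans_too_short"),
])

def parse_bro_log(text):
    """Yield one dict per record, using the log's own #separator and #fields."""
    sep, fields = "\t", []
    for line in text.splitlines():
        if line.startswith("#separator"):
            # The header stores the separator as an escape such as \x09.
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#fields"):
            fields = line.split(sep)[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split(sep)))

def split_dns_weirds(records):
    """Count DNS_* weirds, separating port-137 flows from all other flows."""
    netbios, other = Counter(), Counter()
    for r in records:
        if not r["name"].startswith("DNS_"):
            continue
        ports = {int(r["id.orig_p"]), int(r["id.resp_p"])}
        (netbios if NETBIOS_NS_PORT in ports else other)[r["name"]] += 1
    return netbios, other

if __name__ == "__main__":
    netbios, other = split_dns_weirds(parse_bro_log(SAMPLE))
    print("port 137:", dict(netbios))
    print("other ports:", dict(other))
```

Weirds counted in the port-137 bucket are the ones matching the behaviour reported in this ticket; the other bucket is what remains for normal DNS review.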