[Bro-Dev] [JIRA] (BIT-1064) DNS Analyzer does not correctly log NXDOMAIN answers
Pietro Delsante (JIRA)
jira at bro-tracker.atlassian.net
Thu Aug 22 08:08:31 PDT 2013
Pietro Delsante created BIT-1064:
Summary: DNS Analyzer does not correctly log NXDOMAIN answers
Project: Bro Issue Tracker
Issue Type: Problem
Affects Versions: 2.1
Environment: Bro 2.1 running on SecurityOnion 12.04-2
Reporter: Pietro Delsante
Hi, I am running Bro 2.1 on Security Onion 12.04-2 updated to the latest available packages.
It looks like Bro's DNS analyzer is not assigning the correct rcode and rcode_name in the output log when the query is of type A and the server answers with rcode=3 (NXDOMAIN): instead, it puts a dash "-" in both fields, like this:
that is, exploded:
The only case in which I see those values set correctly (rcode: 3, rcode_name: NXDOMAIN) is when Bro is logging a PTR query:
The attachment is a screenshot from a wireshark capture of the DNS query showing that the server is actually answering with NXDOMAIN.
The only change I made to the default configuration was to enable the extraction of executable files from HTTP and SMTP fluxes, so this should have nothing to do with this issue.
Should you need any more info about my setup, please let me know.
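The following is an added example, not code from the reporter or from the Bro project. It shows where the rcode the report is about lives on the wire (the low four bits of the flags word in the 12-byte DNS header, independent of the query type) and how a defender can audit a dns.log for responses whose rcode was left as "-". The response bytes and the dns.log excerpt are constructed for the example, and the log uses a reduced subset of the real dns.log columns; only the names rcode, rcode_name, QR, query and qtype_name are assumed to match Bro's field names.

```python
import struct

# RFC 1035 response codes; rcode 3 is NXDOMAIN (name does not exist).
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED"}
QTYPE_NAMES = {1: "A", 12: "PTR", 28: "AAAA"}


def parse_dns_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header. The rcode is in flags & 0x000F
    regardless of whether the question was an A, PTR or any other type."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    trans_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return {
        "trans_id": trans_id,
        "QR": bool(flags & 0x8000),      # 1 = response
        "opcode": (flags >> 11) & 0xF,
        "AA": bool(flags & 0x0400),
        "TC": bool(flags & 0x0200),
        "RD": bool(flags & 0x0100),
        "RA": bool(flags & 0x0080),
        "rcode": rcode,
        "rcode_name": RCODE_NAMES.get(rcode, str(rcode)),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def read_name(msg: bytes, off: int) -> tuple:
    """Read a domain name at `off`, following at most a few compression
    pointers so a malformed loop cannot spin forever."""
    labels, jumps, end = [], 0, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # compression pointer
            if end is None:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumps += 1
            if jumps > 8:
                raise ValueError("too many compression pointers")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_question(msg: bytes, off: int = 12) -> tuple:
    """Return (qname, qtype, qclass) of the first question."""
    name, off = read_name(msg, off)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return name, qtype, qclass


def expected_log_fields(msg: bytes) -> dict:
    """What a DNS log line for this response should carry, from the wire."""
    hdr = parse_dns_header(msg)
    qname, qtype, _ = parse_question(msg)
    return {"query": qname, "qtype_name": QTYPE_NAMES.get(qtype, str(qtype)),
            "rcode": hdr["rcode"], "rcode_name": hdr["rcode_name"],
            "QR": hdr["QR"]}


def build_response(trans_id: int, qname: str, qtype: int, rcode: int) -> bytes:
    """Constructed response with QR, RD and RA set, no answer records."""
    flags = 0x8000 | 0x0100 | 0x0080 | (rcode & 0xF)
    header = struct.pack("!HHHHHH", trans_id, flags, 1, 0, 0, 0)
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    return header + wire + b"\x00" + struct.pack("!HH", qtype, 1)


# Constructed dns.log excerpt (reduced column set) reproducing the report:
# the A query is logged with "-" for rcode, the PTR query correctly.
SAMPLE_DNS_LOG = (
    "#fields\tts\tuid\tquery\tqtype\tqtype_name\trcode\trcode_name\tQR\n"
    "1377183000.1\tC1\tnonexistent.example\t1\tA\t-\t-\tT\n"
    "1377183001.2\tC2\t4.3.2.1.in-addr.arpa\t12\tPTR\t3\tNXDOMAIN\tT\n"
)


def find_unlogged_rcodes(log_text: str) -> list:
    """Responses (QR=T) whose rcode column is '-' : the symptom reported."""
    fields, hits = None, []
    for line in log_text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#") or not line.strip() or fields is None:
            continue
        rec = dict(zip(fields, line.split("\t")))
        if rec.get("QR") == "T" and rec.get("rcode") == "-":
            hits.append((rec["query"], rec["qtype_name"]))
    return hits


if __name__ == "__main__":
    resp = build_response(0x1234, "nonexistent.example", 1, 3)
    print(expected_log_fields(resp))       # rcode 3 / NXDOMAIN for an A query
    print(find_unlogged_rcodes(SAMPLE_DNS_LOG))
```

Running `expected_log_fields` on the constructed NXDOMAIN answer to an A query yields rcode 3 / NXDOMAIN straight from the header, which is what the log should have carried for the A case as it already does for the PTR case; `find_unlogged_rcodes` can be pointed at a real dns.log to count how many responses are affected.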