[Bro-Dev] [JIRA] (BIT-1064) DNS Analyzer does not correctly log NXDOMAIN answers
Pietro Delsante (JIRA)
jira at bro-tracker.atlassian.net
Thu Aug 22 08:08:31 PDT 2013
Pietro Delsante created BIT-1064:
------------------------------------
Summary: DNS Analyzer does not correctly log NXDOMAIN answers
Key: BIT-1064
URL: https://bro-tracker.atlassian.net/browse/BIT-1064
Project: Bro Issue Tracker
Issue Type: Problem
Components: Bro
Affects Versions: 2.1
Environment: Bro 2.1 running on SecurityOnion 12.04-2
Reporter: Pietro Delsante
Attachments: nxdomain_pcap.png
Hi, I am running Bro 2.1 on Security Onion 12.04-2 updated to the latest available packages.
It looks like Bro's DNS analyzer is not assigning the correct rcode and rcode_name in the output log when the query is of type A and the server answers with a rcode=3 (NXDOMAIN): instead, it puts a dash "-" in both fields, like this:
{noformat}
1377179281.104465|prGZzGRr1M4|192.168.X.Y|45406|8.8.8.8|53|udp|64928|www.this-domain-does-not-exist.it|1|C_INTERNET|1|A|-|-|F|F|T|F|0|-|-
{noformat}
that is, exploded:
{noformat}
ts: 1377179281.104465
uid: prGZzGRr1M4
id: 192.168.X.Y|45406|8.8.8.8|53
proto: udp
trans_id: 64928
query: www.this-domain-does-not-exist.it
qclass: 1
qclass_name: C_INTERNET
qtype: 1
qtype_name: A
rcode: -
rcode_name: -
AA: F
TC: F
RD: T
RA: F
Z: 0
answers: -
TTLs: -
{noformat}
The only case in which I see those values set correctly (rcode: 3, rcode_name: NXDOMAIN) is when Bro is logging a PTR query:
{noformat}
1377079094.159646|XRRCSUItHlj|192.168.X.Y|39362|8.8.8.8|53|udp|54306|1.0.168.192.in-addr.arpa|1|C_INTERNET|12|PTR|3|NXDOMAIN|F|F|T|F|0|-|-
{noformat}
The attachment is a screenshot from a Wireshark capture of the DNS query showing that the server is actually answering with NXDOMAIN.
The only change I made to the default configuration was to enable the extraction of executable files from HTTP and SMTP fluxes, so this should have nothing to do with this issue.
Should you need any more info about my setup, please let me know.
Thanks,
Pietro
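The check the report does by hand (read the rcode out of dns.log, then compare it with what the packet capture shows) can be scripted. The following is an added example, not code from the report or from Bro: it parses the two dns.log lines quoted above, assumes the pipe separator shown in the report and the field order of the exploded record (Bro's default separator is a tab, so `sep` is a parameter), and uses a constructed `WIRE_RCODES` table standing in for the transaction-id to rcode pairs one would read off the capture. Any record whose logged rcode disagrees with the wire rcode is reported.

```python
# Added example (not part of the original bug report or of Bro itself):
# parse Bro 2.1 dns.log lines and cross-check the logged rcode against
# the rcode seen on the wire, the comparison the report does by hand.
from typing import Dict, List, Optional

# Field order taken from the exploded record in the report.
FIELDS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
    "proto", "trans_id", "query", "qclass", "qclass_name", "qtype",
    "qtype_name", "rcode", "rcode_name", "AA", "TC", "RD", "RA", "Z",
    "answers", "TTLs",
]
UNSET = "-"  # Bro writes "-" for a field it did not populate

# DNS response codes (RFC 1035) with the names Bro uses for them.
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

# The two log lines quoted in the report (pipe-separated as shown there).
SAMPLE_LINES = [
    "1377179281.104465|prGZzGRr1M4|192.168.X.Y|45406|8.8.8.8|53|udp|64928|"
    "www.this-domain-does-not-exist.it|1|C_INTERNET|1|A|-|-|F|F|T|F|0|-|-",
    "1377079094.159646|XRRCSUItHlj|192.168.X.Y|39362|8.8.8.8|53|udp|54306|"
    "1.0.168.192.in-addr.arpa|1|C_INTERNET|12|PTR|3|NXDOMAIN|F|F|T|F|0|-|-",
]

# Constructed stand-in for what the packet capture showed: the server
# answered NXDOMAIN (rcode 3) to both queries, keyed by DNS transaction id.
WIRE_RCODES = {64928: 3, 54306: 3}


def parse_dns_log_line(line: str, sep: str = "|") -> Dict[str, str]:
    """Split one dns.log line into a field-name -> value mapping."""
    parts = line.rstrip("\n").split(sep)
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return dict(zip(FIELDS, parts))


def logged_rcode(rec: Dict[str, str]) -> Optional[int]:
    """Return the logged rcode as an int, or None when Bro left it unset."""
    return None if rec["rcode"] == UNSET else int(rec["rcode"])


def classify(rec: Dict[str, str]) -> str:
    """Label a record by what its logged rcode says about the response."""
    rc = logged_rcode(rec)
    if rc is None:
        # Either no reply was seen or the rcode was dropped from the log;
        # the log alone cannot tell these two cases apart.
        return "no_rcode"
    return RCODE_NAMES.get(rc, f"RCODE{rc}")


def find_rcode_mismatches(lines: List[str],
                          wire: Dict[int, int]) -> List[Dict[str, str]]:
    """Return records whose logged rcode disagrees with the rcode on the wire."""
    mismatches = []
    for line in lines:
        rec = parse_dns_log_line(line)
        expected = wire.get(int(rec["trans_id"]))
        if expected is not None and logged_rcode(rec) != expected:
            rec["expected_rcode_name"] = RCODE_NAMES.get(expected, str(expected))
            mismatches.append(rec)
    return mismatches


if __name__ == "__main__":
    # Prints the A query from the report: logged rcode '-', wire said NXDOMAIN.
    for rec in find_rcode_mismatches(SAMPLE_LINES, WIRE_RCODES):
        print(f"{rec['query']} ({rec['qtype_name']}): logged rcode "
              f"{rec['rcode']!r}, wire said {rec['expected_rcode_name']}")
```

Run against the two quoted lines, only the A query is reported: its logged rcode is unset while the capture shows rcode 3, which is exactly the discrepancy described above. The PTR record passes because Bro logged 3/NXDOMAIN for it. A `no_rcode` classification on its own is not proof of the bug, since a query that genuinely got no reply looks the same in dns.log; the capture is what disambiguates.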