[Bro-Dev] [JIRA] (BIT-1064) DNS Analyzer does not correctly log NXDOMAIN answers
Pietro Delsante (JIRA)
jira at bro-tracker.atlassian.net
Thu Aug 22 08:46:31 PDT 2013
[ https://bro-tracker.atlassian.net/browse/BIT-1064?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Pietro Delsante updated BIT-1064:
---------------------------------
Attachment: nxdomain.pcap
PCAP file containing a request and response for a nonexistent domain; the server is answering with RCODE=3 (NXDOMAIN).
This happens both with my internal DNS server and with Google's 8.8.8.8.
> DNS Analyzer does not correctly log NXDOMAIN answers
> ----------------------------------------------------
>
> Key: BIT-1064
> URL: https://bro-tracker.atlassian.net/browse/BIT-1064
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.1
> Environment: Bro 2.1 running on SecurityOnion 12.04-2
> Reporter: Pietro Delsante
> Labels: dns, nxdomain
> Attachments: nxdomain.pcap, nxdomain_pcap.png
>
>
> Hi, I am running Bro 2.1 on Security Onion 12.04-2 updated to the latest available packages.
> It looks like Bro's DNS analyzer is not assigning the correct rcode and rcode_name in the output log when the query is of type A and the server answers with an rcode=3 (NXDOMAIN): instead, it puts a dash "-" in both fields, like this:
> {noformat}
> 1377179281.104465|prGZzGRr1M4|192.168.X.Y|45406|8.8.8.8|53|udp|64928|www.this-domain-does-not-exist.it|1|C_INTERNET|1|A|-|-|F|F|T|F|0|-|-
> {noformat}
> that is, exploded:
> {noformat}
> ts: 1377179281.104465
> uid: prGZzGRr1M4
> id: 192.168.X.Y|45406|8.8.8.8|53
> proto: udp
> trans_id: 64928
> query: www.this-domain-does-not-exist.it
> qclass: 1
> qclass_name: C_INTERNET
> qtype: 1
> qtype_name: A
> rcode: -
> rcode_name: -
> AA: F
> TC: F
> RD: T
> RA: F
> Z: 0
> answers: -
> TTLs: -
> {noformat}
> The only case in which I see those values set correctly (rcode: 3, rcode_name: NXDOMAIN) is when Bro is logging a PTR query:
> {noformat}
> 1377079094.159646|XRRCSUItHlj|192.168.X.Y|39362|8.8.8.8|53|udp|54306|1.0.168.192.in-addr.arpa|1|C_INTERNET|12|PTR|3|NXDOMAIN|F|F|T|F|0|-|-
> {noformat}
> The attachment is a screenshot from a Wireshark capture of the DNS query showing that the server is actually answering with NXDOMAIN.
> The only change I made to the default configuration was to enable the extraction of executable files from HTTP and SMTP flows, so this should have nothing to do with this issue.
> Should you need any more info about my setup, please let me know.
> Thanks,
> Pietro
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://bro-tracker.atlassian.net/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
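As an added example (not part of Pietro's report or of the Bro project's code), the Python below shows what the report expects the analyzer to do: it builds a constructed DNS response with an empty answer section and RCODE=3, reads the RCODE from the low four bits of the flags word in the 12-byte header (RFC 1035 section 4.1.1), and checks a dns.log row against the wire value. The two log rows are the ones quoted in the issue; the packet bytes, the column order, and the helper names are assumptions made for this example.

```python
import struct

# RCODE values from RFC 1035 section 4.1.1; the names match the rcode_name
# Bro prints (NXDOMAIN is visible in the PTR row of the report).
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

# Assumed column order of the Bro 2.1 dns.log rows quoted in the report.
DNS_LOG_FIELDS = ["ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "proto",
                  "trans_id", "query", "qclass", "qclass_name", "qtype", "qtype_name",
                  "rcode", "rcode_name", "AA", "TC", "RD", "RA", "Z", "answers", "TTLs"]

# Constructed rows: the A row (rcode missing) and the PTR row (rcode logged) from the report.
A_LINE = ("1377179281.104465|prGZzGRr1M4|192.168.X.Y|45406|8.8.8.8|53|udp|64928|"
          "www.this-domain-does-not-exist.it|1|C_INTERNET|1|A|-|-|F|F|T|F|0|-|-")
PTR_LINE = ("1377079094.159646|XRRCSUItHlj|192.168.X.Y|39362|8.8.8.8|53|udp|54306|"
            "1.0.168.192.in-addr.arpa|1|C_INTERNET|12|PTR|3|NXDOMAIN|F|F|T|F|0|-|-")


def encode_name(name):
    """Encode a domain name as uncompressed DNS labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_response(trans_id, qname, qtype, rcode, rd=True, ra=True):
    """Constructed test input: a response (QR=1) with one question, no answers, given RCODE."""
    flags = 0x8000 | (0x0100 if rd else 0) | (0x0080 if ra else 0) | (rcode & 0xF)
    header = struct.pack("!HHHHHH", trans_id, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN


def parse_dns_header(msg):
    """Decode the fixed 12-byte DNS header; RCODE is the low 4 bits of the flags word."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    trans_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0xF
    return {"trans_id": trans_id, "QR": bool(flags & 0x8000),
            "AA": bool(flags & 0x0400), "TC": bool(flags & 0x0200),
            "RD": bool(flags & 0x0100), "RA": bool(flags & 0x0080),
            "Z": (flags >> 4) & 0x7, "rcode": rcode,
            "rcode_name": RCODE_NAMES.get(rcode, "unknown-%d" % rcode),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def parse_dns_log_line(line):
    """Split one pipe-separated dns.log row into a dict keyed by column name."""
    values = line.strip().split("|")
    if len(values) != len(DNS_LOG_FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(DNS_LOG_FIELDS), len(values)))
    return dict(zip(DNS_LOG_FIELDS, values))


def check_rcode_logged(log_line, response):
    """Return (ok, detail): does the row's rcode/rcode_name match the RCODE on the wire?"""
    row = parse_dns_log_line(log_line)
    hdr = parse_dns_header(response)
    if not hdr["QR"]:
        return False, "packet is a query, not a response"
    if int(row["trans_id"]) != hdr["trans_id"]:
        return False, "transaction id mismatch"
    if row["rcode"] == "-":
        return False, "log has no rcode but the response carries %s" % hdr["rcode_name"]
    if int(row["rcode"]) != hdr["rcode"] or row["rcode_name"] != hdr["rcode_name"]:
        return False, "log says %s/%s, wire says %d/%s" % (
            row["rcode"], row["rcode_name"], hdr["rcode"], hdr["rcode_name"])
    return True, "rcode %s logged correctly" % hdr["rcode_name"]


# Constructed responses matching the transaction ids of the two quoted rows.
A_RESPONSE = build_response(64928, "www.this-domain-does-not-exist.it", 1, 3)
PTR_RESPONSE = build_response(54306, "1.0.168.192.in-addr.arpa", 12, 3)

if __name__ == "__main__":
    for line, pkt in ((A_LINE, A_RESPONSE), (PTR_LINE, PTR_RESPONSE)):
        ok, detail = check_rcode_logged(line, pkt)
        print(parse_dns_log_line(line)["qtype_name"], "row:", "OK" if ok else "MISMATCH", "-", detail)
```

Run stand-alone, the A row is reported as a mismatch (the wire says NXDOMAIN, the log says "-") and the PTR row as correct, which is the discrepancy the issue describes. The same check can be pointed at real traffic by replacing the constructed responses with the UDP payloads read from nxdomain.pcap.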