[Bro-Dev] [JIRA] (BIT-1064) DNS Analyzer does not correctly log NXDOMAIN answers
Pietro Delsante (JIRA)
jira at bro-tracker.atlassian.net
Thu Aug 22 09:06:31 PDT 2013
[ https://bro-tracker.atlassian.net/browse/BIT-1064?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13708#comment-13708 ]
Pietro Delsante commented on BIT-1064:
--------------------------------------
By the way, the logs I pasted above are extracted from ELSA; however, things don't change if I read bro's logs directly:
{noformat}
root at myhost:/nsm/bro/logs# for f in $(find . -type f -name "dns.*"); do zcat $f | grep "www.this-domain-does-not-exist.it"; done
1377179281.104465 prGZzGRr1M4 192.168.X.Y 45406 8.8.8.8 53 udp 64928 www.this-domain-does-not-exist.it 1 C_INTERNET 1 A - - F F T F 0 - -
1377179281.146009 Xd0O3YLn3ch 192.168.X.Y 44310 8.8.8.8 53 udp 52665 www.this-domain-does-not-exist.it.XXX.dom 1 C_INTERNET 1 A - - F F T F 0 - -
{noformat}
> DNS Analyzer does not correctly log NXDOMAIN answers
> ----------------------------------------------------
>
> Key: BIT-1064
> URL: https://bro-tracker.atlassian.net/browse/BIT-1064
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.1
> Environment: Bro 2.1 running on SecurityOnion 12.04-2
> Reporter: Pietro Delsante
> Labels: dns, nxdomain
> Attachments: nxdomain.pcap, nxdomain_pcap.png
>
>
> Hi, I am running Bro 2.1 on Security Onion 12.04-2 updated to the latest available packages.
> It looks like Bro's DNS analyzer is not assigning the correct rcode and rcode_name in the output log when the query is of type A and the server answers with an rcode=3 (NXDOMAIN): instead, it puts a dash "-" in both fields, like this:
> {noformat}
> 1377179281.104465|prGZzGRr1M4|192.168.X.Y|45406|8.8.8.8|53|udp|64928|www.this-domain-does-not-exist.it|1|C_INTERNET|1|A|-|-|F|F|T|F|0|-|-
> {noformat}
> that is, exploded:
> {noformat}
> ts: 1377179281.104465
> uid: prGZzGRr1M4
> id: 192.168.X.Y|45406|8.8.8.8|53
> proto: udp
> trans_id: 64928
> query: www.this-domain-does-not-exist.it
> qclass: 1
> qclass_name: C_INTERNET
> qtype: 1
> qtype_name: A
> rcode: -
> rcode_name: -
> AA: F
> TC: F
> RD: T
> RA: F
> Z: 0
> answers: -
> TTLs: -
> {noformat}
> The only case in which I see those values set correctly (rcode: 3, rcode_name: NXDOMAIN) is when Bro is logging a PTR query:
> {noformat}
> 1377079094.159646|XRRCSUItHlj|192.168.X.Y|39362|8.8.8.8|53|udp|54306|1.0.168.192.in-addr.arpa|1|C_INTERNET|12|PTR|3|NXDOMAIN|F|F|T|F|0|-|-
> {noformat}
> The attachment is a screenshot from a wireshark capture of the DNS query showing that the server is actually answering with NXDOMAIN.
> The only change I made to the default configuration was to enable the extraction of executable files from HTTP and SMTP fluxes, so this should have nothing to do with this issue.
> Should you need any more info about my setup, please let me know.
> Thanks,
> Pietro
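An added example, not part of the issue or of Bro's own code, showing how an analyst could spot the gap this issue describes: it parses the pipe-delimited dns.log records pasted above, extracts the RCODE from a DNS response header, and flags log records whose rcode is "-" even though the captured response for the same transaction id carried an rcode. The 12-byte response header is constructed here (transaction id 64928, QR and RD set, RCODE=3); in practice the wire rcodes would come from the pcap attached to the issue.

```python
import struct

# RCODE values from RFC 1035 section 4.1.1, named as Bro's dns.log prints them.
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

# Column order of the pipe-delimited records pasted in the issue (Bro 2.1 dns.log).
DNS_LOG_FIELDS = ["ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "proto",
                  "trans_id", "query", "qclass", "qclass_name", "qtype", "qtype_name",
                  "rcode", "rcode_name", "AA", "TC", "RD", "RA", "Z", "answers", "TTLs"]

def rcode_from_response(msg: bytes) -> int:
    """Return the RCODE (low 4 bits of the flags word) of a raw DNS response."""
    if len(msg) < 12:
        raise ValueError("DNS header is 12 bytes")
    _txid, flags = struct.unpack("!HH", msg[:4])
    if not flags & 0x8000:            # QR bit clear: this is a query, not a response
        raise ValueError("not a DNS response")
    return flags & 0x000F

def parse_dns_log_line(line: str) -> dict:
    """Split one pipe-delimited dns.log record into a field dict."""
    fields = line.strip().split("|")
    if len(fields) != len(DNS_LOG_FIELDS):
        raise ValueError(f"expected {len(DNS_LOG_FIELDS)} fields, got {len(fields)}")
    return dict(zip(DNS_LOG_FIELDS, fields))

def find_unlogged_rcodes(log_lines, wire_rcodes):
    """Report records whose rcode is '-' although a response carrying an rcode was
    captured for the same transaction id. wire_rcodes maps trans_id (str) -> rcode (int)."""
    gaps = []
    for rec in map(parse_dns_log_line, log_lines):
        seen = wire_rcodes.get(rec["trans_id"])
        if rec["rcode"] == "-" and seen is not None:
            gaps.append((rec["trans_id"], rec["query"], RCODE_NAMES.get(seen, str(seen))))
    return gaps

# Constructed sample: the two records from the issue, plus a 12-byte DNS response header
# with transaction id 64928 and flags QR=1, RD=1, RCODE=3 (NXDOMAIN); no answer sections.
LOG_LINES = [
    "1377179281.104465|prGZzGRr1M4|192.168.X.Y|45406|8.8.8.8|53|udp|64928|"
    "www.this-domain-does-not-exist.it|1|C_INTERNET|1|A|-|-|F|F|T|F|0|-|-",
    "1377079094.159646|XRRCSUItHlj|192.168.X.Y|39362|8.8.8.8|53|udp|54306|"
    "1.0.168.192.in-addr.arpa|1|C_INTERNET|12|PTR|3|NXDOMAIN|F|F|T|F|0|-|-",
]
NXDOMAIN_RESPONSE = struct.pack("!HHHHHH", 64928, 0x8103, 1, 0, 0, 0)

if __name__ == "__main__":
    wire = {"64928": rcode_from_response(NXDOMAIN_RESPONSE)}
    print(find_unlogged_rcodes(LOG_LINES, wire))  # [('64928', 'www.this-domain-does-not-exist.it', 'NXDOMAIN')]
```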