[Bro-Dev] [JIRA] (BIT-1064) DNS Analyzer does not correctly log NXDOMAIN answers
Seth Hall (JIRA)
jira at bro-tracker.atlassian.net
Thu Aug 22 09:44:31 PDT 2013
[ https://bro-tracker.atlassian.net/browse/BIT-1064?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13709#comment-13709 ]
Seth Hall commented on BIT-1064:
It's fixed in 2.2 (git master). I think this was related to some bugs I fixed a while ago in the DNS base scripts. I'm closing the ticket because we aren't going to backport the fix to prior releases.
> DNS Analyzer does not correctly log NXDOMAIN answers
> Key: BIT-1064
> URL: https://bro-tracker.atlassian.net/browse/BIT-1064
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.1
> Environment: Bro 2.1 running on SecurityOnion 12.04-2
> Reporter: Pietro Delsante
> Labels: dns, nxdomain
> Fix For: 2.2
> Attachments: nxdomain.pcap, nxdomain_pcap.png
> Hi, I am running Bro 2.1 on Security Onion 12.04-2 updated to the latest available packages.
> It looks like Bro's DNS analyzer is not assigning the correct rcode and rcode_name in the output log when the query is of type A and the server answers with a rcode=3 (NXDOMAIN): instead, it puts a dash "-" in both fields, like this:
> that is, exploded:
> ts: 1377179281.104465
> uid: prGZzGRr1M4
> id: 192.168.X.Y|45406|184.108.40.206|53
> proto: udp
> trans_id: 64928
> query: www.this-domain-does-not-exist.it
> qclass: 1
> qclass_name: C_INTERNET
> qtype: 1
> qtype_name: A
> rcode: -
> rcode_name: -
> AA: F
> TC: F
> RD: T
> RA: F
> Z: 0
> answers: -
> TTLs: -
> The only case in which I see those values set correctly (rcode: 3, rcode_name: NXDOMAIN) is when Bro is logging a PTR query:
> The attachment is a screenshot from a Wireshark capture of the DNS query showing that the server is actually answering with NXDOMAIN.
> The only change I made to the default configuration was to enable the extraction of executable files from HTTP and SMTP fluxes, so this should have nothing to do with this issue.
> Should you need any more info about my setup, please let me know.
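To check an existing Bro 2.1 dns.log for the symptom described in this ticket (queries that got no answers but whose rcode and rcode_name were left unset), here is an added Python example; it is not code from the ticket or from Bro itself. It assumes the standard tab-separated Bro log layout with a `#fields` header and `-` for unset values; the three sample records are constructed to mirror the exploded entry above.

```python
# Added example, not part of the ticket or of Bro. Scans a Bro 2.1 dns.log
# for records that match the BIT-1064 symptom: rcode/rcode_name unset ("-")
# although the query produced no answers. Sample records are constructed.

SAMPLE_DNS_LOG = """\
#separator \\x09
#unset_field\t-
#path\tdns
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\ttrans_id\tquery\tqclass\tqclass_name\tqtype\tqtype_name\trcode\trcode_name\tAA\tTC\tRD\tRA\tZ\tanswers\tTTLs
1377179281.104465\tprGZzGRr1M4\t192.168.0.1\t45406\t184.108.40.206\t53\tudp\t64928\twww.this-domain-does-not-exist.it\t1\tC_INTERNET\t1\tA\t-\t-\tF\tF\tT\tF\t0\t-\t-
1377179282.000000\tCONSTRUCTED2\t192.168.0.1\t45407\t184.108.40.206\t53\tudp\t64929\t1.0.168.192.in-addr.arpa\t1\tC_INTERNET\t12\tPTR\t3\tNXDOMAIN\tF\tF\tT\tF\t0\t-\t-
1377179283.000000\tCONSTRUCTED3\t192.168.0.1\t45408\t184.108.40.206\t53\tudp\t64930\twww.example.com\t1\tC_INTERNET\t1\tA\t0\tNOERROR\tF\tF\tT\tT\t0\t93.184.216.34\t3600.000000
"""


def parse_bro_log(text):
    """Yield one dict per record, keyed by the column names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other metadata lines and blank lines carry no records
        else:
            if fields is None:
                raise ValueError("record seen before #fields header")
            yield dict(zip(fields, line.split("\t")))


def find_unset_rcode(records):
    """Return records that look like BIT-1064: no answers logged, yet rcode and
    rcode_name are unset instead of carrying the server's response code.

    Caveat: a query that never received any reply at all looks the same in
    dns.log, so confirm suspects against a packet capture, as the reporter did.
    """
    return [
        r for r in records
        if r["rcode"] == "-" and r["rcode_name"] == "-" and r["answers"] == "-"
    ]


def summarize_by_qtype(records):
    """Count suspect records per query type, to see whether the gap is specific
    to one type (the ticket reports A queries affected, PTR queries correct)."""
    counts = {}
    for r in find_unset_rcode(records):
        counts[r["qtype_name"]] = counts.get(r["qtype_name"], 0) + 1
    return counts


if __name__ == "__main__":
    recs = list(parse_bro_log(SAMPLE_DNS_LOG))
    for r in find_unset_rcode(recs):
        print(r["ts"], r["trans_id"], r["qtype_name"], r["query"])
    print(summarize_by_qtype(recs))
```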