[Bro-Dev] [JIRA] (BIT-1064) DNS Analyzer does not correctly log NXDOMAIN answers

Seth Hall (JIRA) jira at bro-tracker.atlassian.net
Thu Aug 22 09:44:31 PDT 2013

    [ https://bro-tracker.atlassian.net/browse/BIT-1064?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13709#comment-13709 ] 

Seth Hall commented on BIT-1064:

It's fixed in 2.2 (git master).  I think this was related to some bugs I fixed a while ago in the DNS base scripts.  I'm closing the ticket because we aren't going to backport the fix to prior releases.
> DNS Analyzer does not correctly log NXDOMAIN answers
> ----------------------------------------------------
>                 Key: BIT-1064
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1064
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.1
>         Environment: Bro 2.1 running on SecurityOnion 12.04-2
>            Reporter: Pietro Delsante
>              Labels: dns, nxdomain
>             Fix For: 2.2
>         Attachments: nxdomain.pcap, nxdomain_pcap.png
> Hi, I am running Bro 2.1 on Security Onion 12.04-2 updated to the latest available packages.
> It looks like Bro's DNS analyzer is not assigning the correct rcode and rcode_name in the output log when the query is of type A and the server answers with an rcode=3 (NXDOMAIN): instead, it puts a dash "-" in both fields, like this:
> {noformat}
> 1377179281.104465|prGZzGRr1M4|192.168.X.Y|45406||53|udp|64928|www.this-domain-does-not-exist.it|1|C_INTERNET|1|A|-|-|F|F|T|F|0|-|-
> {noformat}
> that is, exploded:
> {noformat}
> ts:             1377179281.104465
> uid:            prGZzGRr1M4
> id:             192.168.X.Y|45406||53
> proto:          udp
> trans_id:       64928
> query:          www.this-domain-does-not-exist.it
> qclass:         1
> qclass_name:    C_INTERNET
> qtype:          1
> qtype_name:     A
> rcode:          -
> rcode_name:     -
> AA:             F
> TC:             F
> RD:             T
> RA:             F
> Z:              0
> answers:        -
> TTLs:           -
> {noformat}
> The only case in which I see those values set correctly (rcode: 3, rcode_name: NXDOMAIN) is when Bro is logging a PTR query:
> {noformat}
> 1377079094.159646|XRRCSUItHlj|192.168.X.Y|39362||53|udp|54306||1|C_INTERNET|12|PTR|3|NXDOMAIN|F|F|T|F|0|-|-
> {noformat}
> The attachment is a screenshot from a wireshark capture of the DNS query showing that the server is actually answering with NXDOMAIN.
> The only change I made to the default configuration was to enable the extraction of executable files from HTTP and SMTP fluxes, so this should have nothing to do with this issue.
> Should you need any more info about my setup, please let me know.
> Thanks,
> Pietro
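As an added example (not code from the Bro project or from the reporter), a small Python audit that parses the two dns.log records quoted above, with the field order taken from the "exploded" listing, and tags records whose rcode is unset so a rule that counts NXDOMAIN responses per client can see where the analyzer left the gap. It assumes the "|" separator as rendered in the report; real dns.log output is tab-separated, so pass sep="\t" for live files.

```python
"""Audit Bro dns.log records for the unset-rcode symptom described in BIT-1064.

Added example, not Bro project code. FIELDS follows the exploded record in the
report. SAMPLE_LOG holds constructed copies of the two lines quoted there; the
separator is '|' as the report renders it (real dns.log uses tabs: sep='\t').
"""
from collections import Counter

FIELDS = ["ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "proto",
          "trans_id", "query", "qclass", "qclass_name", "qtype", "qtype_name",
          "rcode", "rcode_name", "AA", "TC", "RD", "RA", "Z", "answers", "TTLs"]

SAMPLE_LOG = """\
1377179281.104465|prGZzGRr1M4|192.168.X.Y|45406||53|udp|64928|www.this-domain-does-not-exist.it|1|C_INTERNET|1|A|-|-|F|F|T|F|0|-|-
1377079094.159646|XRRCSUItHlj|192.168.X.Y|39362||53|udp|54306||1|C_INTERNET|12|PTR|3|NXDOMAIN|F|F|T|F|0|-|-
"""


def parse_record(line, sep="|"):
    """Split one dns.log line into a dict keyed by FIELDS ('-' means unset)."""
    parts = line.rstrip("\n").split(sep)
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return dict(zip(FIELDS, parts))


def classify(rec):
    """Outcome a detection rule can key on.

    Returns the logged rcode_name when the analyzer set one. When rcode is '-'
    the record is tagged UNLOGGED; with no answers either it is the exact shape
    of the A-query NXDOMAIN in the report, which a rule matching
    rcode_name == 'NXDOMAIN' silently misses.
    """
    if rec["rcode_name"] != "-":
        return rec["rcode_name"]
    return "UNLOGGED_NOANSWER" if rec["answers"] == "-" else "UNLOGGED"


def audit(log_text, sep="|"):
    """Count outcomes per client so unlogged rcodes show next to real NXDOMAINs."""
    per_client = {}
    for line in log_text.splitlines():
        if not line or line.startswith("#"):  # skip Bro's #-prefixed header lines
            continue
        rec = parse_record(line, sep)
        per_client.setdefault(rec["orig_h"], Counter())[classify(rec)] += 1
    return per_client


if __name__ == "__main__":
    for client, counts in audit(SAMPLE_LOG).items():
        print(client, dict(counts))
```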

