[Bro-Dev] [JIRA] (BIT-79) DNS analyzer does not generate events on most NXDOMAIN
Robin Sommer (JIRA)
jira at bro-tracker.atlassian.net
Tue Feb 11 15:45:37 PST 2014
Robin Sommer reassigned BIT-79:
-------------------------------
Assignee: (was: Robin Sommer)
> DNS analyzer does not generate events on most NXDOMAIN
> ------------------------------------------------------
>
> Key: BIT-79
> URL: https://bro-tracker.atlassian.net/browse/BIT-79
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 1.5.2
> Reporter: gregor
>
> With default settings the "old" DNS-Analyzer doesn't generate events on (most) NXDOMAINs because: most NXDOMAIN replies have additional (or authority) sections, dns_skip_all* is T by default, the dns_rejected event is only generated when all sections have zero count ==> no dns_rejected event (because there's an additional) but the additional is not printed ==> no event is generated for this DNS reply.
> Maybe a solution:
> a) generate a dns_rejected whenever RCode != 0 or
> b) generate a dns_rejected when RCode != 0 && ancount == 0
> What do you think is the best semantics?
> FYI: here's the code snippet from DNS.cc
> {noformat}
> else if ( msg->QR == 1 &&
>           msg->ancount == 0 && msg->nscount == 0 && msg->arcount == 0 )
>     // Service rejected in some fashion, and it won't be reported
>     // via a returned RR because there aren't any.
>     dns_event = dns_rejected;
> {noformat}
--
This message was sent by Atlassian JIRA
(v6.2-OD-09-036#6252)
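The report above describes three candidate conditions for raising dns_rejected: the existing one (all RR sections empty), option (a) (any non-zero RCODE) and option (b) (non-zero RCODE with an empty answer section). The following C++ is an added example written for this page, not code from Bro's DNS.cc: it parses the 12-byte DNS header (RFC 1035 section 4.1.1) from hand-constructed sample messages and applies all three predicates, so the difference in coverage is visible. The sample headers, the struct and the function names are assumptions made here; the only behaviour taken from the page is the quoted condition. The NXDOMAIN-with-CNAME sample goes slightly beyond the report to show where (a) and (b) diverge.

```cpp
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <vector>

// Fields of the fixed 12-byte DNS header (RFC 1035, section 4.1.1).
struct DnsHeader {
    uint16_t id;
    bool qr;          // true for a response
    uint8_t rcode;    // 0 = NOERROR, 3 = NXDOMAIN
    uint16_t qdcount, ancount, nscount, arcount;
};

static uint16_t be16(const uint8_t* p) {
    return static_cast<uint16_t>((p[0] << 8) | p[1]);
}

// Parse only the header; the question and RR sections are not needed for
// any of the three predicates below.
DnsHeader parse_header(const std::vector<uint8_t>& msg) {
    if (msg.size() < 12)
        throw std::runtime_error("DNS message shorter than the 12-byte header");
    DnsHeader h;
    h.id = be16(&msg[0]);
    h.qr = (msg[2] & 0x80) != 0;   // high bit of the first flags byte
    h.rcode = msg[3] & 0x0F;       // low nibble of the second flags byte
    h.qdcount = be16(&msg[4]);
    h.ancount = be16(&msg[6]);
    h.nscount = be16(&msg[8]);
    h.arcount = be16(&msg[10]);
    return h;
}

// Condition quoted from DNS.cc: fires only when every RR section is empty,
// so an NXDOMAIN carrying an SOA in the authority section is missed.
bool rejected_old(const DnsHeader& h) {
    return h.qr && h.ancount == 0 && h.nscount == 0 && h.arcount == 0;
}
// Option (a): any response with a non-zero RCODE.
bool rejected_a(const DnsHeader& h) { return h.qr && h.rcode != 0; }
// Option (b): non-zero RCODE and an empty answer section.
bool rejected_b(const DnsHeader& h) {
    return h.qr && h.rcode != 0 && h.ancount == 0;
}

// Constructed sample headers (assumed for this example). Layout per sample:
// ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT, all big-endian.
// FLAGS 0x8183 = QR=1 RD=1 RA=1 RCODE=3 (NXDOMAIN); 0x8180 = same with RCODE=0.
const std::vector<uint8_t> kNxdomainEmpty    = {0x12,0x34, 0x81,0x83, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x00};
const std::vector<uint8_t> kNxdomainWithSoa  = {0x12,0x35, 0x81,0x83, 0x00,0x01, 0x00,0x00, 0x00,0x01, 0x00,0x00};
// NXDOMAIN after a CNAME chain: the answer holds the CNAME, the authority an SOA.
const std::vector<uint8_t> kNxdomainWithCname = {0x12,0x36, 0x81,0x83, 0x00,0x01, 0x00,0x01, 0x00,0x01, 0x00,0x00};
const std::vector<uint8_t> kNoerrorAnswer    = {0x12,0x37, 0x81,0x80, 0x00,0x01, 0x00,0x01, 0x00,0x00, 0x00,0x00};

int main() {
    struct Sample { const char* name; const std::vector<uint8_t>* bytes; };
    const Sample samples[] = {
        {"NXDOMAIN, all sections empty", &kNxdomainEmpty},
        {"NXDOMAIN, SOA in authority", &kNxdomainWithSoa},
        {"NXDOMAIN, CNAME in answer", &kNxdomainWithCname},
        {"NOERROR with answer", &kNoerrorAnswer},
    };
    std::printf("%-30s %-4s %-9s %-9s %-9s\n", "sample", "rc", "old", "opt_a", "opt_b");
    for (const Sample& s : samples) {
        DnsHeader h = parse_header(*s.bytes);
        std::printf("%-30s %-4u %-9s %-9s %-9s\n", s.name, h.rcode,
                    rejected_old(h) ? "event" : "silent",
                    rejected_a(h) ? "event" : "silent",
                    rejected_b(h) ? "event" : "silent");
    }
    return 0;
}
```

Running it prints one row per sample: the quoted condition raises dns_rejected only for the fully empty NXDOMAIN, both options catch the common SOA-in-authority case, and the CNAME sample is where (a) and (b) differ, which is the semantic choice the report asks about.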