[Bro-Dev] [JIRA] (BIT-1153) DNS inconsistency

Robin Sommer (JIRA) jira at bro-tracker.atlassian.net
Mon Mar 10 08:01:18 PDT 2014


Robin Sommer created BIT-1153:
---------------------------------

             Summary: DNS inconsistency
                 Key: BIT-1153
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1153
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
            Reporter: Robin Sommer
             Fix For: 2.3


Something's not deterministic in the DNS analyzer; this is with a small trace of just 6 empty DNS replies with different transaction IDs:

{code}
# ( bro -b -r dns2-anon.trace base/protocols/dns && cat dns.log ) >>log
# ( bro -b -r dns2-anon.trace base/protocols/dns && cat dns.log ) >>log
# ( bro -b -r dns2-anon.trace base/protocols/dns && cat dns.log ) >>log
# cat log
#separator \x09
#set_separator	,
#empty_field	(empty)
#unset_field	-
#path	dns
#open	2014-03-09-21-36-40
#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
#types	time	string	addr	port	addr	port	enum	count	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
1359400918.103013	C3UnB71Lb5jHQuxYi9	10.69.49.58	41664	10.32.136.13	53	udp	50261	-	-	-	-	-	3	NXDOMAIN	F	F	F	F	0	-	-	F
1359400918.102517	C3UnB71Lb5jHQuxYi9	10.69.49.58	41664	10.32.136.13	53	udp	14740	-	-	-	-	-	3	NXDOMAIN	F	F	F	F	0	-	-	F
1359400918.103641	C3UnB71Lb5jHQuxYi9	10.69.49.58	41664	10.32.136.13	53	udp	22908	-	-	-	-	-	3	NXDOMAIN	F	F	F	F	0	-	-	F
1359400918.102812	C3UnB71Lb5jHQuxYi9	10.69.49.58	41664	10.32.136.13	53	udp	58133	-	-	-	-	-	3	NXDOMAIN	F	F	F	F	0	-	-	F
#close	2014-03-09-21-36-40
#separator \x09
#set_separator	,
#empty_field	(empty)
#unset_field	-
#path	dns
#open	2014-03-09-21-36-42
#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
#types	time	string	addr	port	addr	port	enum	count	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
1359400918.102812	CF4yYh4S0wIWnHYKka	10.69.49.58	41664	10.32.136.13	53	udp	58133	-	-	-	-	-	3	NXDOMAIN	F	F	F	F	0	-	-	F
1359400918.104054	CF4yYh4S0wIWnHYKka	10.69.49.58	41664	10.32.136.13	53	udp	45557	-	-	-	-	-	3	NXDOMAIN	F	F	F	F	0	-	-	F
1359400918.103013	CF4yYh4S0wIWnHYKka	10.69.49.58	41664	10.32.136.13	53	udp	50261	-	-	-	-	-	3	NXDOMAIN	F	F	F	F	0	-	-	F
1359400918.102517	CF4yYh4S0wIWnHYKka	10.69.49.58	41664	10.32.136.13	53	udp	14740	-	-	-	-	-	3	NXDOMAIN	F	F	F	F	0	-	-	F
1359400918.103390	CF4yYh4S0wIWnHYKka	10.69.49.58	41664	10.32.136.13	53	udp	31341	-	-	-	-	-	3	NXDOMAIN	F	F	F	F	0	-	-	F
#close	2014-03-09-21-36-42
#separator \x09
#set_separator	,
#empty_field	(empty)
#unset_field	-
#path	dns
#open	2014-03-09-21-36-43
#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
#types	time	string	addr	port	addr	port	enum	count	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
1359400918.103641	CrJZTqkaJJe3L4VUk	10.69.49.58	41664	10.32.136.13	53	udp	22908	-	-	-	-	-	3	NXDOMAIN	F	F	F	F	0	-	-	F
1359400918.103390	CrJZTqkaJJe3L4VUk	10.69.49.58	41664	10.32.136.13	53	udp	31341	-	-	-	-	-	3	NXDOMAIN	F	F	F	F	0	-	-	F
1359400918.103013	CrJZTqkaJJe3L4VUk	10.69.49.58	41664	10.32.136.13	53	udp	50261	-	-	-	-	-	3	NXDOMAIN	F	F	F	F	0	-	-	F
1359400918.102517	CrJZTqkaJJe3L4VUk	10.69.49.58	41664	10.32.136.13	53	udp	14740	-	-	-	-	-	3	NXDOMAIN	F	F	F	F	0	-	-	F
1359400918.102812	CrJZTqkaJJe3L4VUk	10.69.49.58	41664	10.32.136.13	53	udp	58133	-	-	-	-	-	3	NXDOMAIN	F	F	F	F	0	-	-	F
1359400918.104054	CrJZTqkaJJe3L4VUk	10.69.49.58	41664	10.32.136.13	53	udp	45557	-	-	-	-	-	3	NXDOMAIN	F	F	F	F	0	-	-	F
#close	2014-03-09-21-36-43
{code}

I'll provide the trace on request, don't want to attach it here.




--
This message was sent by Atlassian JIRA
(v6.2-OD-10-004-WN#6253)
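As an added example (not code from the report or from Bro itself), a small Python check that parses back-to-back Bro ASCII logs such as the concatenated dns.log above, splits them per run and reports which trans_ids each run dropped relative to the union; the embedded sample is a constructed, cut-down copy of the three runs shown (five fields instead of the full dns.log set), and the function names are my own.

```python
import codecs
from collections import Counter

def parse_bro_logs(text):
    """Split a file of back-to-back Bro ASCII logs (one #open..#close block per run)
    into a list of runs; each run is a list of dict rows keyed by the #fields header."""
    runs, rows, fields, sep, unset = [], [], None, "\t", "-"
    for line in text.splitlines():
        if line.startswith("#separator "):
            # the separator is written escaped, e.g. \x09 for a tab
            sep = codecs.decode(line.split(" ", 1)[1], "unicode_escape")
        elif line.startswith("#unset_field" + sep):
            unset = line.split(sep, 1)[1]
        elif line.startswith("#fields" + sep):
            fields = line.split(sep)[1:]
        elif line.startswith("#close" + sep):
            runs.append(rows)
            rows, fields = [], None
        elif line and not line.startswith("#"):
            vals = line.split(sep)
            rows.append({f: (None if v == unset else v) for f, v in zip(fields, vals)})
    return runs

def compare_runs(runs, key="trans_id"):
    """Multiset of `key` per run, plus the values each run lacks relative to the union.
    A deterministic analyzer gives identical multisets, i.e. only empty 'missing' lists."""
    seen = [Counter(row[key] for row in run) for run in runs]
    union = set().union(*seen)
    missing = [sorted(union - set(c)) for c in seen]
    return all(c == seen[0] for c in seen), missing

# Constructed sample: the three runs from the report above, cut down to five fields.
def _run(opened, uid, rows):
    hdr = ["#separator \\x09", "#set_separator\t,", "#empty_field\t(empty)", "#unset_field\t-",
           "#path\tdns", "#open\t" + opened, "#fields\tts\tuid\ttrans_id\tquery\trcode_name",
           "#types\ttime\tstring\tcount\tstring\tstring"]
    body = ["%s\t%s\t%s\t-\tNXDOMAIN" % (ts, uid, tid) for ts, tid in rows]
    return "\n".join(hdr + body + ["#close\t" + opened])

SAMPLE = "\n".join([
    _run("2014-03-09-21-36-40", "C3UnB71Lb5jHQuxYi9", [("1359400918.103013", "50261"),
         ("1359400918.102517", "14740"), ("1359400918.103641", "22908"), ("1359400918.102812", "58133")]),
    _run("2014-03-09-21-36-42", "CF4yYh4S0wIWnHYKka", [("1359400918.102812", "58133"),
         ("1359400918.104054", "45557"), ("1359400918.103013", "50261"), ("1359400918.102517", "14740"),
         ("1359400918.103390", "31341")]),
    _run("2014-03-09-21-36-43", "CrJZTqkaJJe3L4VUk", [("1359400918.103641", "22908"),
         ("1359400918.103390", "31341"), ("1359400918.103013", "50261"), ("1359400918.102517", "14740"),
         ("1359400918.102812", "58133"), ("1359400918.104054", "45557")]),
])
```

Running `compare_runs(parse_bro_logs(SAMPLE))` on the sample flags the runs as inconsistent, with the first run lacking 31341 and 45557 and the second lacking 22908; on a real file, point `parse_bro_logs` at the concatenated `log` produced by the three `bro -r` invocations.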