[Bro-Dev] [JIRA] (BIT-1153) DNS inconsistency

Jon Siwek (JIRA) jira at bro-tracker.atlassian.net
Mon Mar 10 09:40:18 PDT 2014


     [ https://bro-tracker.atlassian.net/browse/BIT-1153?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1153:
---------------------------

    Status: Merge Request  (was: Open)

> DNS inconsistency
> -----------------
>
>                 Key: BIT-1153
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1153
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Robin Sommer
>             Fix For: 2.3
>
>
> Something's not deterministic in the DNS analyzer, this is with a small trace of just 6 empty DNS replies with different transaction IDs::
> {code}
> # ( bro -b -r dns2-anon.trace base/protocols/dns && cat dns.log ) >>log
> # ( bro -b -r dns2-anon.trace base/protocols/dns && cat dns.log ) >>log
> # ( bro -b -r dns2-anon.trace base/protocols/dns && cat dns.log ) >>log
> # cat log
> #separator \x09
> #set_separator	,
> #empty_field	(empty)
> #unset_field	-
> #path	dns
> #open	2014-03-09-21-36-40
> #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
> #types	time	string	addr	port	addr	port	enum	count	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
> 1359400918.103013	C3UnB71Lb5jHQuxYi9	10.69.49.58	41664	10.32.136.13	53	udp	50261	-	-	-	-	-	3	NXDOMAIN	F	F	F	F	0	-	-	F
> 1359400918.102517	C3UnB71Lb5jHQuxYi9	10.69.49.58	41664	10.32.136.13	53	udp	14740	-	-	-	-	-	3	NXDOMAIN	F	F	F	F	0	-	-	F
> 1359400918.103641	C3UnB71Lb5jHQuxYi9	10.69.49.58	41664	10.32.136.13	53	udp	22908	-	-	-	-	-	3	NXDOMAIN	F	F	F	F	0	-	-	F
> 1359400918.102812	C3UnB71Lb5jHQuxYi9	10.69.49.58	41664	10.32.136.13	53	udp	58133	-	-	-	-	-	3	NXDOMAIN	F	F	F	F	0	-	-	F
> #close	2014-03-09-21-36-40
> #separator \x09
> #set_separator	,
> #empty_field	(empty)
> #unset_field	-
> #path	dns
> #open	2014-03-09-21-36-42
> #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
> #types	time	string	addr	port	addr	port	enum	count	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
> 1359400918.102812	CF4yYh4S0wIWnHYKka	10.69.49.58	41664	10.32.136.13	53	udp	58133	-	-	-	-	-	3	NXDOMAIN	F	F	F	F	0	-	-	F
> 1359400918.104054	CF4yYh4S0wIWnHYKka	10.69.49.58	41664	10.32.136.13	53	udp	45557	-	-	-	-	-	3	NXDOMAIN	F	F	F	F	0	-	-	F
> 1359400918.103013	CF4yYh4S0wIWnHYKka	10.69.49.58	41664	10.32.136.13	53	udp	50261	-	-	-	-	-	3	NXDOMAIN	F	F	F	F	0	-	-	F
> 1359400918.102517	CF4yYh4S0wIWnHYKka	10.69.49.58	41664	10.32.136.13	53	udp	14740	-	-	-	-	-	3	NXDOMAIN	F	F	F	F	0	-	-	F
> 1359400918.103390	CF4yYh4S0wIWnHYKka	10.69.49.58	41664	10.32.136.13	53	udp	31341	-	-	-	-	-	3	NXDOMAIN	F	F	F	F	0	-	-	F
> #close	2014-03-09-21-36-42
> #separator \x09
> #set_separator	,
> #empty_field	(empty)
> #unset_field	-
> #path	dns
> #open	2014-03-09-21-36-43
> #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
> #types	time	string	addr	port	addr	port	enum	count	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
> 1359400918.103641	CrJZTqkaJJe3L4VUk	10.69.49.58	41664	10.32.136.13	53	udp	22908	-	-	-	-	-	3	NXDOMAIN	F	F	F	F	0	-	-	F
> 1359400918.103390	CrJZTqkaJJe3L4VUk	10.69.49.58	41664	10.32.136.13	53	udp	31341	-	-	-	-	-	3	NXDOMAIN	F	F	F	F	0	-	-	F
> 1359400918.103013	CrJZTqkaJJe3L4VUk	10.69.49.58	41664	10.32.136.13	53	udp	50261	-	-	-	-	-	3	NXDOMAIN	F	F	F	F	0	-	-	F
> 1359400918.102517	CrJZTqkaJJe3L4VUk	10.69.49.58	41664	10.32.136.13	53	udp	14740	-	-	-	-	-	3	NXDOMAIN	F	F	F	F	0	-	-	F
> 1359400918.102812	CrJZTqkaJJe3L4VUk	10.69.49.58	41664	10.32.136.13	53	udp	58133	-	-	-	-	-	3	NXDOMAIN	F	F	F	F	0	-	-	F
> 1359400918.104054	CrJZTqkaJJe3L4VUk	10.69.49.58	41664	10.32.136.13	53	udp	45557	-	-	-	-	-	3	NXDOMAIN	F	F	F	F	0	-	-	F
> #close	2014-03-09-21-36-43
> {code}
> I'll provide the trace on request, don't want to attach it here.
>  



--
This message was sent by Atlassian JIRA
(v6.2-OD-10-004-WN#6253)


More information about the bro-dev mailing list