[Bro-Dev] [JIRA] (BIT-1153) DNS inconsistency
Jon Siwek (JIRA)
jira at bro-tracker.atlassian.net
Mon Mar 10 09:40:18 PDT 2014
[ https://bro-tracker.atlassian.net/browse/BIT-1153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15719#comment-15719 ]
Jon Siwek commented on BIT-1153:
--------------------------------
topic/jsiwek/bit-1153 in bro, bro-testing, bro-testing-private
> DNS inconsistency
> -----------------
>
> Key: BIT-1153
> URL: https://bro-tracker.atlassian.net/browse/BIT-1153
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Reporter: Robin Sommer
> Fix For: 2.3
>
>
> Something's not deterministic in the DNS analyzer, this is with a small trace of just 6 empty DNS replies with different transaction IDs:
> {code}
> # ( bro -b -r dns2-anon.trace base/protocols/dns && cat dns.log ) >>log
> # ( bro -b -r dns2-anon.trace base/protocols/dns && cat dns.log ) >>log
> # ( bro -b -r dns2-anon.trace base/protocols/dns && cat dns.log ) >>log
> # cat log
> #separator \x09
> #set_separator ,
> #empty_field (empty)
> #unset_field -
> #path dns
> #open 2014-03-09-21-36-40
> #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
> #types time string addr port addr port enum count string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
> 1359400918.103013 C3UnB71Lb5jHQuxYi9 10.69.49.58 41664 10.32.136.13 53 udp 50261 - - - - - 3 NXDOMAIN F F F F 0 - - F
> 1359400918.102517 C3UnB71Lb5jHQuxYi9 10.69.49.58 41664 10.32.136.13 53 udp 14740 - - - - - 3 NXDOMAIN F F F F 0 - - F
> 1359400918.103641 C3UnB71Lb5jHQuxYi9 10.69.49.58 41664 10.32.136.13 53 udp 22908 - - - - - 3 NXDOMAIN F F F F 0 - - F
> 1359400918.102812 C3UnB71Lb5jHQuxYi9 10.69.49.58 41664 10.32.136.13 53 udp 58133 - - - - - 3 NXDOMAIN F F F F 0 - - F
> #close 2014-03-09-21-36-40
> #separator \x09
> #set_separator ,
> #empty_field (empty)
> #unset_field -
> #path dns
> #open 2014-03-09-21-36-42
> #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
> #types time string addr port addr port enum count string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
> 1359400918.102812 CF4yYh4S0wIWnHYKka 10.69.49.58 41664 10.32.136.13 53 udp 58133 - - - - - 3 NXDOMAIN F F F F 0 - - F
> 1359400918.104054 CF4yYh4S0wIWnHYKka 10.69.49.58 41664 10.32.136.13 53 udp 45557 - - - - - 3 NXDOMAIN F F F F 0 - - F
> 1359400918.103013 CF4yYh4S0wIWnHYKka 10.69.49.58 41664 10.32.136.13 53 udp 50261 - - - - - 3 NXDOMAIN F F F F 0 - - F
> 1359400918.102517 CF4yYh4S0wIWnHYKka 10.69.49.58 41664 10.32.136.13 53 udp 14740 - - - - - 3 NXDOMAIN F F F F 0 - - F
> 1359400918.103390 CF4yYh4S0wIWnHYKka 10.69.49.58 41664 10.32.136.13 53 udp 31341 - - - - - 3 NXDOMAIN F F F F 0 - - F
> #close 2014-03-09-21-36-42
> #separator \x09
> #set_separator ,
> #empty_field (empty)
> #unset_field -
> #path dns
> #open 2014-03-09-21-36-43
> #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
> #types time string addr port addr port enum count string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
> 1359400918.103641 CrJZTqkaJJe3L4VUk 10.69.49.58 41664 10.32.136.13 53 udp 22908 - - - - - 3 NXDOMAIN F F F F 0 - - F
> 1359400918.103390 CrJZTqkaJJe3L4VUk 10.69.49.58 41664 10.32.136.13 53 udp 31341 - - - - - 3 NXDOMAIN F F F F 0 - - F
> 1359400918.103013 CrJZTqkaJJe3L4VUk 10.69.49.58 41664 10.32.136.13 53 udp 50261 - - - - - 3 NXDOMAIN F F F F 0 - - F
> 1359400918.102517 CrJZTqkaJJe3L4VUk 10.69.49.58 41664 10.32.136.13 53 udp 14740 - - - - - 3 NXDOMAIN F F F F 0 - - F
> 1359400918.102812 CrJZTqkaJJe3L4VUk 10.69.49.58 41664 10.32.136.13 53 udp 58133 - - - - - 3 NXDOMAIN F F F F 0 - - F
> 1359400918.104054 CrJZTqkaJJe3L4VUk 10.69.49.58 41664 10.32.136.13 53 udp 45557 - - - - - 3 NXDOMAIN F F F F 0 - - F
> #close 2014-03-09-21-36-43
> {code}
> I'll provide the trace on request; I don't want to attach it here.
>
--
This message was sent by Atlassian JIRA
(v6.2-OD-10-004-WN#6253)
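The report above shows the check being done by hand: run bro three times on the same trace, append each dns.log to one file and eyeball the row counts. The script below automates that comparison. It is an added example written for this page, not code from Bro or from the bug tracker. It parses Bro's tab-separated log format (the `#separator`, `#fields`, `#unset_field`, `#open` and `#close` header lines visible in the report), treats every `#open`/`#close` block as one run, ignores the `uid` column (Bro assigns a fresh random connection id per run, so it legitimately differs) and reports which DNS transaction IDs each run failed to log. The embedded sample is the three runs from the report, re-joined with real tabs because the mailing-list copy flattened them to spaces; `make_log`, `parse_bro_logs`, `compare_runs` and `is_deterministic` are names chosen here.

```python
"""Check repeated Bro runs on one trace for missing dns.log records.

Added example for the BIT-1153 report; not part of Bro or of the tracker.
"""
import sys
from collections import Counter

# Column layout copied from the #fields / #types lines in the report.
HEADER_FIELDS = ("ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query "
                 "qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z "
                 "answers TTLs rejected").split()
HEADER_TYPES = ("time string addr port addr port enum count string count string count "
                "string count string bool bool bool bool count vector[string] "
                "vector[interval] bool").split()


def make_log(uid, stamp, replies):
    """Build one dns.log block in Bro's TSV format from (ts, trans_id) pairs.

    Every other column carries the constant values seen in the report
    (empty NXDOMAIN replies from 10.32.136.13:53 to 10.69.49.58:41664).
    """
    lines = ["#separator \\x09", "#set_separator ,", "#empty_field (empty)",
             "#unset_field -", "#path dns", "#open " + stamp,
             "#fields\t" + "\t".join(HEADER_FIELDS),
             "#types\t" + "\t".join(HEADER_TYPES)]
    for ts, trans_id in replies:
        lines.append("\t".join([ts, uid, "10.69.49.58", "41664", "10.32.136.13", "53",
                                "udp", trans_id, "-", "-", "-", "-", "-", "3", "NXDOMAIN",
                                "F", "F", "F", "F", "0", "-", "-", "F"]))
    lines.append("#close " + stamp)
    return "\n".join(lines) + "\n"


# Constructed sample: the three runs from the report, concatenated like the
# reporter's `log` file (4, 5 and 6 rows for the same six-reply trace).
SAMPLE_LOG = "".join([
    make_log("C3UnB71Lb5jHQuxYi9", "2014-03-09-21-36-40", [
        ("1359400918.103013", "50261"), ("1359400918.102517", "14740"),
        ("1359400918.103641", "22908"), ("1359400918.102812", "58133")]),
    make_log("CF4yYh4S0wIWnHYKka", "2014-03-09-21-36-42", [
        ("1359400918.102812", "58133"), ("1359400918.104054", "45557"),
        ("1359400918.103013", "50261"), ("1359400918.102517", "14740"),
        ("1359400918.103390", "31341")]),
    make_log("CrJZTqkaJJe3L4VUk", "2014-03-09-21-36-43", [
        ("1359400918.103641", "22908"), ("1359400918.103390", "31341"),
        ("1359400918.103013", "50261"), ("1359400918.102517", "14740"),
        ("1359400918.102812", "58133"), ("1359400918.104054", "45557")]),
])


def _split_header(line, sep):
    """Split '#key<delim>value'. Real logs use the field separator after the
    key; the copy in the report shows a space, so accept either."""
    body = line[1:]
    for delim in (sep, " "):
        if delim in body:
            return body.split(delim, 1)
    return body, ""


def parse_bro_logs(text):
    """Return one list of record dicts per #open/#close block; unset fields become None."""
    runs, records, fields, sep, unset = [], [], [], "\t", "-"
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            key, value = _split_header(line, sep)
            if key == "separator":            # e.g. '\x09' written as an escape
                sep = value.encode("ascii").decode("unicode_escape")
            elif key == "unset_field":
                unset = value
            elif key == "fields":
                fields = value.split(sep)
            elif key == "open":
                records = []
            elif key == "close":
                runs.append(records)
            continue
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        records.append({f: (None if v == unset else v) for f, v in zip(fields, values)})
    return runs


IGNORED = {"uid"}   # random per-connection id; differs between runs by design


def _record_key(rec):
    return tuple(sorted((k, v) for k, v in rec.items() if k not in IGNORED))


def compare_runs(runs, id_field="trans_id"):
    """For each run, the ids (sorted numerically) that some other run logged but this one did not."""
    expected = {rec[id_field] for run in runs for rec in run}
    return [sorted(expected - {rec[id_field] for rec in run}, key=int) for run in runs]


def is_deterministic(runs):
    """True when every run yields exactly the same multiset of records (uid ignored)."""
    counts = [Counter(_record_key(rec) for rec in run) for run in runs]
    return all(c == counts[0] for c in counts[1:])


def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    runs = parse_bro_logs(text)
    for i, (run, gaps) in enumerate(zip(runs, compare_runs(runs)), 1):
        print(f"run {i}: {len(run)} records, missing trans_id {gaps or 'none'}")
    ok = is_deterministic(runs)
    print("deterministic:", ok)
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no argument to see the report's own data (run 1 lacks 31341 and 45557, run 2 lacks 22908, run 3 is complete, so the runs are not deterministic), or point it at a file built the way the report does (`( bro -b -r trace base/protocols/dns && cat dns.log ) >>log`, repeated) to check a local build. The records are compared on every column except `uid`, so a run that logs all six replies but with different field values would also be flagged, which a plain row count would miss.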