[Bro] Dns Analyzer Update RR length pb without binpac
rmkml
rmkml at free.fr
Tue Oct 21 21:55:06 PDT 2008
Hi,
Congratulations on this new version and a very interesting project!
During my testing, I found these events:
weird.log:1224565229.149226 10.100.11.225/61643 > 141.202.248.31/dns: DNS_RR_length_mismatch
weird.log:1224565229.149226 10.100.11.225/61643 > 141.202.248.31/dns: DNS_truncated_RR_rdlength_lt_len
Start bro with:
bro140ipv6 -r bro140_dns_rr_length_two_problems.pcap dns
Bro prints the scripts:
bro140ipv6 -r bro140_dns_rr_length_two_problems.pcap dns -l
-> policy/bro.init
-> policy/const.bif.bro
-> policy/strings.bif.bro
-> policy/bro.bif.bro
-> policy/event.bif.bro
-> policy/common-rw.bif.bro
-> policy/finger-rw.bif.bro
-> policy/ftp-rw.bif.bro
-> policy/ident-rw.bif.bro
-> policy/smtp-rw.bif.bro
-> policy/http-rw.bif.bro
-> policy/dns-rw.bif.bro
-> policy/pcap.bro
-> policy/server-ports.bro
-> policy/dns.bro
-> policy/notice.bro
-> policy/drop.bro
-> policy/notice-action-filters.bro
-> policy/site.bro
-> policy/terminate-connection.bro
-> policy/weird.bro
-> policy/port-name.bro
-> policy/udp-common.bro
-> policy/hot.bro
-> policy/conn.bro
-> policy/netstats.bro
-> policy/conn-id.bro
-> policy/scan.bro
-> policy/trw-impl.bro
-> policy/dns-info.bro
and the dns.log file contains:
1224565229.149226 #1 10.100.11.225/61643 > 141.202.248.31/dns start
1224565229.149226 #1 10.100.11.225 <query ?SOA> security.com Trunc:F Recurs:F
1224565229.149226 #1 10.100.11.225 SOA security.com <query addl = 2/0/0> = <ans CNAME> CNAME hp.security.com RCode:NOERROR AA=F TR=F 1/2/0/0 TTL=0
1224565229.293102 #1 finish
If I start Bro with binpac, I have NO "error" in the weird.log file:
bro140ipv6 --use-binpac -r bro140_dns_rr_length_two_problems.pcap dns
and the dns.log file contains:
1224565229.149226 #1 10.100.11.225/61643 > 141.202.248.31/dns start
1224565229.149226 #1 10.100.11.225 <query ?SOA> security.com Trunc:F Recurs:F
1224565229.149226 #1 10.100.11.225 SOA security.com <query addl = 2/0/0> = <ans CNAME> CNAME RCode:NOERROR AA=F TR=F 1/2/0/0 TTL=0
1224565229.149226 #1 10.100.11.225 <ans A> 10.100.11.225 RCode:NOERROR AA=F TR=F 1/2/0/0 TTL=0
1224565229.293102 #1 finish
Pcap file attached.
Regards
Rmkml
Crusoe-Researches.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bro140_dns_rr_length_two_problems.pcap.gz
Type: application/octet-stream
Size: 223 bytes
Desc:
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20081022/eb68ba16/attachment.obj
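The two weird events in the post come from Bro checking an RR's RDLENGTH against the RDATA it actually decodes. As an added example (not Bro's code, and not a reconstruction of the attached pcap, which is not on the page), the Python below applies the same kind of check to a DNS message: it decodes each RR's typed RDATA, compares the bytes consumed with the RDLENGTH on the wire, and labels the outcomes. The two labels DNS_truncated_RR_rdlength_lt_len and DNS_RR_length_mismatch are Bro's names as they appear in the post's weird.log; DNS_RR_rdlength_past_end is a hypothetical label of this example, and the sample messages are constructed here to mirror the names and address in the dns.log above.

```python
"""Check DNS RR RDLENGTH against the bytes the typed RDATA really occupies.

Added example, not Bro's code. Two labels reuse the weird names from the post;
the checks, the third label and the sample messages are this example's own.
"""
import struct

WEIRD_RDLEN_LT_LEN = "DNS_truncated_RR_rdlength_lt_len"  # Bro's name, from the post
WEIRD_LEN_MISMATCH = "DNS_RR_length_mismatch"            # Bro's name, from the post
WEIRD_TRUNCATED = "DNS_RR_rdlength_past_end"             # hypothetical label of this example

TYPE_A, TYPE_NS, TYPE_CNAME, TYPE_SOA, TYPE_PTR = 1, 2, 5, 6, 12
TYPE_NAMES = {TYPE_A: "A", TYPE_NS: "NS", TYPE_CNAME: "CNAME", TYPE_SOA: "SOA", TYPE_PTR: "PTR"}


def read_name(msg, off, depth=0):
    """Decode a possibly compressed name at off; return (name, bytes consumed at off)."""
    labels, start = [], off
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        n = msg[off]
        if n & 0xC0 == 0xC0:                       # compression pointer ends the name
            if off + 1 >= len(msg) or depth > 10:  # depth bound stops pointer loops
                raise ValueError("bad compression pointer")
            ptr = ((n & 0x3F) << 8) | msg[off + 1]
            tail, _ = read_name(msg, ptr, depth + 1)
            labels.append(tail)
            return ".".join(l for l in labels if l), off + 2 - start
        off += 1
        if n == 0:
            return ".".join(labels), off - start
        labels.append(msg[off:off + n].decode("ascii", "replace"))
        off += n


def parse_rdata(msg, off, rtype):
    """Return (decoded RDATA, bytes the typed RDATA occupies), or (None, None) if unknown."""
    if rtype == TYPE_A:
        return ".".join(str(b) for b in msg[off:off + 4]), 4
    if rtype in (TYPE_NS, TYPE_CNAME, TYPE_PTR):
        return read_name(msg, off)
    if rtype == TYPE_SOA:
        mname, n1 = read_name(msg, off)
        rname, n2 = read_name(msg, off + n1)
        fixed = struct.unpack("!IIIII", msg[off + n1 + n2:off + n1 + n2 + 20])
        return (mname, rname) + fixed, n1 + n2 + 20
    return None, None


def parse_message(msg):
    """Parse a DNS message; return (records, weird) where weird lists RDLENGTH problems."""
    records, weird = [], []
    if len(msg) < 12:
        raise ValueError("truncated header")
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        name, n = read_name(msg, off)
        if off + n + 4 > len(msg):
            raise ValueError("truncated question")
        qtype, _qclass = struct.unpack("!HH", msg[off + n:off + n + 4])
        records.append(("query", name, TYPE_NAMES.get(qtype, qtype)))
        off += n + 4
    for section, count in (("ans", an), ("auth", ns), ("addl", ar)):
        for _ in range(count):
            name, n = read_name(msg, off)
            off += n
            if off + 10 > len(msg):
                weird.append(WEIRD_TRUNCATED)
                return records, weird
            rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if off + rdlength > len(msg):              # RDLENGTH claims bytes the message lacks
                weird.append(WEIRD_TRUNCATED)
                return records, weird
            rdata, used = parse_rdata(msg, off, rtype)
            records.append((section, name, TYPE_NAMES.get(rtype, rtype), rdata))
            if used is not None and used > rdlength:   # typed RDATA overran its RDLENGTH
                weird.append(WEIRD_RDLEN_LT_LEN)
                return records, weird                  # later RRs would be parsed from garbage
            if used is not None and used != rdlength:  # typed RDATA shorter than RDLENGTH
                weird.append(WEIRD_LEN_MISMATCH)
            off += rdlength                            # always advance by the wire-declared length
    return records, weird


def build_response(cname_rdlength, a_rdlength, pad=b""):
    """Constructed response: security.com SOA query, CNAME hp.security.com answer,
    additional A 10.100.11.225. The caller chooses the RDLENGTH values written on the wire."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
    question = b"\x08security\x03com\x00" + struct.pack("!HH", TYPE_SOA, 1)
    # offset 12 = "security.com" in the question, offset 42 = "hp.security.com" in the answer
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_CNAME, 1, 0, cname_rdlength) + b"\x02hp\xc0\x0c"
    addl = b"\xc0\x2a" + struct.pack("!HHIH", TYPE_A, 1, 0, a_rdlength) + bytes([10, 100, 11, 225])
    return header + question + answer + addl + pad


if __name__ == "__main__":
    for label, msg in (("correct", build_response(5, 4)),
                       ("rdlength too small", build_response(3, 4)),
                       ("rdlength too large", build_response(5, 6, b"\x00\x00")),
                       ("rdlength past end", build_response(5, 6))):
        records, weird = parse_message(msg)
        print(label, records, weird)
```

The point of reconciling both lengths is that neither alone is trustworthy on hostile input: a parser that only honours RDLENGTH will emit a record whose decoded contents were read from the next RR's bytes, while one that only follows the typed structure silently loses alignment with the sender's framing. A monitor wants to see the record and the discrepancy, which is why the example reports both and stops once the typed data has overrun its declared length.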