[Bro] Lying about DNS yields interesting bro entries
James Lay
jlay at slave-tothe-box.net
Mon Feb 1 15:31:39 PST 2016
Curious. I'll show the data first:
2016-02-01T08:48:12-0700 x.x.x.x 420 65.113.230.90 53 udp dns - - - SHR T F 0 d 0 0 1 73 (empty)
2016-02-01T08:48:12-0700 x.x.x.x 420 65.113.230.90 53 udp 21365 - - - - - 2 SERVFAIL F F F F 0 - - T
2016-02-01T08:48:12-0700 x.x.x.x 420 65.113.230.90 53 dns_unmatched_reply - F bro
Packet capture listening to udp port 420 (no other match for
65.113.230.90):
2016-02-01 08:48:12.311086633 65.113.230.90 -> x.x.x.x DNS 89 Standard
query response 0x5375 Server failure A otqxwnenalwb.www.1818my[.]com <
[] added by me
Syslog:
Feb 1 08:48:12 kernel: [157335.232732] IN=ppp0 OUT= MAC=
SRC=65.113.230.90 DST=x.x.x.x LEN=73 TOS=0x00 PREC=0x00 TTL=249 ID=23786
PROTO=UDP SPT=53 DPT=420 LEN=53
I guess my question is, is this desired behavior? I see the
dns_unmatched_reply, but it seems the first two entries never
happened...so should they be there? Thanks...more of a curious question
than anything else.
James
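The three log entries above all describe one event: a DNS response arrived on UDP port 420 with no request ever having left the host, so Bro records a conn.log row in which the originator sent zero packets, a dns.log row for the SERVFAIL, and a weird.log dns_unmatched_reply. The following is an added example, not code from the post or from the Bro project, showing how a defender can pick such unsolicited replies out of Bro's TSV logs and corroborate them against weird.log. It assumes the standard Bro 2.x conn.log and weird.log column sets (the post's own output omits the uid column); the log lines, uids and addresses embedded below are constructed sample data, not taken from the post.

```python
"""Flag unsolicited DNS replies in Bro TSV logs and corroborate them with weird.log.

Added example; assumes stock Bro 2.x #fields headers for conn.log and weird.log.
"""
from typing import Dict, List, Tuple

# Constructed sample conn.log: row 1 mirrors the post (responder-only traffic,
# orig_pkts=0, history 'd'); row 2 is an ordinary query/response pair.
CONN_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tlocal_resp"
    "\tmissed_bytes\thistory\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes"
    "\ttunnel_parents\n"
    "1454341692.311086\tCsample1\t192.0.2.10\t420\t203.0.113.90\t53\tudp\tdns"
    "\t-\t-\t-\tSHR\tT\tF\t0\td\t0\t0\t1\t73\t(empty)\n"
    "1454341700.000000\tCsample2\t192.0.2.10\t51000\t192.0.2.1\t53\tudp\tdns"
    "\t0.002\t40\t120\tSF\tT\tF\t0\tDd\t1\t68\t1\t148\t(empty)\n"
)

# Constructed sample weird.log with the matching dns_unmatched_reply.
WEIRD_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tname\taddl"
    "\tnotice\tpeer\n"
    "1454341692.311086\tCsample1\t192.0.2.10\t420\t203.0.113.90\t53"
    "\tdns_unmatched_reply\t-\tF\tbro\n"
)


def parse_bro_log(text: str) -> List[Dict[str, str]]:
    """Parse a Bro TSV log body into dicts keyed by the names in its #fields line."""
    fields = None
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):  # other header/footer lines (#separator, #close, ...)
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        rows.append(dict(zip(fields, values)))
    return rows


def four_tuple(row: Dict[str, str]) -> Tuple[str, str, str, str]:
    """Connection identity shared by conn.log and weird.log rows."""
    return (row["id.orig_h"], row["id.orig_p"], row["id.resp_h"], row["id.resp_p"])


def is_unsolicited_dns_reply(conn: Dict[str, str]) -> bool:
    """True when a UDP/53 connection carried responder packets but no originator packets.

    This is exactly the shape of the post's conn.log row: the local host never sent
    a query, yet Bro logged a flow because a reply showed up for it.
    """
    if conn["proto"] != "udp" or conn["id.resp_p"] != "53":
        return False
    orig_pkts = int(conn["orig_pkts"]) if conn["orig_pkts"] != "-" else 0
    resp_pkts = int(conn["resp_pkts"]) if conn["resp_pkts"] != "-" else 0
    return orig_pkts == 0 and resp_pkts > 0


def find_unsolicited(conn_text: str, weird_text: str) -> List[Dict[str, object]]:
    """Return one finding per unsolicited DNS reply, noting whether weird.log agrees."""
    weird_keys = {
        four_tuple(w) for w in parse_bro_log(weird_text)
        if w["name"] == "dns_unmatched_reply"
    }
    findings: List[Dict[str, object]] = []
    for conn in parse_bro_log(conn_text):
        if not is_unsolicited_dns_reply(conn):
            continue
        findings.append({
            "uid": conn["uid"],
            "sender": conn["id.resp_h"],          # the remote host that sent the reply
            "target": conn["id.orig_h"],
            "target_port": conn["id.orig_p"],
            "corroborated": four_tuple(conn) in weird_keys,
        })
    return findings


if __name__ == "__main__":
    for f in find_unsolicited(CONN_LOG, WEIRD_LOG):
        print(f)
```

Run against real logs by reading conn.log and weird.log into the two text arguments; Bro writes the #fields header itself, so the parser needs no column list of its own. Matching on orig_pkts rather than on the SHR conn_state keeps the check independent of how a given Bro version labels responder-only UDP flows.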