[Bro] Lying about DNS yields interesting bro entries
James Lay
jlay at slave-tothe-box.net
Tue Feb 2 09:01:45 PST 2016
On 2016-02-02 09:20, Seth Hall wrote:
>> On Feb 1, 2016, at 6:31 PM, James Lay <jlay at slave-tothe-box.net>
>> wrote:
>>
>> I guess my question is, is this desired behavior? I see the
>> dns_unmatched_reply, but it seems the first two entries never
>> happened...so should they be there? Thanks...more of a curious
>> question
>> more than anything else.
>
> Which two entries are you referring to? This looks correct to me. It
> looks like you saw a stray DNS response message, but there was no
> query.
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
Hi Seth,
Pretty sure this is me missing something first off. But to be honest
all the entries:
2016-02-01T08:48:12-0700 x.x.x.x 420 65.113.230.90 53 udp dns - - - SHR T F 0 d 0 0 1 73 (empty)
2016-02-01T08:48:12-0700 x.x.x.x 420 65.113.230.90 53 udp 21365 - - - - - 2 SERVFAIL F F F F 0 - - T
2016-02-01T08:48:12-0700 x.x.x.x 420 65.113.230.90 53 dns_unmatched_reply - F bro
The above says to me "x.x.x.x sent data to 65.113.230.90 on port 53, and
got a servfail response, and this was actually an unmatched dns
response". But in reality, this is what happened:
2016-02-01T08:48:12-0700 65.113.230.90 53 x.x.x.x 420 dns_unmatched_reply - F bro
65.113.230.90 was the id.orig_h, not x.x.x.x, but as I read the first
three they state that x.x.x.x was the id.orig_h. But in fact per this
drop:
Feb 1 08:48:12 kernel: [157335.232732] IN=ppp0 OUT= MAC= SRC=65.113.230.90 DST=x.x.x.x LEN=73 TOS=0x00 PREC=0x00 TTL=249 ID=23786 PROTO=UDP SPT=53 DPT=420 LEN=53
x.x.x.x did not send any traffic to 65.113.230.90, even though conn,
dns, and weird. As I look at it though, I think it's me needing to get
over reading left to right with Bro :) Thanks Seth...hope that makes
sense.
James
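An added example, not from the thread or the Bro project: a small Python script that parses the conn.log and weird.log records quoted above (field order assumed to match them, with no uid column, and the x.x.x.x placeholder kept) and reports which host actually transmitted, using the history letter case and packet counts instead of reading id.orig_h as "the sender".

```python
# Added example: recover the real packet sender from a Bro conn.log record
# whose orientation does not match who sent the packet (e.g. a stray DNS
# reply arriving from port 53). Field order is assumed to match the thread's
# records, which carry no uid column.

CONN_FIELDS = (
    "ts id.orig_h id.orig_p id.resp_h id.resp_p proto service duration "
    "orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes "
    "history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents"
).split()

WEIRD_FIELDS = "ts id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer".split()

# Constructed sample records, copied from the thread with its x.x.x.x placeholder.
CONN_LINE = ("2016-02-01T08:48:12-0700 x.x.x.x 420 65.113.230.90 53 udp dns - - - "
             "SHR T F 0 d 0 0 1 73 (empty)")
WEIRD_LINE = "2016-02-01T08:48:12-0700 x.x.x.x 420 65.113.230.90 53 dns_unmatched_reply - F bro"


def parse(line, fields):
    """Split a whitespace-separated log line into a dict keyed by field name."""
    values = line.split()
    if len(values) != len(fields):
        raise ValueError(f"expected {len(fields)} fields, got {len(values)}")
    return dict(zip(fields, values))


def actual_sender(conn):
    """Return (sender, receiver, note).

    In the history string, upper-case letters are packets from id.orig_h and
    lower-case letters packets from id.resp_h (newer Zeek also prefixes '^'
    when its heuristic flipped the orientation). If every packet seen came
    from the responder side, id.resp_h is the host that actually transmitted.
    """
    hist = conn["history"].lstrip("^")
    orig_pkts, resp_pkts = int(conn["orig_pkts"]), int(conn["resp_pkts"])
    if orig_pkts == 0 and resp_pkts > 0 and hist and hist == hist.lower():
        return conn["id.resp_h"], conn["id.orig_h"], "only responder-side packets seen"
    return conn["id.orig_h"], conn["id.resp_h"], "originator sent packets"


def explain(conn_line, weird_line):
    """Combine the conn and weird records into a direction-corrected summary."""
    conn = parse(conn_line, CONN_FIELDS)
    weird = parse(weird_line, WEIRD_FIELDS)
    sender, receiver, note = actual_sender(conn)
    stray = weird["name"] == "dns_unmatched_reply" and sender == conn["id.resp_h"]
    return {"sender": sender, "receiver": receiver, "note": note, "stray_reply": stray}


if __name__ == "__main__":
    print(explain(CONN_LINE, WEIRD_LINE))
```

On the thread's records this reports 65.113.230.90 as the sender and x.x.x.x as the receiver, matching the kernel drop line rather than the left-to-right reading of the conn entry.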