[Bro] Lying about DNS yields interesting bro entries

anthony kasza anthony.kasza at gmail.com
Tue Feb 2 10:56:11 PST 2016 

It sounds like the oddness is around the orig_h and resp_h of unmatched
replies.
Which system originated a connection of an unmatched DNS reply? That begs
the question: was the reply unsolicited or did Bro miss the request?

-AK
On Feb 2, 2016 9:18 AM, "James Lay" <jlay at slave-tothe-box.net> wrote:

> On 2016-02-02 09:20, Seth Hall wrote:
> >> On Feb 1, 2016, at 6:31 PM, James Lay <jlay at slave-tothe-box.net>
> >> wrote:
> >>
> >> I guess my question is, is this desired behavior?  I see the
> >> dns_unmatched_reply, but it seems the first two entries never
> >> happened...so should they be there?  Thanks...more of a curious
> >> question
> >> more than anything else.
> >
> > Which two entries are you referring to?  This looks correct to me.  It
> > looks like you saw a stray DNS response message, but there was no
> > query.
> >
> >   .Seth
> >
> > --
> > Seth Hall
> > International Computer Science Institute
> > (Bro) because everyone has a network
> > http://www.bro.org/
>
> Hi Seth,
>
> Pretty sure this is me missing something first off.  But to be honest
> all the entries:
>
> 2016-02-01T08:48:12-0700  x.x.x.x    420     65.113.230.90   53      udp
>      dns     -       -       -       SHR     T      F0       d       0
>     0       1       73      (empty)
> 2016-02-01T08:48:12-0700  x.x.x.x    420     65.113.230.90   53      udp
>      21365   -       -       -       -       -      2SERVFAIL        F
>     F       F       F       0       -       -       T
> 2016-02-01T08:48:12-0700  x.x.x.x    420     65.113.230.90   53
> dns_unmatched_reply     -       F       bro
>
>
> The above says to me "x.x.x.x sent data to 65.113.230.90 on port 53, and
> got a servfail response, and this was actually an unmatched dns
> response".  But in reality, this is what happened:
>
> 2016-02-01T08:48:12-0700  65.113.230.90    53   x.x.x.x    420
> dns_unmatched_reply     -       F       bro
>
> 65.113.230.90 was the id.orig_h, not x.x.x.x, but as I read the first
> three they state that x.x.x.x was the id.orig_h.  But in fact per this
> drop:
>
> Feb  1 08:48:12 kernel: [157335.232732] IN=ppp0 OUT= MAC=
> SRC=65.113.230.90 DST=x.x.x.x LEN=73 TOS=0x00 PREC=0x00 TTL=249 ID=23786
> PROTO=UDP SPT=53 DPT=420 LEN=53
>
> x.x.x.x did not send any traffic to 65.113.230.90, even though conn,
> dns, and weird.  As I look at it though, I think it's me needing to get
> over reading left to right with Bro :)  Thanks Seth...hope that makes
> sense.
>
> James
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160202/6164d011/attachment-0001.html

More information about the Bro mailing list