[Bro] Lying about DNS yields interesting bro entries
Seth Hall
seth at icir.org
Tue Feb 2 20:59:40 PST 2016
> On Feb 2, 2016, at 8:50 PM, James Lay <jlay at slave-tothe-box.net> wrote:
>
> 2016-02-01T08:48:12-0700 65.113.230.90 420 x.x.x.x 53 dns_unmatched_reply - F bro
>
> Not trying to beat a dead horse here...just trying to understand how Bro is treating a DNS response that it never saw requested. Thanks all.
Hah, not a problem. A lot of this stuff has so many edge cases and fairly arbitrary decisions on how to handle various situations deep down in scripts.
I am actually seeing the issue you're getting now. It's like the IP addresses were flipped but the ports weren't. To be completely honest, I don't know what's causing that without seeing the actual traffic. Could you send a packet that causes this behavior?
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
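The question in this thread is how a DNS reply with no matching request gets classified. Below is an added example, not Bro's code and not written by anyone on the list: a simplified Python model of the "unmatched reply" decision (outstanding queries tracked by address pair plus transaction ID; a response with no pending entry yields the weird name), together with a parser for a weird.log line in the nine-column layout of the line James posted. The DNS bytes, the 192.0.2.10 stand-in for x.x.x.x, the column order, and the "reply arriving at port 53" check are all assumptions or constructed sample data.

```python
"""Simplified model of the dns_unmatched_reply decision (added example, not Bro's code)."""
import struct

DNS_FLAG_QR = 0x8000  # bit 15 of the DNS flags word: 0 = query, 1 = response

# Assumed column order for the weird.log line shown in the post (no uid column present).
WEIRD_FIELDS = ("ts", "orig_h", "orig_p", "resp_h", "resp_p", "name", "addl", "notice", "peer")


def build_dns(txid: int, response: bool, qname: str = "example.com") -> bytes:
    """Construct a minimal DNS message with one A question (sample data only)."""
    flags = DNS_FLAG_QR if response else 0x0100  # response, or query with RD set
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # qd=1, an/ns/ar=0
    question = b"".join(bytes([len(label)]) + label.encode() for label in qname.split("."))
    question += b"\x00" + struct.pack("!HH", 1, 1)  # root label, QTYPE A, QCLASS IN
    return header + question


def parse_dns_header(payload: bytes):
    """Return (txid, is_response) from the 12-byte DNS header."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", payload[:4])
    return txid, bool(flags & DNS_FLAG_QR)


class DnsReplyTracker:
    """Track outstanding queries and flag responses that match none of them."""

    def __init__(self):
        # (client_h, client_p, server_h, server_p, txid) of every query still awaiting a reply
        self.pending = set()

    def observe(self, src_h, src_p, dst_h, dst_p, payload):
        """Feed one UDP datagram; return the list of weird names it triggers."""
        txid, is_response = parse_dns_header(payload)
        if not is_response:
            self.pending.add((src_h, src_p, dst_h, dst_p, txid))
            return []
        # A reply travels server -> client, so look the tuple up reversed.
        key = (dst_h, dst_p, src_h, src_p, txid)
        if key in self.pending:
            self.pending.remove(key)
            return []
        return ["dns_unmatched_reply"]


def parse_weird_line(line: str) -> dict:
    """Split one weird.log line in the assumed nine-column layout into a record."""
    cols = line.split()
    if len(cols) != len(WEIRD_FIELDS):
        raise ValueError(f"expected {len(WEIRD_FIELDS)} columns, got {len(cols)}")
    rec = dict(zip(WEIRD_FIELDS, cols))
    rec["orig_p"] = int(rec["orig_p"])
    rec["resp_p"] = int(rec["resp_p"])
    return rec


def reply_aimed_at_server_port(rec: dict, server_port: int = 53) -> bool:
    """Heuristic (my own, not Bro's): an unmatched reply whose connection has the
    DNS server port on the responder side, i.e. a response-flagged datagram that
    was sent toward port 53 rather than from it, as in the posted line."""
    return rec["name"] == "dns_unmatched_reply" and rec["resp_p"] == server_port


def demo():
    """Run a constructed sequence through the tracker and return the weirds raised."""
    tracker = DnsReplyTracker()
    weirds = []
    # 1. Normal exchange: query, then the matching reply (constructed addresses).
    weirds += tracker.observe("10.0.0.5", 40000, "10.0.0.53", 53, build_dns(0x1234, False))
    weirds += tracker.observe("10.0.0.53", 53, "10.0.0.5", 40000, build_dns(0x1234, True))
    # 2. Response-flagged datagram sent toward port 53 with no query on record,
    #    shaped like the posted line (65.113.230.90:420 -> x.x.x.x:53; x.x.x.x stands in as 192.0.2.10).
    weirds += tracker.observe("65.113.230.90", 420, "192.0.2.10", 53, build_dns(0x4242, True))
    return weirds


if __name__ == "__main__":
    print(demo())
    posted = "2016-02-01T08:48:12-0700 65.113.230.90 420 x.x.x.x 53 dns_unmatched_reply - F bro"
    rec = parse_weird_line(posted)
    print(rec["name"], "toward server port:", reply_aimed_at_server_port(rec))
```

The tracker only models the matching rule; the real analyzer also cares about state expiry and connection orientation, which is why a packet capture, as Seth asks for, is what settles the flipped-address question.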