[Bro] Lying about DNS yields interesting bro entries
Jan Grashöfer
jan.grashoefer at gmail.com
Wed Feb 3 02:28:55 PST 2016
Hi,
> I am actually seeing the issue you're getting now. It's like the IP addresses were flipped but the ports weren't. To be completely honest, I don't know what's causing that without seeing the actual traffic. Could you send a packet that causes this behavior?
I think you are talking past each other. If I am not mistaken, James is
struggling with the originator/responder pattern of Bro. I guess he just
forgot to swap ports in his made-up log line.
So the question would be: Why is the source IP logged as the responder's
IP for the unmatched reply?
That would be because source/destination is not equal to
originator/responder. At first Bro assumes the source is the originator.
But then Bro identifies the packet as a DNS response and therefore
determines the source IP as the responder's IP. So orig/resp get flipped
as Seth wrote:
> Bro is also (correctly) flipping the connection around which you can see in the conn.log because the originator of the "connection" never sent any packets.
Did I get this right, James, or are you really struggling with flipped
ports?
Jan
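To make the orig/resp flip Jan describes concrete, here is a small added illustration (my own example, not Bro's code and not taken from the thread). It assumes the rule as stated in the message: the source of the first packet seen is provisionally the originator, but if that packet's payload parses as a DNS response (QR bit set), the source must actually be the responder, so the endpoints are swapped before the record is written. The packets, addresses and ports below are constructed sample data; names such as classify_first_packet are my own.

```python
"""Originator/responder assignment for a lone DNS reply (added example).

Not Bro's own implementation; it only mimics the behaviour described in the
thread: source is assumed to be the originator until the payload is
recognised as a DNS response, at which point orig/resp are flipped.
"""
import struct
from typing import Optional

DNS_PORT = 53


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return labels + b"\x00"


def build_dns(txid: int, response: bool, name: str,
              answer_ip: Optional[str] = None) -> bytes:
    """Construct a minimal DNS query or A-record response (sample data only)."""
    flags = 0x8180 if response else 0x0100      # QR|RD|RA for a reply, RD for a query
    ancount = 1 if (response and answer_ip) else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    payload = header + question
    if ancount:
        rdata = bytes(int(octet) for octet in answer_ip.split("."))
        # NAME = pointer to offset 12, TYPE A, CLASS IN, TTL 300, RDLENGTH 4
        payload += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + rdata
    return payload


def parse_dns_header(payload: bytes) -> dict:
    """Parse the fixed 12-byte DNS header; raise on a truncated packet."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    return {
        "id": txid,
        "qr": (flags >> 15) & 1,          # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify_first_packet(src_h: str, src_p: int, dst_h: str, dst_p: int,
                          payload: bytes) -> dict:
    """Return orig/resp endpoints for a flow whose first packet is this one.

    Step 1: assume source == originator (what a plain 5-tuple would say).
    Step 2: if the payload is a DNS *response*, the source is really the
            responder, so swap the endpoints (the flip seen in conn.log).
    """
    conn = {"orig_h": src_h, "orig_p": src_p,
            "resp_h": dst_h, "resp_p": dst_p, "flipped": False}
    if DNS_PORT not in (src_p, dst_p):
        return conn                       # not DNS as far as ports tell us
    try:
        hdr = parse_dns_header(payload)
    except ValueError:
        return conn                       # unparsable: keep the naive view
    if hdr["qr"] == 1:
        conn = {"orig_h": dst_h, "orig_p": dst_p,
                "resp_h": src_h, "resp_p": src_p, "flipped": True}
    return conn


if __name__ == "__main__":
    # Constructed "lying" reply: a response arrives with no preceding query.
    reply = build_dns(0x1234, True, "example.com", "192.0.2.10")
    print(classify_first_packet("198.51.100.53", 53, "192.0.2.5", 40000, reply))
    # Constructed normal query for comparison: nothing is flipped.
    query = build_dns(0x1234, False, "example.com")
    print(classify_first_packet("192.0.2.5", 40000, "198.51.100.53", 53, query))
```

For the unmatched reply the printed record shows 192.0.2.5:40000 as the originator and 198.51.100.53:53 as the responder even though every byte on the wire came from the latter, which is exactly the "source IP logged as the responder's IP" effect in the question; a query seen first keeps the naive source-is-originator assignment.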