[Bro] Lying about DNS yields interesting bro entries

[Seth Hall]

> On Feb 3, 2016, at 8:46 AM, James Lay <jlay at slave-tothe-box.net> wrote:
> 
> Thanks Jan...I think I finally explained it well enough that Seth is able to look at it.  At the end of the day the question for me is when an unsolicited dns response comes in from source port 53 to destination port 420, why does bro show my machine as the originator of the traffic.  Guess I should have just said that in the first place 8-|

Hah, I actually answered your question in the first reply, but then I got confused when I looked at your reply to that email.

Anyway, what Bro is doing is using port 53/udp as a heuristic and it's taking a guess that it may have the originator and responder backwards so it flips them.  One thing I've been meaning to add for a long time is an indicator in the conn.log for connections that were flipped.  At the very least it would be nice to know if Bro flipped the connection in it's attempt to analyze the traffic correctly.  

It does make for some subtlety in analyzing logs if you don't know that Bro is doing that.  Especially in cases like this where only a single packet was sent from outside your network.  The biggest thing to keep in mind that originator and responder are very different concepts than source and destination.  src and dst work perfectly if you're talking about individual packets, but when you're talking about a connection composed of two flows and many packets, originator and responder work much better.
 
 .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/