From sebclaut at gmail.com Thu Sep 1 00:44:06 2016
From: sebclaut at gmail.com (clautos)
Date: Thu, 1 Sep 2016 09:44:06 +0200
Subject: [Bro] [bro] extracting and submitting files - malware analysis

Hello,

I've just installed a Security Onion (the latest release) for testing purposes and I'm trying to extract files plus scan them with VirusTotal or any other engine in an automated way. I've seen the script detect-MHR.bro that seems appropriate for that.

I've downloaded a pcap containing some adult website samples including malware executables downloaded by the client. I ran the command

bro -r ~/Downloads/zeus-sample-1.pcap /opt/bro/share/bro/policy/frameworks/files/extract-all-files.bro

Everything is fine, I have the malware sample, but when I run the command

bro -r ~/Downloads/zeus-sample-1.pcap /opt/bro/share/bro/policy/frameworks/files/hash-all-files.bro

I get no output, same for the command detect-MHR.

So my questions are:
Did I miss something?
Was the output sent somewhere else than the current repository? (btw the executable is flagged red by almost 50 antivirus engines on VirusTotal)
Is there any better solution for automated malware sample detection in files?

Thanks for your reply

From newfire.bw at gmail.com Thu Sep 1 01:44:30 2016
From: newfire.bw at gmail.com (Bowen Li)
Date: Thu, 1 Sep 2016 16:44:30 +0800
Subject: [Bro] Bro with PF_RING receive repeating data packets

Hi all,

Recently I have had some problems with Bro and PF_RING in a cluster. On my server, when I have less than 32 worker threads (rings), everything is okay, but when I use more than 32 worker threads, pf_ring starts to receive repeating data packets.
For example, with less than 32 rings, I send 400000 packets to the server and the pf_ring info in /proc shows there are 400000 packets in the rings, but with more than 32 rings, I get 800000 packets with 33 rings and 1200000 packets with 34 rings and so on. I guess there is some rule that a pf_ring or a Bro cluster can only support less than 32 rings or worker threads on a server, or some other reason? Any insight would be helpful.

From kevin at branchnetconsulting.com Thu Sep 1 06:54:33 2016
From: kevin at branchnetconsulting.com (Kevin Branch)
Date: Thu, 1 Sep 2016 09:54:33 -0400
Subject: [Bro] Option to make Bro willing to decode http sessions not preceded by tcp handshake?

I use Bro in the context of Security Onion, and I find that recurrently session extraction with capME does not get the whole session, especially with tcp/80 connections that might be kept alive for several minutes while servicing multiple http requests. The extracted subset of the session packets are valid http requests and replies, but Bro does not decode them as http, only as a tcp/80 connection, if the tcp handshake packets are not at the start of the pcap.

For example, with a pcap containing just a single http request packet or a request and reply packet, this command outputs no http session data and writes no http.log file:

bro -r /example.cap /opt/bro/share/bro/sguild_bro/TCPUDPFlow.bro

but if that pcap has the 3 tcp handshake packets at the front, Bro outputs session data and an http.log file. I assume that Bro does not consider a stream of tcp/80 packets to be valid http traffic if the tcp handshake is missing. Is there any way to ask Bro to be more forgiving about this? Perhaps a no_sweat_the_handshake option?
If so, I believe it would substantially cut down on the number of capME failures experienced by Security Onion users.

Thanks,
Kevin

From seth at icir.org Thu Sep 1 07:28:38 2016
From: seth at icir.org (Seth Hall)
Date: Thu, 1 Sep 2016 10:28:38 -0400
Subject: [Bro] Option to make Bro willing to decode http sessions not preceded by tcp handshake?
Message-ID: <4A4C3110-6CB2-4B39-B8A6-7285E36B8EFC@icir.org>

> On Sep 1, 2016, at 9:54 AM, Kevin Branch wrote:
>
> I assume that Bro does not consider a stream of tcp/80 packets to be valid http traffic if the tcp handshake is missing. Is there any way to ask Bro to be more forgiving about this? Perhaps a no_sweat_the_handshake option? If so, I believe it would substantially cut down on the number of capME failures experienced by Security Onion users.

That change to the http analyzer has long been needed, but we haven't had the available time to implement it yet because we would need to implement a stream resynchronization mechanism for the HTTP analyzer and it's not trivial with the current analyzer.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From seth at icir.org Thu Sep 1 08:23:04 2016
From: seth at icir.org (Seth Hall)
Date: Thu, 1 Sep 2016 11:23:04 -0400
Subject: [Bro] Bro with PF_RING receive repeating data packets
Message-ID: <548BF782-456D-46E9-A34F-82C27C2F7E83@icir.org>

> On Sep 1, 2016, at 4:44 AM, Bowen Li wrote:
>
> On my server, when I have less than 32 worker threads(rings), everything is okay, but when I use worker threads more than 32, pf_ring start to receive repeating data packets.
> For example, rings less than 32, I send 400000 packets to server and pf_ring info in /proc shows there is 400000 packets in rings, but when rings greater than 32, I can get 800000 packets when 33 rings and 1200000 packets when 34 rings and so on.

That sounds like an issue with PF_Ring. I would check their documentation and mailing list to see if they only support 32 rings.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From kevin at branchnetconsulting.com Thu Sep 1 10:19:04 2016
From: kevin at branchnetconsulting.com (Kevin Branch)
Date: Thu, 1 Sep 2016 13:19:04 -0400
Subject: [Bro] Option to make Bro willing to decode http sessions not preceded by tcp handshake?
In-Reply-To: <4A4C3110-6CB2-4B39-B8A6-7285E36B8EFC@icir.org>
References: <4A4C3110-6CB2-4B39-B8A6-7285E36B8EFC@icir.org>

Thanks, Seth. I appreciate the update on the issue. For now I can substantially mitigate this problem by increasing the pcap file rollover size so that more often the entire stream to be extracted is in a single pcap file to begin with. All the same, it will be great when you all find the time to implement stream resynchronization in the HTTP analyzer.

I have really grown to appreciate and lean on Bro more over the last few years. When I got started with Security Onion I saw Bro as an interesting add-on alongside Snort/Suricata, but now it's like a major part of the engine of the whole NSM solution. Thanks for all your great work on this!

Kevin

On Thu, Sep 1, 2016 at 10:28 AM, Seth Hall wrote:
>
> > On Sep 1, 2016, at 9:54 AM, Kevin Branch wrote:
> >
> > I assume that Bro does not consider a stream of tcp/80 packets to be valid http traffic if the tcp handshake is missing. Is there any way to ask Bro to be more forgiving about this? Perhaps a no_sweat_the_handshake option? If so, I believe it would substantially cut down on the number of capME failures experienced by Security Onion users.
>
> That change to the http analyzer has long been needed, but we haven't had the available time to implement it yet because we would need to implement a stream resynchronization mechanism for the HTTP analyzer and it's not trivial with the current analyzer.
>
> .Seth

From cardigliano at ntop.org Thu Sep 1 10:55:39 2016
From: cardigliano at ntop.org (Alfredo Cardigliano)
Date: Thu, 1 Sep 2016 19:55:39 +0200
Subject: [Bro] Bro with PF_RING receive repeating data packets
In-Reply-To: <548BF782-456D-46E9-A34F-82C27C2F7E83@icir.org>
References: <548BF782-456D-46E9-A34F-82C27C2F7E83@icir.org>
Message-ID: <0DE86941-FA7F-4352-ADDB-8F983EF403A6@ntop.org>

Hi all,
there is a limit to the number of sockets in a pf_ring kernel cluster; it used to be 32, now I increased it to 64, which I guess should be enough.

Alfredo

> On 01 Sep 2016, at 17:23, Seth Hall wrote:
>
>
>> On Sep 1, 2016, at 4:44 AM, Bowen Li wrote:
>>
>> On my server, when I have less than 32 worker threads(rings), everything is okay, but when I use worker threads more than 32, pf_ring start to receive repeating data packets. For example, rings less than 32, I send 400000 packets to server and pf_ring info in /proc shows there is 400000 packets in rings, but when rings greater than 32, I can get 800000 packets when 33 rings and 1200000 packets when 34 rings and so on.
>
> That sounds like an issue with PF_Ring. I would check their documentation and mailing list to see if they only support 32 rings.
>
> .Seth
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From newfire.bw at gmail.com Thu Sep 1 18:43:55 2016
From: newfire.bw at gmail.com (Bowen Li)
Date: Fri, 2 Sep 2016 09:43:55 +0800
Subject: [Bro] Bro with PF_RING receive repeating data packets
In-Reply-To: <0DE86941-FA7F-4352-ADDB-8F983EF403A6@ntop.org>
References: <548BF782-456D-46E9-A34F-82C27C2F7E83@icir.org> <0DE86941-FA7F-4352-ADDB-8F983EF403A6@ntop.org>

Hi all,

Thanks for your reply. I found a definition in kernel/linux/pf_ring.h in the PF_RING source code. The "CLUSTER_LEN" define sets the maximum number of sockets a cluster can hold. Now I'm sure it is an issue with PF_RING. I also increased "CLUSTER_LEN" to 64 and it seems like everything is okay. But I'm still confused about why the limit is set to 32 and whether it is right to modify the source code. Will it affect the stability of PF_RING and Bro?

Bowen

2016-09-02 1:55 GMT+08:00 Alfredo Cardigliano:
> Hi all
> there is a limit to the number of sockets in a pf_ring kernel cluster,
> it used to be 32, now I increased it to 64 which I guess should be enough.
>
> Alfredo
>
> > On 01 Sep 2016, at 17:23, Seth Hall wrote:
> >
> >
> >> On Sep 1, 2016, at 4:44 AM, Bowen Li wrote:
> >>
> >> On my server, when I have less than 32 worker threads(rings), everything is okay, but when I use worker threads more than 32, pf_ring start to receive repeating data packets.
> >> For example, rings less than 32, I send 400000 packets to server and pf_ring info in /proc shows there is 400000 packets in rings, but when rings greater than 32, I can get 800000 packets when 33 rings and 1200000 packets when 34 rings and so on.
> >
> > That sounds like an issue with PF_Ring. I would check their documentation and mailing list to see if they only support 32 rings.
> >
> > .Seth

From jlay at slave-tothe-box.net Fri Sep 2 15:57:38 2016
From: jlay at slave-tothe-box.net (James Lay)
Date: Fri, 02 Sep 2016 16:57:38 -0600
Subject: [Bro] Bro connections v. NetFlow
References: <8350146BADDCE04480B969B36967473D13F090CB@ZEUS.olympus.dataline.co.uk>
Message-ID: <8cc4de3fac7bc6a73f568a862218ab43@localhost>

On 2016-08-30 11:03, James Lay wrote:
> On 2016-08-30 10:53, Seth Hall wrote:
>>> On Aug 30, 2016, at 12:44 PM, Michał Purzyński wrote:
>>>
>>> Have you tested it with loooots of connections? How hard it is on the memory and CPU?
>>
>> It hasn't been tested very extensively, but I wouldn't expect it to have much trouble with either memory or CPU since it's just riding on top of the existing connection state mechanism.
>>
>> .Seth
>
> Imma test this out Seth thank you...I'll report findings here.
>
> James

Yea this worked well:

#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path conn_long
#open 2016-09-02-13-33-11
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
1472843591.734071 CVFKX14EPP6mzgoKta 192.168.1.3 61648 172.217.3.174 443 tcp - 1193.913203 0 23239 OTH T F 0 had 0 0 565 52825 (empty)

I see this in the script\main.bro:

## The default duration that you are locally
## considering a connection to be "long".
const default_durations = Durations(10min, 30min, 1hr, 12hr, 24hrs, 3days) &redef;

I'd like to see an example of redefing this to a different time. Also, a whitelist of IPs not to be included would be next. I have a lot of use cases...truth be told I'm "kind of" doing something similar with grep/sed/awk and the current conn log for tracking "unusual" long sessions. For example, a netblock, say 172.16.1.0/24, is dedicated to VPN connections, which I expect to be longer as they are a constant session, so I'd want to ignore those in my conn_long file.

Thanks Seth!

James

From gl89 at cornell.edu Fri Sep 2 06:35:55 2016
From: gl89 at cornell.edu (Glenn Forbes Fleming Larratt)
Date: Fri, 2 Sep 2016 09:35:55 -0400 (EDT)
Subject: [Bro] "broctl cron" running every 5 mins, and side effects

Can anyone comment on what "broctl cron" is actually doing?
My DNS admin reported to me that, at 5-minute intervals, my six bro hosts (1x manager+proxy, 5 workers) are spewing DNS queries in the thousands, all forward and reverse lookups of themselves and each other (sample appended). It *seems* to be correlated in time with the running of "broctl cron".

Thanks for any info,
--
Glenn Forbes Fleming Larratt
Cornell University IT Security Office
(43) 12:10:01.984542 IP 10.x.x.52.40133 > my.qry.DNS.svr.domain: 46608+ A? bromgr.....cornell.edu. (47) 12:10:01.984554 IP 10.x.x.52.40133 > my.qry.DNS.svr.domain: 16831+ AAAA? bromgr.....cornell.edu. (47) 12:10:01.985514 IP 10.x.x.49.39127 > my.qry.DNS.svr.domain: 8682+ A? bromgr.....cornell.edu. (47) 12:10:01.985529 IP 10.x.x.49.53899 > my.qry.DNS.svr.domain: 53399+ PTR? 40.x.x.10.in-addr.arpa. (43) 12:10:01.985529 IP 10.x.x.52.44981 > my.qry.DNS.svr.domain: 13566+ A? bromgr.....cornell.edu. (47) 12:10:01.985545 IP 10.x.x.52.44981 > my.qry.DNS.svr.domain: 20294+ AAAA? bromgr.....cornell.edu. (47) 12:10:01.986256 IP 10.x.x.49.48605 > my.qry.DNS.svr.domain: 31920+ A? bromgr.....cornell.edu. (47) 12:10:02.030747 IP 10.x.x.49.45645 > my.qry.DNS.svr.domain: 59418+ PTR? 40.x.x.10.in-addr.arpa. (43) 12:10:02.031523 IP 10.x.x.49.52096 > my.qry.DNS.svr.domain: 50875+ A? bromgr.....cornell.edu. (47) 12:10:02.031720 IP 10.x.x.49.56471 > my.qry.DNS.svr.domain: 64479+ PTR? 40.x.x.10.in-addr.arpa. (43) 12:10:02.032750 IP 10.x.x.49.49572 > my.qry.DNS.svr.domain: 15277+ A? bromgr.....cornell.edu. (47) 12:10:02.032775 IP 10.x.x.40.51637 > my.qry.DNS.svr.domain: 35012+ PTR? 49.x.x.10.in-addr.arpa. (43) 12:10:02.033696 IP 10.x.x.40.54405 > my.qry.DNS.svr.domain: 51593+ A? bro02.....cornell.edu. (46) 12:10:02.033719 IP 10.x.x.40.32950 > my.qry.DNS.svr.domain: 45171+ PTR? 49.x.x.10.in-addr.arpa. (43) 12:10:02.034469 IP 10.x.x.40.47674 > my.qry.DNS.svr.domain: 22580+ A? bro02.....cornell.edu. (46) 12:10:02.034922 IP 10.x.x.40.55857 > my.qry.DNS.svr.domain: 11749+ A? bro02.....cornell.edu. (46) 12:10:02.034938 IP 10.x.x.40.55857 > my.qry.DNS.svr.domain: 25929+ AAAA? bro02.....cornell.edu. (46) 12:10:02.035655 IP 10.x.x.40.44292 > my.qry.DNS.svr.domain: 61549+ A? bro02.....cornell.edu. (46) 12:10:02.035670 IP 10.x.x.40.44292 > my.qry.DNS.svr.domain: 60591+ AAAA? bro02.....cornell.edu. (46) 12:10:02.035899 IP 10.x.x.40.42465 > my.qry.DNS.svr.domain: 9722+ PTR? 49.x.x.10.in-addr.arpa. 
(43) 12:10:02.036433 IP 10.x.x.40.35670 > my.qry.DNS.svr.domain: 45235+ PTR? 49.x.x.10.in-addr.arpa. (43) 12:10:02.037392 IP 10.x.x.40.47544 > my.qry.DNS.svr.domain: 30103+ A? bro02.....cornell.edu. (46) 12:10:02.037413 IP 10.x.x.40.47544 > my.qry.DNS.svr.domain: 34109+ AAAA? bro02.....cornell.edu. (46) 12:10:02.037632 IP 10.x.x.40.53625 > my.qry.DNS.svr.domain: 21560+ A? bro02.....cornell.edu. (46) 12:10:02.037653 IP 10.x.x.40.53625 > my.qry.DNS.svr.domain: 5317+ AAAA? bro02.....cornell.edu. (46) 12:10:02.038112 IP 10.x.x.40.49177 > my.qry.DNS.svr.domain: 43392+ PTR? 49.x.x.10.in-addr.arpa. (43) 12:10:02.038597 IP 10.x.x.40.32985 > my.qry.DNS.svr.domain: 49352+ PTR? 49.x.x.10.in-addr.arpa. (43) 12:10:02.039363 IP 10.x.x.40.52647 > my.qry.DNS.svr.domain: 61715+ A? bro02.....cornell.edu. (46) 12:10:02.039389 IP 10.x.x.40.52647 > my.qry.DNS.svr.domain: 15794+ AAAA? bro02.....cornell.edu. (46) 12:10:02.039838 IP 10.x.x.40.54576 > my.qry.DNS.svr.domain: 43118+ A? bro02.....cornell.edu. (46) 12:10:02.039853 IP 10.x.x.40.54576 > my.qry.DNS.svr.domain: 7200+ AAAA? bro02.....cornell.edu. (46) 12:10:02.040100 IP 10.x.x.40.32959 > my.qry.DNS.svr.domain: 53690+ PTR? 49.x.x.10.in-addr.arpa. (43) 12:10:02.040590 IP 10.x.x.40.59281 > my.qry.DNS.svr.domain: 44203+ PTR? 49.x.x.10.in-addr.arpa. (43) 12:10:02.041347 IP 10.x.x.40.36376 > my.qry.DNS.svr.domain: 6487+ A? bro02.....cornell.edu. (46) 12:10:02.041372 IP 10.x.x.40.36376 > my.qry.DNS.svr.domain: 8702+ AAAA? bro02.....cornell.edu. (46) 12:10:02.042075 IP 10.x.x.40.34392 > my.qry.DNS.svr.domain: 4379+ PTR? 49.x.x.10.in-addr.arpa. (43) 12:10:02.042097 IP 10.x.x.40.57606 > my.qry.DNS.svr.domain: 22768+ A? bro02.....cornell.edu. (46) 12:10:02.042105 IP 10.x.x.40.57606 > my.qry.DNS.svr.domain: 19517+ AAAA? bro02.....cornell.edu. (46) 12:10:02.042793 IP 10.x.x.40.52885 > my.qry.DNS.svr.domain: 28726+ PTR? 49.x.x.10.in-addr.arpa. (43) 12:10:02.048201 IP 10.x.x.49.48411 > my.qry.DNS.svr.domain: 13159+ A? bromgr.....cornell.edu. 
(47) 12:10:02.048223 IP 10.x.x.49.48411 > my.qry.DNS.svr.domain: 28198+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.048433 IP 10.x.x.49.49466 > my.qry.DNS.svr.domain: 30554+ A? bromgr.....cornell.edu. (47) 12:10:02.048448 IP 10.x.x.49.49466 > my.qry.DNS.svr.domain: 19728+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.049903 IP 10.x.x.49.58799 > my.qry.DNS.svr.domain: 25428+ A? bromgr.....cornell.edu. (47) 12:10:02.049923 IP 10.x.x.49.58799 > my.qry.DNS.svr.domain: 45216+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.050151 IP 10.x.x.49.43340 > my.qry.DNS.svr.domain: 15964+ A? bromgr.....cornell.edu. (47) 12:10:02.050166 IP 10.x.x.49.43340 > my.qry.DNS.svr.domain: 23194+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.050897 IP 10.x.x.49.53687 > my.qry.DNS.svr.domain: 52263+ A? bromgr.....cornell.edu. (47) 12:10:02.050909 IP 10.x.x.49.53687 > my.qry.DNS.svr.domain: 51640+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.051136 IP 10.x.x.49.35734 > my.qry.DNS.svr.domain: 23597+ A? bromgr.....cornell.edu. (47) 12:10:02.051158 IP 10.x.x.49.35734 > my.qry.DNS.svr.domain: 57799+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.052870 IP 10.x.x.49.54794 > my.qry.DNS.svr.domain: 54724+ A? bromgr.....cornell.edu. (47) 12:10:02.052888 IP 10.x.x.49.54794 > my.qry.DNS.svr.domain: 20959+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.052894 IP 10.x.x.49.55694 > my.qry.DNS.svr.domain: 10489+ A? bromgr.....cornell.edu. (47) 12:10:02.052899 IP 10.x.x.49.55694 > my.qry.DNS.svr.domain: 49743+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.054112 IP 10.x.x.49.44183 > my.qry.DNS.svr.domain: 15717+ A? bromgr.....cornell.edu. (47) 12:10:02.054131 IP 10.x.x.49.42956 > my.qry.DNS.svr.domain: 32895+ A? bromgr.....cornell.edu. (47) 12:10:02.054138 IP 10.x.x.49.42956 > my.qry.DNS.svr.domain: 48977+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.054146 IP 10.x.x.49.44183 > my.qry.DNS.svr.domain: 20237+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.054835 IP 10.x.x.49.44684 > my.qry.DNS.svr.domain: 9651+ A? 
bromgr.....cornell.edu. (47) 12:10:02.054853 IP 10.x.x.49.44684 > my.qry.DNS.svr.domain: 2403+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.055123 IP 10.x.x.49.51054 > my.qry.DNS.svr.domain: 35477+ A? bromgr.....cornell.edu. (47) 12:10:02.055135 IP 10.x.x.49.51054 > my.qry.DNS.svr.domain: 3809+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.058278 IP 10.x.x.49.58488 > my.qry.DNS.svr.domain: 36516+ A? bromgr.....cornell.edu. (47) 12:10:02.058294 IP 10.x.x.49.58488 > my.qry.DNS.svr.domain: 17008+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.059250 IP 10.x.x.49.38854 > my.qry.DNS.svr.domain: 58026+ A? bromgr.....cornell.edu. (47) 12:10:02.059270 IP 10.x.x.49.38854 > my.qry.DNS.svr.domain: 45551+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.060475 IP 10.x.x.49.54217 > my.qry.DNS.svr.domain: 64134+ A? bromgr.....cornell.edu. (47) 12:10:02.060494 IP 10.x.x.49.54217 > my.qry.DNS.svr.domain: 808+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.061219 IP 10.x.x.49.54845 > my.qry.DNS.svr.domain: 47732+ A? bromgr.....cornell.edu. (47) 12:10:02.061242 IP 10.x.x.49.54845 > my.qry.DNS.svr.domain: 30408+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.064194 IP 10.x.x.40.59227 > my.qry.DNS.svr.domain: 56576+ A? bro02.....cornell.edu. (46) 12:10:02.064212 IP 10.x.x.40.59227 > my.qry.DNS.svr.domain: 62700+ AAAA? bro02.....cornell.edu. (46) 12:10:02.065649 IP 10.x.x.40.51348 > my.qry.DNS.svr.domain: 38093+ A? bro02.....cornell.edu. (46) 12:10:02.065670 IP 10.x.x.40.51348 > my.qry.DNS.svr.domain: 51588+ AAAA? bro02.....cornell.edu. (46) 12:10:02.069348 IP 10.x.x.49.37815 > my.qry.DNS.svr.domain: 16529+ PTR? 40.x.x.10.in-addr.arpa. (43) 12:10:02.070296 IP 10.x.x.49.42056 > my.qry.DNS.svr.domain: 44006+ A? bromgr.....cornell.edu. (47) 12:10:02.070551 IP 10.x.x.49.34062 > my.qry.DNS.svr.domain: 8259+ PTR? 40.x.x.10.in-addr.arpa. (43) 12:10:02.071285 IP 10.x.x.49.50245 > my.qry.DNS.svr.domain: 37863+ A? bromgr.....cornell.edu. (47) 12:10:02.110615 IP 10.x.x.40.40447 > my.qry.DNS.svr.domain: 18771+ A? 
honeycrisp.....cornell.edu. (51) 12:10:02.110634 IP 10.x.x.40.40447 > my.qry.DNS.svr.domain: 30098+ AAAA? honeycrisp.....cornell.edu. (51) 12:10:02.115769 IP 10.x.x.49.44926 > my.qry.DNS.svr.domain: 58498+ PTR? 40.x.x.10.in-addr.arpa. (43) 12:10:02.116757 IP 10.x.x.49.50367 > my.qry.DNS.svr.domain: 20034+ PTR? 40.x.x.10.in-addr.arpa. (43) 12:10:02.116778 IP 10.x.x.49.39582 > my.qry.DNS.svr.domain: 59669+ A? bromgr.....cornell.edu. (47) 12:10:02.117739 IP 10.x.x.49.56746 > my.qry.DNS.svr.domain: 22129+ A? bromgr.....cornell.edu. (47) 12:10:02.118240 IP 10.x.x.40.56375 > my.qry.DNS.svr.domain: 18395+ PTR? 49.x.x.10.in-addr.arpa. (43) 12:10:02.118728 IP 10.x.x.40.35867 > my.qry.DNS.svr.domain: 45366+ PTR? 49.x.x.10.in-addr.arpa. (43) 12:10:02.118973 IP 10.x.x.40.37164 > my.qry.DNS.svr.domain: 40716+ A? bro02.....cornell.edu. (46) 12:10:02.119480 IP 10.x.x.40.47723 > my.qry.DNS.svr.domain: 16779+ A? bro02.....cornell.edu. (46) 12:10:02.119961 IP 10.x.x.40.34373 > my.qry.DNS.svr.domain: 5069+ A? bro02.....cornell.edu. (46) 12:10:02.119974 IP 10.x.x.40.34373 > my.qry.DNS.svr.domain: 17302+ AAAA? bro02.....cornell.edu. (46) 12:10:02.120452 IP 10.x.x.40.38729 > my.qry.DNS.svr.domain: 56763+ A? bro02.....cornell.edu. (46) 12:10:02.120472 IP 10.x.x.40.38729 > my.qry.DNS.svr.domain: 50676+ AAAA? bro02.....cornell.edu. (46) 12:10:02.121183 IP 10.x.x.40.43699 > my.qry.DNS.svr.domain: 58751+ PTR? 49.x.x.10.in-addr.arpa. (43) 12:10:02.121198 IP 10.x.x.40.59237 > my.qry.DNS.svr.domain: 62285+ PTR? 49.x.x.10.in-addr.arpa. (43) 12:10:02.122428 IP 10.x.x.40.36650 > my.qry.DNS.svr.domain: 11829+ A? bro02.....cornell.edu. (46) 12:10:02.122445 IP 10.x.x.40.36650 > my.qry.DNS.svr.domain: 14631+ AAAA? bro02.....cornell.edu. (46) 12:10:02.122657 IP 10.x.x.40.46116 > my.qry.DNS.svr.domain: 27870+ A? bro02.....cornell.edu. (46) 12:10:02.122669 IP 10.x.x.40.46116 > my.qry.DNS.svr.domain: 30533+ AAAA? bro02.....cornell.edu. 
(46) 12:10:02.123161 IP 10.x.x.40.37790 > my.qry.DNS.svr.domain: 43547+ PTR? 49.x.x.10.in-addr.arpa. (43) 12:10:02.123395 IP 10.x.x.40.38761 > my.qry.DNS.svr.domain: 6338+ PTR? 49.x.x.10.in-addr.arpa. (43) 12:10:02.124133 IP 10.x.x.40.43281 > my.qry.DNS.svr.domain: 9047+ A? bro02.....cornell.edu. (46) 12:10:02.124147 IP 10.x.x.40.43281 > my.qry.DNS.svr.domain: 22686+ AAAA? bro02.....cornell.edu. (46) 12:10:02.124385 IP 10.x.x.40.49903 > my.qry.DNS.svr.domain: 56738+ A? bro02.....cornell.edu. (46) 12:10:02.124402 IP 10.x.x.40.49903 > my.qry.DNS.svr.domain: 40588+ AAAA? bro02.....cornell.edu. (46) 12:10:02.125118 IP 10.x.x.40.60262 > my.qry.DNS.svr.domain: 4000+ PTR? 49.x.x.10.in-addr.arpa. (43) 12:10:02.125135 IP 10.x.x.40.49368 > my.qry.DNS.svr.domain: 39191+ PTR? 49.x.x.10.in-addr.arpa. (43) 12:10:02.126107 IP 10.x.x.40.52013 > my.qry.DNS.svr.domain: 16417+ A? bro02.....cornell.edu. (46) 12:10:02.126120 IP 10.x.x.40.52013 > my.qry.DNS.svr.domain: 62890+ AAAA? bro02.....cornell.edu. (46) 12:10:02.126352 IP 10.x.x.40.44471 > my.qry.DNS.svr.domain: 49682+ A? bro02.....cornell.edu. (46) 12:10:02.126367 IP 10.x.x.40.44471 > my.qry.DNS.svr.domain: 13078+ AAAA? bro02.....cornell.edu. (46) 12:10:02.127097 IP 10.x.x.40.57183 > my.qry.DNS.svr.domain: 14850+ PTR? 49.x.x.10.in-addr.arpa. (43) 12:10:02.127126 IP 10.x.x.40.44597 > my.qry.DNS.svr.domain: 6376+ PTR? 49.x.x.10.in-addr.arpa. (43) 12:10:02.131255 IP 10.x.x.49.41515 > my.qry.DNS.svr.domain: 12483+ A? bromgr.....cornell.edu. (47) 12:10:02.131272 IP 10.x.x.49.41515 > my.qry.DNS.svr.domain: 41002+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.131744 IP 10.x.x.49.32926 > my.qry.DNS.svr.domain: 33439+ A? bromgr.....cornell.edu. (47) 12:10:02.131759 IP 10.x.x.49.32926 > my.qry.DNS.svr.domain: 6707+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.132971 IP 10.x.x.49.42227 > my.qry.DNS.svr.domain: 6145+ A? bromgr.....cornell.edu. (47) 12:10:02.132985 IP 10.x.x.49.42227 > my.qry.DNS.svr.domain: 5600+ AAAA? bromgr.....cornell.edu. 
(47) 12:10:02.133217 IP 10.x.x.49.59593 > my.qry.DNS.svr.domain: 24384+ A? bromgr.....cornell.edu. (47) 12:10:02.133230 IP 10.x.x.49.59593 > my.qry.DNS.svr.domain: 24919+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.134206 IP 10.x.x.49.57884 > my.qry.DNS.svr.domain: 51441+ A? bromgr.....cornell.edu. (47) 12:10:02.134223 IP 10.x.x.49.37177 > my.qry.DNS.svr.domain: 10547+ A? bromgr.....cornell.edu. (47) 12:10:02.134231 IP 10.x.x.49.57884 > my.qry.DNS.svr.domain: 34317+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.134239 IP 10.x.x.49.37177 > my.qry.DNS.svr.domain: 64533+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.135930 IP 10.x.x.49.48065 > my.qry.DNS.svr.domain: 55396+ A? bromgr.....cornell.edu. (47) 12:10:02.135947 IP 10.x.x.49.40648 > my.qry.DNS.svr.domain: 39265+ A? bromgr.....cornell.edu. (47) 12:10:02.135955 IP 10.x.x.49.48065 > my.qry.DNS.svr.domain: 2012+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.135963 IP 10.x.x.49.40648 > my.qry.DNS.svr.domain: 65219+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.137155 IP 10.x.x.49.51855 > my.qry.DNS.svr.domain: 53018+ A? bromgr.....cornell.edu. (47) 12:10:02.137174 IP 10.x.x.49.59127 > my.qry.DNS.svr.domain: 50495+ A? bromgr.....cornell.edu. (47) 12:10:02.137183 IP 10.x.x.49.51855 > my.qry.DNS.svr.domain: 63529+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.137192 IP 10.x.x.49.59127 > my.qry.DNS.svr.domain: 56443+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.138145 IP 10.x.x.49.40885 > my.qry.DNS.svr.domain: 62426+ A? bromgr.....cornell.edu. (47) 12:10:02.138161 IP 10.x.x.49.59478 > my.qry.DNS.svr.domain: 38598+ A? bromgr.....cornell.edu. (47) 12:10:02.138170 IP 10.x.x.49.40885 > my.qry.DNS.svr.domain: 58691+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.138179 IP 10.x.x.49.59478 > my.qry.DNS.svr.domain: 64876+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.141335 IP 10.x.x.49.33911 > my.qry.DNS.svr.domain: 26485+ A? bromgr.....cornell.edu. (47) 12:10:02.141354 IP 10.x.x.49.33911 > my.qry.DNS.svr.domain: 51888+ AAAA? 
bromgr.....cornell.edu. (47) 12:10:02.142089 IP 10.x.x.49.51924 > my.qry.DNS.svr.domain: 28380+ A? bromgr.....cornell.edu. (47) 12:10:02.142111 IP 10.x.x.49.51924 > my.qry.DNS.svr.domain: 23570+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.143062 IP 10.x.x.49.37588 > my.qry.DNS.svr.domain: 15881+ A? bromgr.....cornell.edu. (47) 12:10:02.143079 IP 10.x.x.49.37588 > my.qry.DNS.svr.domain: 58118+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.143808 IP 10.x.x.49.45413 > my.qry.DNS.svr.domain: 43189+ A? bromgr.....cornell.edu. (47) 12:10:02.143822 IP 10.x.x.49.45413 > my.qry.DNS.svr.domain: 56174+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.147022 IP 10.x.x.40.51055 > my.qry.DNS.svr.domain: 4315+ A? bro02.....cornell.edu. (46) 12:10:02.147037 IP 10.x.x.40.51055 > my.qry.DNS.svr.domain: 25249+ AAAA? bro02.....cornell.edu. (46) 12:10:02.148217 IP 10.x.x.40.44915 > my.qry.DNS.svr.domain: 34764+ A? bro02.....cornell.edu. (46) 12:10:02.148235 IP 10.x.x.40.44915 > my.qry.DNS.svr.domain: 1923+ AAAA? bro02.....cornell.edu. (46) 12:10:02.152152 IP 10.x.x.49.51271 > my.qry.DNS.svr.domain: 31027+ PTR? 40.x.x.10.in-addr.arpa. (43) 12:10:02.153146 IP 10.x.x.49.43555 > my.qry.DNS.svr.domain: 57204+ A? bromgr.....cornell.edu. (47) 12:10:02.153167 IP 10.x.x.49.34025 > my.qry.DNS.svr.domain: 55306+ PTR? 40.x.x.10.in-addr.arpa. (43) 12:10:02.154351 IP 10.x.x.49.32939 > my.qry.DNS.svr.domain: 47640+ A? bromgr.....cornell.edu. (47) 12:10:02.198842 IP 10.x.x.49.52688 > my.qry.DNS.svr.domain: 53099+ PTR? 40.x.x.10.in-addr.arpa. (43) 12:10:02.199586 IP 10.x.x.49.51503 > my.qry.DNS.svr.domain: 57630+ A? bromgr.....cornell.edu. (47) 12:10:02.199600 IP 10.x.x.49.53216 > my.qry.DNS.svr.domain: 48229+ PTR? 40.x.x.10.in-addr.arpa. (43) 12:10:02.200309 IP 10.x.x.49.59789 > my.qry.DNS.svr.domain: 19949+ A? bromgr.....cornell.edu. (47) 12:10:02.201076 IP 10.x.x.40.36774 > my.qry.DNS.svr.domain: 21078+ PTR? 49.x.x.10.in-addr.arpa. 
(43) 12:10:02.201541 IP 10.x.x.40.36707 > my.qry.DNS.svr.domain: 51088+ PTR? 49.x.x.10.in-addr.arpa. (43) 12:10:02.201807 IP 10.x.x.40.36965 > my.qry.DNS.svr.domain: 51647+ A? bro02.....cornell.edu. (46) 12:10:02.202294 IP 10.x.x.40.58109 > my.qry.DNS.svr.domain: 34762+ A? bro02.....cornell.edu. (46) 12:10:02.202776 IP 10.x.x.40.37872 > my.qry.DNS.svr.domain: 10510+ A? bro02.....cornell.edu. (46) 12:10:02.202791 IP 10.x.x.40.37872 > my.qry.DNS.svr.domain: 37223+ AAAA? bro02.....cornell.edu. (46) 12:10:02.203288 IP 10.x.x.40.46330 > my.qry.DNS.svr.domain: 24574+ A? bro02.....cornell.edu. (46) 12:10:02.203306 IP 10.x.x.40.46330 > my.qry.DNS.svr.domain: 827+ AAAA? bro02.....cornell.edu. (46) 12:10:02.203514 IP 10.x.x.40.59958 > my.qry.DNS.svr.domain: 35298+ PTR? 49.x.x.10.in-addr.arpa. (43) 12:10:02.204010 IP 10.x.x.40.58944 > my.qry.DNS.svr.domain: 62242+ PTR? 49.x.x.10.in-addr.arpa. (43) 12:10:02.204746 IP 10.x.x.40.38146 > my.qry.DNS.svr.domain: 34201+ A? bro02.....cornell.edu. (46) 12:10:02.204765 IP 10.x.x.40.38146 > my.qry.DNS.svr.domain: 9561+ AAAA? bro02.....cornell.edu. (46) 12:10:02.205240 IP 10.x.x.40.36035 > my.qry.DNS.svr.domain: 6051+ A? bro02.....cornell.edu. (46) 12:10:02.205257 IP 10.x.x.40.36035 > my.qry.DNS.svr.domain: 41771+ AAAA? bro02.....cornell.edu. (46) 12:10:02.205496 IP 10.x.x.40.59414 > my.qry.DNS.svr.domain: 15776+ PTR? 49.x.x.10.in-addr.arpa. (43) 12:10:02.206468 IP 10.x.x.40.47447 > my.qry.DNS.svr.domain: 25069+ PTR? 49.x.x.10.in-addr.arpa. (43) 12:10:02.206733 IP 10.x.x.40.34719 > my.qry.DNS.svr.domain: 53525+ A? bro02.....cornell.edu. (46) 12:10:02.206746 IP 10.x.x.40.34719 > my.qry.DNS.svr.domain: 41366+ AAAA? bro02.....cornell.edu. (46) 12:10:02.207445 IP 10.x.x.40.57129 > my.qry.DNS.svr.domain: 43728+ PTR? 49.x.x.10.in-addr.arpa. (43) 12:10:02.207938 IP 10.x.x.40.48582 > my.qry.DNS.svr.domain: 14953+ A? bro02.....cornell.edu. (46) 12:10:02.207953 IP 10.x.x.40.48582 > my.qry.DNS.svr.domain: 16368+ AAAA? bro02.....cornell.edu. 
(46) 12:10:02.208689 IP 10.x.x.40.56399 > my.qry.DNS.svr.domain: 47070+ A? bro02.....cornell.edu. (46) 12:10:02.208704 IP 10.x.x.40.56399 > my.qry.DNS.svr.domain: 10488+ AAAA? bro02.....cornell.edu. (46) 12:10:02.208929 IP 10.x.x.40.48913 > my.qry.DNS.svr.domain: 22594+ PTR? 49.x.x.10.in-addr.arpa. (43) 12:10:02.209414 IP 10.x.x.40.46748 > my.qry.DNS.svr.domain: 39227+ PTR? 49.x.x.10.in-addr.arpa. (43) 12:10:02.209912 IP 10.x.x.40.36560 > my.qry.DNS.svr.domain: 44413+ A? bro02.....cornell.edu. (46) 12:10:02.209930 IP 10.x.x.40.36560 > my.qry.DNS.svr.domain: 28354+ AAAA? bro02.....cornell.edu. (46) 12:10:02.211171 IP 10.x.x.40.44490 > my.qry.DNS.svr.domain: 64296+ PTR? 49.x.x.10.in-addr.arpa. (43) 12:10:02.214336 IP 10.x.x.49.50132 > my.qry.DNS.svr.domain: 38714+ A? bromgr.....cornell.edu. (47) 12:10:02.214353 IP 10.x.x.49.50132 > my.qry.DNS.svr.domain: 9835+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.215806 IP 10.x.x.49.46108 > my.qry.DNS.svr.domain: 59636+ A? bromgr.....cornell.edu. (47) 12:10:02.215825 IP 10.x.x.49.46108 > my.qry.DNS.svr.domain: 4357+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.216056 IP 10.x.x.49.34381 > my.qry.DNS.svr.domain: 18814+ A? bromgr.....cornell.edu. (47) 12:10:02.216076 IP 10.x.x.49.34381 > my.qry.DNS.svr.domain: 43675+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.217294 IP 10.x.x.49.44435 > my.qry.DNS.svr.domain: 37647+ A? bromgr.....cornell.edu. (47) 12:10:02.217312 IP 10.x.x.49.44435 > my.qry.DNS.svr.domain: 22155+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.217538 IP 10.x.x.49.39367 > my.qry.DNS.svr.domain: 4212+ A? bromgr.....cornell.edu. (47) 12:10:02.217556 IP 10.x.x.49.39367 > my.qry.DNS.svr.domain: 24557+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.218523 IP 10.x.x.49.38632 > my.qry.DNS.svr.domain: 28740+ A? bromgr.....cornell.edu. (47) 12:10:02.218540 IP 10.x.x.49.38632 > my.qry.DNS.svr.domain: 11171+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.218994 IP 10.x.x.49.42272 > my.qry.DNS.svr.domain: 18826+ A? 
bromgr.....cornell.edu. (47) 12:10:02.219011 IP 10.x.x.49.42272 > my.qry.DNS.svr.domain: 36266+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.219987 IP 10.x.x.49.56005 > my.qry.DNS.svr.domain: 18018+ A? bromgr.....cornell.edu. (47) 12:10:02.220000 IP 10.x.x.49.56005 > my.qry.DNS.svr.domain: 64567+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.220471 IP 10.x.x.49.49473 > my.qry.DNS.svr.domain: 53252+ A? bromgr.....cornell.edu. (47) 12:10:02.220490 IP 10.x.x.49.49473 > my.qry.DNS.svr.domain: 57479+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.221216 IP 10.x.x.49.42619 > my.qry.DNS.svr.domain: 381+ A? bromgr.....cornell.edu. (47) 12:10:02.221234 IP 10.x.x.49.40811 > my.qry.DNS.svr.domain: 17465+ A? bromgr.....cornell.edu. (47) 12:10:02.221243 IP 10.x.x.49.42619 > my.qry.DNS.svr.domain: 39265+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.221252 IP 10.x.x.49.40811 > my.qry.DNS.svr.domain: 59124+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.222192 IP 10.x.x.49.58587 > my.qry.DNS.svr.domain: 21185+ A? bromgr.....cornell.edu. (47) 12:10:02.222206 IP 10.x.x.49.58587 > my.qry.DNS.svr.domain: 55082+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.225397 IP 10.x.x.49.40438 > my.qry.DNS.svr.domain: 22471+ A? bromgr.....cornell.edu. (47) 12:10:02.225414 IP 10.x.x.49.40438 > my.qry.DNS.svr.domain: 13934+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.226126 IP 10.x.x.49.55082 > my.qry.DNS.svr.domain: 44815+ A? bromgr.....cornell.edu. (47) 12:10:02.226142 IP 10.x.x.49.55082 > my.qry.DNS.svr.domain: 2488+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.227106 IP 10.x.x.49.48371 > my.qry.DNS.svr.domain: 65209+ A? bromgr.....cornell.edu. (47) 12:10:02.227119 IP 10.x.x.49.48371 > my.qry.DNS.svr.domain: 14278+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.227853 IP 10.x.x.49.40899 > my.qry.DNS.svr.domain: 27648+ A? bromgr.....cornell.edu. (47) 12:10:02.227867 IP 10.x.x.49.40899 > my.qry.DNS.svr.domain: 51012+ AAAA? bromgr.....cornell.edu. 
(47) 12:10:02.228589 IP 10.x.x.40.48870 > my.qry.DNS.svr.domain: 51009+ PTR? 139.159.253.128.in-addr.arpa. (46) 12:10:02.229554 IP 10.x.x.40.41619 > my.qry.DNS.svr.domain: 46014+ A? honeycrisp.....cornell.edu. (51) 12:10:02.230806 IP 10.x.x.40.46971 > my.qry.DNS.svr.domain: 14426+ A? honeycrisp.....cornell.edu. (51) 12:10:02.230819 IP 10.x.x.40.46971 > my.qry.DNS.svr.domain: 60672+ AAAA? honeycrisp.....cornell.edu. (51) 12:10:02.231042 IP 10.x.x.40.37809 > my.qry.DNS.svr.domain: 25228+ A? bro02.....cornell.edu. (46) 12:10:02.231057 IP 10.x.x.40.37809 > my.qry.DNS.svr.domain: 19460+ AAAA? bro02.....cornell.edu. (46) 12:10:02.231776 IP 10.x.x.40.37175 > my.qry.DNS.svr.domain: 50703+ PTR? 139.159.253.128.in-addr.arpa. (46) 12:10:02.232056 IP 10.x.x.40.38837 > my.qry.DNS.svr.domain: 23290+ A? bro02.....cornell.edu. (46) 12:10:02.232072 IP 10.x.x.40.38837 > my.qry.DNS.svr.domain: 59359+ AAAA? bro02.....cornell.edu. (46) 12:10:02.233005 IP 10.x.x.40.42526 > my.qry.DNS.svr.domain: 16265+ A? honeycrisp.....cornell.edu. (51) 12:10:02.233016 IP 10.x.x.40.42526 > my.qry.DNS.svr.domain: 39947+ AAAA? honeycrisp.....cornell.edu. (51) 12:10:02.233751 IP 10.x.x.40.60260 > my.qry.DNS.svr.domain: 54650+ PTR? 139.159.253.128.in-addr.arpa. (46) 12:10:02.235221 IP 10.x.x.40.43368 > my.qry.DNS.svr.domain: 576+ A? honeycrisp.....cornell.edu. (51) 12:10:02.235239 IP 10.x.x.40.43368 > my.qry.DNS.svr.domain: 2829+ AAAA? honeycrisp.....cornell.edu. (51) 12:10:02.235958 IP 10.x.x.40.59694 > my.qry.DNS.svr.domain: 50993+ PTR? 139.159.253.128.in-addr.arpa. (46) 12:10:02.236460 IP 10.x.x.49.55942 > my.qry.DNS.svr.domain: 3265+ PTR? 40.x.x.10.in-addr.arpa. (43) 12:10:02.236946 IP 10.x.x.49.52581 > my.qry.DNS.svr.domain: 50337+ PTR? 40.x.x.10.in-addr.arpa. (43) 12:10:02.236966 IP 10.x.x.40.60496 > my.qry.DNS.svr.domain: 54167+ A? honeycrisp.....cornell.edu. (51) 12:10:02.236972 IP 10.x.x.40.60496 > my.qry.DNS.svr.domain: 25349+ AAAA? honeycrisp.....cornell.edu. 
(51) 12:10:02.237198 IP 10.x.x.49.36977 > my.qry.DNS.svr.domain: 59656+ A? bromgr.....cornell.edu. (47) 12:10:02.237682 IP 10.x.x.49.40651 > my.qry.DNS.svr.domain: 12634+ A? bromgr.....cornell.edu. (47) 12:10:02.237700 IP 10.x.x.40.42011 > my.qry.DNS.svr.domain: 17319+ PTR? 139.159.253.128.in-addr.arpa. (46) 12:10:02.282646 IP 10.x.x.49.58332 > my.qry.DNS.svr.domain: 38694+ PTR? 40.x.x.10.in-addr.arpa. (43) 12:10:02.282667 IP 10.x.x.49.48288 > my.qry.DNS.svr.domain: 37131+ PTR? 40.x.x.10.in-addr.arpa. (43) 12:10:02.283384 IP 10.x.x.49.57522 > my.qry.DNS.svr.domain: 18116+ A? bromgr.....cornell.edu. (47) 12:10:02.283623 IP 10.x.x.49.54764 > my.qry.DNS.svr.domain: 16556+ A? bromgr.....cornell.edu. (47) 12:10:02.284621 IP 10.x.x.40.46288 > my.qry.DNS.svr.domain: 918+ PTR? 49.x.x.10.in-addr.arpa. (43) 12:10:02.284640 IP 10.x.x.40.60504 > my.qry.DNS.svr.domain: 11939+ PTR? 49.x.x.10.in-addr.arpa. (43) 12:10:02.285617 IP 10.x.x.40.46512 > my.qry.DNS.svr.domain: 30119+ A? bro02.....cornell.edu. (46) 12:10:02.285850 IP 10.x.x.40.55440 > my.qry.DNS.svr.domain: 33459+ A? bro02.....cornell.edu. (46) 12:10:02.286590 IP 10.x.x.40.49230 > my.qry.DNS.svr.domain: 51511+ A? bro02.....cornell.edu. (46) 12:10:02.286604 IP 10.x.x.40.49230 > my.qry.DNS.svr.domain: 16852+ AAAA? bro02.....cornell.edu. (46) 12:10:02.286850 IP 10.x.x.40.44774 > my.qry.DNS.svr.domain: 5758+ A? bro02.....cornell.edu. (46) 12:10:02.286864 IP 10.x.x.40.44774 > my.qry.DNS.svr.domain: 40528+ AAAA? bro02.....cornell.edu. (46) 12:10:02.287568 IP 10.x.x.40.56713 > my.qry.DNS.svr.domain: 33466+ PTR? 49.x.x.10.in-addr.arpa. (43) 12:10:02.287827 IP 10.x.x.40.filenet-obrok > my.qry.DNS.svr.domain: 59220+ PTR? 49.x.x.10.in-addr.arpa. (43) 12:10:02.288800 IP 10.x.x.40.50323 > my.qry.DNS.svr.domain: 35563+ A? bro02.....cornell.edu. (46) 12:10:02.288815 IP 10.x.x.40.50323 > my.qry.DNS.svr.domain: 44583+ AAAA? bro02.....cornell.edu. (46) 12:10:02.289054 IP 10.x.x.40.53001 > my.qry.DNS.svr.domain: 22347+ A? 
bro02.....cornell.edu. (46)
12:10:02.289070 IP 10.x.x.40.53001 > my.qry.DNS.svr.domain: 41803+ AAAA? bro02.....cornell.edu. (46)
12:10:02.289533 IP 10.x.x.40.59938 > my.qry.DNS.svr.domain: 64234+ PTR? 49.x.x.10.in-addr.arpa. (43)
12:10:02.289785 IP 10.x.x.40.58338 > my.qry.DNS.svr.domain: 9181+ PTR? 49.x.x.10.in-addr.arpa. (43)
12:10:02.291015 IP 10.x.x.40.44272 > my.qry.DNS.svr.domain: 27801+ A? bro02.....cornell.edu. (46)
12:10:02.291031 IP 10.x.x.40.44272 > my.qry.DNS.svr.domain: 14690+ AAAA? bro02.....cornell.edu. (46)
12:10:02.291037 IP 10.x.x.40.57309 > my.qry.DNS.svr.domain: 10647+ A? bro02.....cornell.edu. (46)
12:10:02.291042 IP 10.x.x.40.57309 > my.qry.DNS.svr.domain: 34894+ AAAA? bro02.....cornell.edu. (46)
12:10:02.291752 IP 10.x.x.40.56927 > my.qry.DNS.svr.domain: 53436+ PTR? 49.x.x.10.in-addr.arpa. (43)
12:10:02.291982 IP 10.x.x.40.37554 > my.qry.DNS.svr.domain: 47970+ PTR? 49.x.x.10.in-addr.arpa. (43)
12:10:02.292738 IP 10.x.x.40.42179 > my.qry.DNS.svr.domain: 38715+ A? bro02.....cornell.edu. (46)
12:10:02.292755 IP 10.x.x.40.42179 > my.qry.DNS.svr.domain: 65221+ AAAA? bro02.....cornell.edu. (46)
12:10:02.293230 IP 10.x.x.40.46300 > my.qry.DNS.svr.domain: 42684+ A? bro02.....cornell.edu. (46)
12:10:02.293250 IP 10.x.x.40.46300 > my.qry.DNS.svr.domain: 31006+ AAAA? bro02.....cornell.edu. (46)
12:10:02.293460 IP 10.x.x.40.39168 > my.qry.DNS.svr.domain: 35116+ PTR? 49.x.x.10.in-addr.arpa. (43)
12:10:02.293947 IP 10.x.x.40.52774 > my.qry.DNS.svr.domain: 64733+ PTR? 49.x.x.10.in-addr.arpa. (43)
12:10:02.299111 IP 10.x.x.49.40107 > my.qry.DNS.svr.domain: 1341+ A? bromgr.....cornell.edu. (47)
12:10:02.299131 IP 10.x.x.49.40107 > my.qry.DNS.svr.domain: 28619+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.299355 IP 10.x.x.49.56993 > my.qry.DNS.svr.domain: 59708+ A? bromgr.....cornell.edu. (47)
12:10:02.299370 IP 10.x.x.49.56993 > my.qry.DNS.svr.domain: 58071+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.301079 IP 10.x.x.49.48332 > my.qry.DNS.svr.domain: 23304+ A? bromgr.....cornell.edu. (47)
12:10:02.301095 IP 10.x.x.49.37212 > my.qry.DNS.svr.domain: 65197+ A? bromgr.....cornell.edu. (47)
12:10:02.301101 IP 10.x.x.49.48332 > my.qry.DNS.svr.domain: 35650+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.301109 IP 10.x.x.49.37212 > my.qry.DNS.svr.domain: 921+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.302323 IP 10.x.x.49.49176 > my.qry.DNS.svr.domain: 15326+ A? bromgr.....cornell.edu. (47)
12:10:02.302338 IP 10.x.x.49.49176 > my.qry.DNS.svr.domain: 37677+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.302551 IP 10.x.x.49.46281 > my.qry.DNS.svr.domain: 40972+ A? bromgr.....cornell.edu. (47)
12:10:02.302567 IP 10.x.x.49.46281 > my.qry.DNS.svr.domain: 36071+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.303791 IP 10.x.x.49.55171 > my.qry.DNS.svr.domain: 7879+ A? bromgr.....cornell.edu. (47)
12:10:02.303812 IP 10.x.x.49.55171 > my.qry.DNS.svr.domain: 54649+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.304291 IP 10.x.x.49.50602 > my.qry.DNS.svr.domain: 44577+ A? bromgr.....cornell.edu. (47)
12:10:02.304308 IP 10.x.x.49.50602 > my.qry.DNS.svr.domain: 37232+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.305051 IP 10.x.x.49.44624 > my.qry.DNS.svr.domain: 15276+ A? bromgr.....cornell.edu. (47)
12:10:02.305071 IP 10.x.x.49.44624 > my.qry.DNS.svr.domain: 12083+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.305992 IP 10.x.x.49.49254 > my.qry.DNS.svr.domain: 21135+ A? bromgr.....cornell.edu. (47)
12:10:02.306013 IP 10.x.x.49.37274 > my.qry.DNS.svr.domain: 61057+ A? bromgr.....cornell.edu. (47)
12:10:02.306019 IP 10.x.x.49.49254 > my.qry.DNS.svr.domain: 20467+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.306024 IP 10.x.x.49.37274 > my.qry.DNS.svr.domain: 64038+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.306987 IP 10.x.x.49.48218 > my.qry.DNS.svr.domain: 60135+ A? bromgr.....cornell.edu. (47)
12:10:02.307013 IP 10.x.x.49.48218 > my.qry.DNS.svr.domain: 39599+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.309681 IP 10.x.x.49.38060 > my.qry.DNS.svr.domain: 51871+ A? bromgr.....cornell.edu. (47)
12:10:02.309702 IP 10.x.x.49.38060 > my.qry.DNS.svr.domain: 54423+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.310670 IP 10.x.x.49.34990 > my.qry.DNS.svr.domain: 42203+ A? bromgr.....cornell.edu. (47)
12:10:02.310688 IP 10.x.x.49.34990 > my.qry.DNS.svr.domain: 47913+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.311650 IP 10.x.x.49.44706 > my.qry.DNS.svr.domain: 31305+ A? bromgr.....cornell.edu. (47)
12:10:02.311667 IP 10.x.x.49.44706 > my.qry.DNS.svr.domain: 9843+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.312629 IP 10.x.x.49.55530 > my.qry.DNS.svr.domain: 8323+ A? bromgr.....cornell.edu. (47)
12:10:02.312645 IP 10.x.x.49.55530 > my.qry.DNS.svr.domain: 60569+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.316812 IP 10.x.x.40.34538 > my.qry.DNS.svr.domain: 50229+ A? bro02.....cornell.edu. (46)
12:10:02.316827 IP 10.x.x.40.34538 > my.qry.DNS.svr.domain: 54615+ AAAA? bro02.....cornell.edu. (46)
12:10:02.317324 IP 10.x.x.40.51918 > my.qry.DNS.svr.domain: 46119+ A? bro02.....cornell.edu. (46)
12:10:02.317340 IP 10.x.x.40.51918 > my.qry.DNS.svr.domain: 37447+ AAAA? bro02.....cornell.edu. (46)
12:10:02.319021 IP 10.x.x.40.37294 > my.qry.DNS.svr.domain: 40156+ A? honeycrisp.....cornell.edu. (51)
12:10:02.319036 IP 10.x.x.40.37294 > my.qry.DNS.svr.domain: 20387+ AAAA? honeycrisp.....cornell.edu. (51)
12:10:02.322236 IP 10.x.x.49.39182 > my.qry.DNS.svr.domain: 59408+ PTR? 40.x.x.10.in-addr.arpa. (43)
12:10:02.322256 IP 10.x.x.49.57893 > my.qry.DNS.svr.domain: 1778+ PTR? 40.x.x.10.in-addr.arpa. (43)
12:10:02.323190 IP 10.x.x.49.50013 > my.qry.DNS.svr.domain: 21970+ A? bromgr.....cornell.edu. (47)
12:10:02.323202 IP 10.x.x.49.54140 > my.qry.DNS.svr.domain: 1516+ A? bromgr.....cornell.edu. (47)
12:10:02.368680 IP 10.x.x.49.40997 > my.qry.DNS.svr.domain: 41250+ PTR? 40.x.x.10.in-addr.arpa. (43)
12:10:02.368701 IP 10.x.x.49.54969 > my.qry.DNS.svr.domain: 39024+ PTR? 40.x.x.10.in-addr.arpa. (43)
12:10:02.369405 IP 10.x.x.49.53982 > my.qry.DNS.svr.domain: 40173+ A? bromgr.....cornell.edu. (47)
12:10:02.369649 IP 10.x.x.49.50444 > my.qry.DNS.svr.domain: 42453+ A? bromgr.....cornell.edu. (47)
12:10:02.370386 IP 10.x.x.40.41599 > my.qry.DNS.svr.domain: 10678+ PTR? 49.x.x.10.in-addr.arpa. (43)
12:10:02.370879 IP 10.x.x.40.44938 > my.qry.DNS.svr.domain: 46821+ PTR? 49.x.x.10.in-addr.arpa. (43)
12:10:02.371139 IP 10.x.x.40.42152 > my.qry.DNS.svr.domain: 53889+ A? bro02.....cornell.edu. (46)
12:10:02.371620 IP 10.x.x.40.44612 > my.qry.DNS.svr.domain: 42999+ A? bro02.....cornell.edu. (46)
12:10:02.372114 IP 10.x.x.40.54246 > my.qry.DNS.svr.domain: 48124+ A? bro02.....cornell.edu. (46)
12:10:02.372129 IP 10.x.x.40.54246 > my.qry.DNS.svr.domain: 18560+ AAAA? bro02.....cornell.edu. (46)
12:10:02.372858 IP 10.x.x.40.40906 > my.qry.DNS.svr.domain: 42351+ PTR? 49.x.x.10.in-addr.arpa. (43)
12:10:02.372873 IP 10.x.x.40.56010 > my.qry.DNS.svr.domain: 30732+ A? bro02.....cornell.edu. (46)
12:10:02.372879 IP 10.x.x.40.56010 > my.qry.DNS.svr.domain: 43307+ AAAA? bro02.....cornell.edu. (46)
12:10:02.373842 IP 10.x.x.40.41339 > my.qry.DNS.svr.domain: 55002+ PTR? 49.x.x.10.in-addr.arpa. (43)
12:10:02.374077 IP 10.x.x.40.33776 > my.qry.DNS.svr.domain: 5779+ A? bro02.....cornell.edu. (46)
12:10:02.374092 IP 10.x.x.40.33776 > my.qry.DNS.svr.domain: 65472+ AAAA? bro02.....cornell.edu. (46)
12:10:02.374814 IP 10.x.x.40.51334 > my.qry.DNS.svr.domain: 25696+ PTR? 49.x.x.10.in-addr.arpa. (43)
12:10:02.375091 IP 10.x.x.40.39095 > my.qry.DNS.svr.domain: 53163+ A? bro02.....cornell.edu. (46)
12:10:02.375106 IP 10.x.x.40.39095 > my.qry.DNS.svr.domain: 58500+ AAAA? bro02.....cornell.edu. (46)
12:10:02.375789 IP 10.x.x.40.58576 > my.qry.DNS.svr.domain: 10749+ PTR? 49.x.x.10.in-addr.arpa. (43)
12:10:02.376053 IP 10.x.x.40.53438 > my.qry.DNS.svr.domain: 60876+ A? bro02.....cornell.edu. (46)
12:10:02.376068 IP 10.x.x.40.53438 > my.qry.DNS.svr.domain: 10817+ AAAA? bro02.....cornell.edu. (46)
12:10:02.376789 IP 10.x.x.40.49332 > my.qry.DNS.svr.domain: 53125+ PTR? 49.x.x.10.in-addr.arpa. (43)
12:10:02.377123 IP 10.x.x.40.45362 > my.qry.DNS.svr.domain: 18031+ A? bro02.....cornell.edu. (46)
12:10:02.377134 IP 10.x.x.40.45362 > my.qry.DNS.svr.domain: 57320+ AAAA? bro02.....cornell.edu. (46)
12:10:02.377754 IP 10.x.x.40.33468 > my.qry.DNS.svr.domain: 11500+ PTR? 49.x.x.10.in-addr.arpa. (43)
12:10:02.378270 IP 10.x.x.40.41793 > my.qry.DNS.svr.domain: 24626+ A? bro02.....cornell.edu. (46)
12:10:02.378285 IP 10.x.x.40.41793 > my.qry.DNS.svr.domain: 34280+ AAAA? bro02.....cornell.edu. (46)
12:10:02.378765 IP 10.x.x.40.37372 > my.qry.DNS.svr.domain: 42381+ A? bro02.....cornell.edu. (46)
12:10:02.378783 IP 10.x.x.40.37372 > my.qry.DNS.svr.domain: 567+ AAAA? bro02.....cornell.edu. (46)
12:10:02.378992 IP 10.x.x.40.36909 > my.qry.DNS.svr.domain: 653+ PTR? 49.x.x.10.in-addr.arpa. (43)
12:10:02.379726 IP 10.x.x.40.41709 > my.qry.DNS.svr.domain: 42931+ PTR? 49.x.x.10.in-addr.arpa. (43)
12:10:02.384894 IP 10.x.x.49.34988 > my.qry.DNS.svr.domain: 50135+ A? bromgr.....cornell.edu. (47)
12:10:02.384908 IP 10.x.x.49.34988 > my.qry.DNS.svr.domain: 17875+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.385616 IP 10.x.x.49.48415 > my.qry.DNS.svr.domain: 28550+ A? bromgr.....cornell.edu. (47)
12:10:02.385634 IP 10.x.x.49.48415 > my.qry.DNS.svr.domain: 30274+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.386617 IP 10.x.x.49.56243 > my.qry.DNS.svr.domain: 37037+ A? bromgr.....cornell.edu. (47)
12:10:02.386637 IP 10.x.x.49.56243 > my.qry.DNS.svr.domain: 29328+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.387119 IP 10.x.x.49.33119 > my.qry.DNS.svr.domain: 3900+ A? bromgr.....cornell.edu. (47)
12:10:02.387138 IP 10.x.x.49.33119 > my.qry.DNS.svr.domain: 20285+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.387583 IP 10.x.x.49.39623 > my.qry.DNS.svr.domain: 34505+ A? bromgr.....cornell.edu. (47)
12:10:02.387602 IP 10.x.x.49.39623 > my.qry.DNS.svr.domain: 45579+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.388093 IP 10.x.x.49.35754 > my.qry.DNS.svr.domain: 40813+ A? bromgr.....cornell.edu. (47)
12:10:02.388111 IP 10.x.x.49.35754 > my.qry.DNS.svr.domain: 34470+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.389071 IP 10.x.x.49.33055 > my.qry.DNS.svr.domain: 31412+ A? bromgr.....cornell.edu. (47)
12:10:02.389091 IP 10.x.x.49.33055 > my.qry.DNS.svr.domain: 55155+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.389580 IP 10.x.x.49.42196 > my.qry.DNS.svr.domain: 44617+ A? bromgr.....cornell.edu. (47)
12:10:02.389600 IP 10.x.x.49.42196 > my.qry.DNS.svr.domain: 21251+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.390311 IP 10.x.x.49.55959 > my.qry.DNS.svr.domain: 6574+ A? bromgr.....cornell.edu. (47)
12:10:02.390330 IP 10.x.x.49.55959 > my.qry.DNS.svr.domain: 52312+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.390794 IP 10.x.x.49.50347 > my.qry.DNS.svr.domain: 2154+ A? bromgr.....cornell.edu. (47)
12:10:02.390811 IP 10.x.x.49.50347 > my.qry.DNS.svr.domain: 8760+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.391272 IP 10.x.x.49.54079 > my.qry.DNS.svr.domain: 3316+ A? bromgr.....cornell.edu. (47)
12:10:02.391290 IP 10.x.x.49.54079 > my.qry.DNS.svr.domain: 14745+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.391762 IP 10.x.x.49.54873 > my.qry.DNS.svr.domain: 26383+ A? bromgr.....cornell.edu. (47)
12:10:02.391778 IP 10.x.x.49.54873 > my.qry.DNS.svr.domain: 30960+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.394954 IP 10.x.x.49.46837 > my.qry.DNS.svr.domain: 19966+ A? bromgr.....cornell.edu. (47)
12:10:02.394970 IP 10.x.x.49.46837 > my.qry.DNS.svr.domain: 48493+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.395940 IP 10.x.x.49.41755 > my.qry.DNS.svr.domain: 35780+ A? bromgr.....cornell.edu. (47)
12:10:02.395954 IP 10.x.x.49.41755 > my.qry.DNS.svr.domain: 42020+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.396954 IP 10.x.x.49.44566 > my.qry.DNS.svr.domain: 11796+ A? bromgr.....cornell.edu. (47)
12:10:02.396967 IP 10.x.x.49.44566 > my.qry.DNS.svr.domain: 4108+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.397662 IP 10.x.x.49.38441 > my.qry.DNS.svr.domain: 27607+ A? bromgr.....cornell.edu. (47)
12:10:02.397676 IP 10.x.x.49.38441 > my.qry.DNS.svr.domain: 50094+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.401117 IP 10.x.x.40.46054 > my.qry.DNS.svr.domain: 44935+ A? bro02.....cornell.edu. (46)
12:10:02.401136 IP 10.x.x.40.46054 > my.qry.DNS.svr.domain: 10490+ AAAA? bro02.....cornell.edu. (46)
12:10:02.403094 IP 10.x.x.40.45993 > my.qry.DNS.svr.domain: 48273+ A? bro02.....cornell.edu. (46)
12:10:02.403114 IP 10.x.x.40.45993 > my.qry.DNS.svr.domain: 10520+ AAAA? bro02.....cornell.edu. (46)
12:10:02.406758 IP 10.x.x.49.40163 > my.qry.DNS.svr.domain: 17770+ PTR? 40.x.x.10.in-addr.arpa. (43)
12:10:02.407742 IP 10.x.x.49.56805 > my.qry.DNS.svr.domain: 15203+ A? bromgr.....cornell.edu. (47)
12:10:02.407764 IP 10.x.x.49.43382 > my.qry.DNS.svr.domain: 9221+ PTR? 40.x.x.10.in-addr.arpa. (43)
12:10:02.408715 IP 10.x.x.49.32944 > my.qry.DNS.svr.domain: 51251+ A? bromgr.....cornell.edu. (47)
12:10:02.430622 IP 10.x.x.40.35739 > my.qry.DNS.svr.domain: 17759+ PTR? 139.159.253.128.in-addr.arpa. (46)
12:10:02.431360 IP 10.x.x.40.35439 > my.qry.DNS.svr.domain: 4983+ A? honeycrisp.....cornell.edu. (51)
12:10:02.432330 IP 10.x.x.40.54598 > my.qry.DNS.svr.domain: 56681+ A? honeycrisp.....cornell.edu. (51)
12:10:02.432349 IP 10.x.x.40.54598 > my.qry.DNS.svr.domain: 7014+ AAAA? honeycrisp.....cornell.edu. (51)
12:10:02.433306 IP 10.x.x.40.57892 > my.qry.DNS.svr.domain: 2546+ PTR? 139.159.253.128.in-addr.arpa. (46)
12:10:02.434540 IP 10.x.x.40.38560 > my.qry.DNS.svr.domain: 50975+ A? honeycrisp.....cornell.edu. (51)
12:10:02.434557 IP 10.x.x.40.38560 > my.qry.DNS.svr.domain: 56661+ AAAA? honeycrisp.....cornell.edu. (51)
12:10:02.435279 IP 10.x.x.40.56969 > my.qry.DNS.svr.domain: 52247+ PTR? 139.159.253.128.in-addr.arpa. (46)
12:10:02.436750 IP 10.x.x.40.44416 > my.qry.DNS.svr.domain: 36766+ A? honeycrisp.....cornell.edu. (51)
12:10:02.436767 IP 10.x.x.40.44416 > my.qry.DNS.svr.domain: 52783+ AAAA? honeycrisp.....cornell.edu. (51)
12:10:02.437478 IP 10.x.x.40.49784 > my.qry.DNS.svr.domain: 57661+ PTR? 139.159.253.128.in-addr.arpa. (46)
12:10:02.438717 IP 10.x.x.40.45583 > my.qry.DNS.svr.domain: 13534+ A? honeycrisp.....cornell.edu. (51)
12:10:02.438731 IP 10.x.x.40.45583 > my.qry.DNS.svr.domain: 27527+ AAAA? honeycrisp.....cornell.edu. (51)
12:10:02.439448 IP 10.x.x.40.49843 > my.qry.DNS.svr.domain: 2719+ PTR? 139.159.253.128.in-addr.arpa. (46)
12:10:02.453689 IP 10.x.x.49.51123 > my.qry.DNS.svr.domain: 36544+ PTR? 40.x.x.10.in-addr.arpa. (43)
12:10:02.454698 IP 10.x.x.49.38898 > my.qry.DNS.svr.domain: 36925+ PTR? 40.x.x.10.in-addr.arpa. (43)
12:10:02.454714 IP 10.x.x.49.35323 > my.qry.DNS.svr.domain: 64947+ A? bromgr.....cornell.edu. (47)
12:10:02.455410 IP 10.x.x.49.41746 > my.qry.DNS.svr.domain: 29448+ A? bromgr.....cornell.edu. (47)
12:10:02.455911 IP 10.x.x.40.47422 > my.qry.DNS.svr.domain: 41533+ PTR? 49.x.x.10.in-addr.arpa. (43)
12:10:02.456414 IP 10.x.x.40.49787 > my.qry.DNS.svr.domain: 65508+ PTR? 49.x.x.10.in-addr.arpa. (43)
12:10:02.456661 IP 10.x.x.40.33497 > my.qry.DNS.svr.domain: 41324+ A? bro02.....cornell.edu. (46)
12:10:02.457406 IP 10.x.x.40.41867 > my.qry.DNS.svr.domain: 16038+ A? bro02.....cornell.edu. (46)
12:10:02.457649 IP 10.x.x.40.47271 > my.qry.DNS.svr.domain: 36875+ A? bro02.....cornell.edu. (46)
12:10:02.457667 IP 10.x.x.40.47271 > my.qry.DNS.svr.domain: 40882+ AAAA? bro02.....cornell.edu. (46)
12:10:02.458432 IP 10.x.x.40.44091 > my.qry.DNS.svr.domain: 17977+ PTR? 49.x.x.10.in-addr.arpa. (43)
12:10:02.458451 IP 10.x.x.40.52947 > my.qry.DNS.svr.domain: 1390+ A? bro02.....cornell.edu. (46)
12:10:02.458457 IP 10.x.x.40.52947 > my.qry.DNS.svr.domain: 36929+ AAAA? bro02.....cornell.edu. (46)
12:10:02.459122 IP 10.x.x.40.54648 > my.qry.DNS.svr.domain: 32013+ PTR? 49.x.x.10.in-addr.arpa. (43)
12:10:02.459639 IP 10.x.x.40.49063 > my.qry.DNS.svr.domain: 64579+ A? bro02.....cornell.edu. (46)
12:10:02.459658 IP 10.x.x.40.49063 > my.qry.DNS.svr.domain: 50777+ AAAA? bro02.....cornell.edu. (46)
12:10:02.460341 IP 10.x.x.40.40478 > my.qry.DNS.svr.domain: 10408+ PTR? 49.x.x.10.in-addr.arpa. (43)
12:10:02.460585 IP 10.x.x.40.49675 > my.qry.DNS.svr.domain: 57094+ A? bro02.....cornell.edu. (46)
12:10:02.460603 IP 10.x.x.40.49675 > my.qry.DNS.svr.domain: 54536+ AAAA? bro02.....cornell.edu. (46)
12:10:02.461321 IP 10.x.x.40.33228 > my.qry.DNS.svr.domain: 29630+ PTR? 49.x.x.10.in-addr.arpa. (43)
12:10:02.461564 IP 10.x.x.40.55533 > my.qry.DNS.svr.domain: 45631+ A? bro02.....cornell.edu. (46)
12:10:02.461580 IP 10.x.x.40.55533 > my.qry.DNS.svr.domain: 13537+ AAAA? bro02.....cornell.edu. (46)
12:10:02.462549 IP 10.x.x.40.36455 > my.qry.DNS.svr.domain: 53879+ PTR? 49.x.x.10.in-addr.arpa. (43)
12:10:02.462563 IP 10.x.x.40.37086 > my.qry.DNS.svr.domain: 29053+ A? bro02.....cornell.edu. (46)
12:10:02.462569 IP 10.x.x.40.37086 > my.qry.DNS.svr.domain: 6982+ AAAA? bro02.....cornell.edu. (46)
12:10:02.463305 IP 10.x.x.40.56181 > my.qry.DNS.svr.domain: 28044+ PTR? 49.x.x.10.in-addr.arpa. (43)
12:10:02.463540 IP 10.x.x.40.55589 > my.qry.DNS.svr.domain: 27153+ A? bro02.....cornell.edu. (46)
12:10:02.463551 IP 10.x.x.40.55589 > my.qry.DNS.svr.domain: 27318+ AAAA? bro02.....cornell.edu. (46)
12:10:02.464274 IP 10.x.x.40.58295 > my.qry.DNS.svr.domain: 37790+ A? bro02.....cornell.edu. (46)
12:10:02.464284 IP 10.x.x.40.58295 > my.qry.DNS.svr.domain: 22968+ AAAA? bro02.....cornell.edu. (46)
12:10:02.464290 IP 10.x.x.40.52357 > my.qry.DNS.svr.domain: 23647+ PTR? 49.x.x.10.in-addr.arpa. (43)
12:10:02.465023 IP 10.x.x.40.42014 > my.qry.DNS.svr.domain: 44809+ PTR? 49.x.x.10.in-addr.arpa. (43)
12:10:02.468932 IP 10.x.x.49.48019 > my.qry.DNS.svr.domain: 45202+ A? bromgr.....cornell.edu. (47)
12:10:02.468949 IP 10.x.x.49.48019 > my.qry.DNS.svr.domain: 54911+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.469183 IP 10.x.x.49.34880 > my.qry.DNS.svr.domain: 29165+ A? bromgr.....cornell.edu. (47)
12:10:02.469198 IP 10.x.x.49.34880 > my.qry.DNS.svr.domain: 63972+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.471161 IP 10.x.x.49.34600 > my.qry.DNS.svr.domain: 2886+ A? bromgr.....cornell.edu. (47)
12:10:02.471178 IP 10.x.x.49.33768 > my.qry.DNS.svr.domain: 40503+ A? bromgr.....cornell.edu. (47)
12:10:02.471184 IP 10.x.x.49.34600 > my.qry.DNS.svr.domain: 943+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.471189 IP 10.x.x.49.33768 > my.qry.DNS.svr.domain: 50936+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.472374 IP 10.x.x.49.52958 > my.qry.DNS.svr.domain: 59081+ A? bromgr.....cornell.edu. (47)
12:10:02.472393 IP 10.x.x.49.37557 > my.qry.DNS.svr.domain: 40787+ A? bromgr.....cornell.edu. (47)
12:10:02.472405 IP 10.x.x.49.52958 > my.qry.DNS.svr.domain: 21413+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.472413 IP 10.x.x.49.37557 > my.qry.DNS.svr.domain: 3330+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.473843 IP 10.x.x.49.60725 > my.qry.DNS.svr.domain: 33300+ A? bromgr.....cornell.edu. (47)
12:10:02.473858 IP 10.x.x.49.60725 > my.qry.DNS.svr.domain: 62526+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.474095 IP 10.x.x.49.45007 > my.qry.DNS.svr.domain: 49123+ A? bromgr.....cornell.edu. (47)
12:10:02.474110 IP 10.x.x.49.45007 > my.qry.DNS.svr.domain: 8762+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.475334 IP 10.x.x.49.43300 > my.qry.DNS.svr.domain: 61998+ A? bromgr.....cornell.edu. (47)
12:10:02.475349 IP 10.x.x.49.43300 > my.qry.DNS.svr.domain: 40385+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.475574 IP 10.x.x.49.41024 > my.qry.DNS.svr.domain: 33923+ A? bromgr.....cornell.edu. (47)
12:10:02.475589 IP 10.x.x.49.41024 > my.qry.DNS.svr.domain: 7695+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.476318 IP 10.x.x.49.44946 > my.qry.DNS.svr.domain: 11742+ A? bromgr.....cornell.edu. (47)
12:10:02.476334 IP 10.x.x.49.60086 > my.qry.DNS.svr.domain: 36329+ A? bromgr.....cornell.edu. (47)
12:10:02.476340 IP 10.x.x.49.44946 > my.qry.DNS.svr.domain: 22533+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.476346 IP 10.x.x.49.60086 > my.qry.DNS.svr.domain: 30156+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.479274 IP 10.x.x.49.33194 > my.qry.DNS.svr.domain: 7180+ A? bromgr.....cornell.edu. (47)
12:10:02.479292 IP 10.x.x.49.33194 > my.qry.DNS.svr.domain: 14421+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.480262 IP 10.x.x.49.48028 > my.qry.DNS.svr.domain: 40278+ A? bromgr.....cornell.edu. (47)
12:10:02.480278 IP 10.x.x.49.48028 > my.qry.DNS.svr.domain: 49506+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.481225 IP 10.x.x.49.44671 > my.qry.DNS.svr.domain: 35731+ A? bromgr.....cornell.edu. (47)
12:10:02.481242 IP 10.x.x.49.44671 > my.qry.DNS.svr.domain: 65486+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.481964 IP 10.x.x.49.46629 > my.qry.DNS.svr.domain: 37318+ A? bromgr.....cornell.edu. (47)
12:10:02.481982 IP 10.x.x.49.46629 > my.qry.DNS.svr.domain: 32457+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.485173 IP 10.x.x.40.44284 > my.qry.DNS.svr.domain: 645+ A? bro02.....cornell.edu. (46)
12:10:02.485189 IP 10.x.x.40.44284 > my.qry.DNS.svr.domain: 24822+ AAAA? bro02.....cornell.edu. (46)
12:10:02.486176 IP 10.x.x.40.48118 > my.qry.DNS.svr.domain: 24242+ A? bro02.....cornell.edu. (46)
12:10:02.486193 IP 10.x.x.40.48118 > my.qry.DNS.svr.domain: 12110+ AAAA? bro02.....cornell.edu. (46)
12:10:02.490319 IP 10.x.x.49.34759 > my.qry.DNS.svr.domain: 10380+ PTR? 40.x.x.10.in-addr.arpa. (43)
12:10:02.491302 IP 10.x.x.49.57376 > my.qry.DNS.svr.domain: 5654+ A? bromgr.....cornell.edu. (47)
12:10:02.491541 IP 10.x.x.49.56535 > my.qry.DNS.svr.domain: 64225+ PTR? 40.x.x.10.in-addr.arpa. (43)
12:10:02.492269 IP 10.x.x.49.47967 > my.qry.DNS.svr.domain: 45173+ A? bromgr.....cornell.edu. (47)
12:10:02.536756 IP 10.x.x.49.37740 > my.qry.DNS.svr.domain: 44244+ PTR? 40.x.x.10.in-addr.arpa. (43)
12:10:02.537746 IP 10.x.x.49.50208 > my.qry.DNS.svr.domain: 54744+ PTR? 40.x.x.10.in-addr.arpa. (43)
12:10:02.537768 IP 10.x.x.49.56752 > my.qry.DNS.svr.domain: 28951+ A? bromgr.....cornell.edu. (47)
12:10:02.538481 IP 10.x.x.49.51748 > my.qry.DNS.svr.domain: 36494+ A? bromgr.....cornell.edu. (47)
12:10:02.538978 IP 10.x.x.40.60787 > my.qry.DNS.svr.domain: 11764+ PTR? 49.x.x.10.in-addr.arpa. (43)
12:10:02.539728 IP 10.x.x.40.45387 > my.qry.DNS.svr.domain: 6010+ PTR? 49.x.x.10.in-addr.arpa. (43)
12:10:02.539983 IP 10.x.x.40.35754 > my.qry.DNS.svr.domain: 11685+ A? bro02.....cornell.edu. (46)
12:10:02.540694 IP 10.x.x.40.35168 > my.qry.DNS.svr.domain: 56721+ A? bro02.....cornell.edu. (46)
12:10:02.540945 IP 10.x.x.40.52624 > my.qry.DNS.svr.domain: 34575+ A? bro02.....cornell.edu. (46)
12:10:02.540966 IP 10.x.x.40.52624 > my.qry.DNS.svr.domain: 49540+ AAAA? bro02.....cornell.edu. (46)
12:10:02.541696 IP 10.x.x.40.44462 > my.qry.DNS.svr.domain: 24430+ A? bro02.....cornell.edu. (46)
12:10:02.541713 IP 10.x.x.40.44462 > my.qry.DNS.svr.domain: 30035+ AAAA? bro02.....cornell.edu. (46)
12:10:02.542170 IP 10.x.x.40.51348 > my.qry.DNS.svr.domain: 4943+ PTR? 49.x.x.10.in-addr.arpa. (43)
12:10:02.542419 IP 10.x.x.40.51373 > my.qry.DNS.svr.domain: 50979+ PTR? 49.x.x.10.in-addr.arpa. (43)
12:10:02.543409 IP 10.x.x.40.46700 > my.qry.DNS.svr.domain: 64944+ A? bro02.....cornell.edu. (46)
12:10:02.543422 IP 10.x.x.40.46700 > my.qry.DNS.svr.domain: 50973+ AAAA? bro02.....cornell.edu. (46)
12:10:02.543905 IP 10.x.x.40.44731 > my.qry.DNS.svr.domain: 27912+ A? bro02.....cornell.edu. (46)
12:10:02.543923 IP 10.x.x.40.44731 > my.qry.DNS.svr.domain: 55285+ AAAA? bro02.....cornell.edu. (46)
12:10:02.544152 IP 10.x.x.40.32999 > my.qry.DNS.svr.domain: 344+ PTR? 49.x.x.10.in-addr.arpa. (43)
12:10:02.544633 IP 10.x.x.40.41851 > my.qry.DNS.svr.domain: 65014+ PTR? 49.x.x.10.in-addr.arpa. (43)
12:10:02.545143 IP 10.x.x.40.33015 > my.qry.DNS.svr.domain: 19271+ A? bro02.....cornell.edu. (46)
12:10:02.545166 IP 10.x.x.40.33015 > my.qry.DNS.svr.domain: 45374+ AAAA? bro02.....cornell.edu. (46)
12:10:02.545626 IP 10.x.x.40.55983 > my.qry.DNS.svr.domain: 61407+ A? bro02.....cornell.edu. (46)
12:10:02.545647 IP 10.x.x.40.55983 > my.qry.DNS.svr.domain: 2513+ AAAA? bro02.....cornell.edu. (46)
12:10:02.546112 IP 10.x.x.40.48030 > my.qry.DNS.svr.domain: 36752+ PTR? 49.x.x.10.in-addr.arpa. (43)
12:10:02.546364 IP 10.x.x.40.45087 > my.qry.DNS.svr.domain: 15128+ PTR? 49.x.x.10.in-addr.arpa. (43)
12:10:02.547116 IP 10.x.x.40.57834 > my.qry.DNS.svr.domain: 4391+ A? bro02.....cornell.edu. (46)
12:10:02.547132 IP 10.x.x.40.57834 > my.qry.DNS.svr.domain: 54215+ AAAA? bro02.....cornell.edu. (46)
12:10:02.547347 IP 10.x.x.40.49189 > my.qry.DNS.svr.domain: 53618+ A? bro02.....cornell.edu. (46)
12:10:02.547361 IP 10.x.x.40.49189 > my.qry.DNS.svr.domain: 23509+ AAAA? bro02.....cornell.edu. (46)
12:10:02.548088 IP 10.x.x.40.36620 > my.qry.DNS.svr.domain: 45516+ PTR? 49.x.x.10.in-addr.arpa. (43)
12:10:02.548315 IP 10.x.x.40.42446 > my.qry.DNS.svr.domain: 18329+ PTR? 49.x.x.10.in-addr.arpa. (43)
12:10:02.552761 IP 10.x.x.49.38498 > my.qry.DNS.svr.domain: 48918+ A? bromgr.....cornell.edu. (47)
12:10:02.552775 IP 10.x.x.49.38498 > my.qry.DNS.svr.domain: 3116+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.553479 IP 10.x.x.49.43117 > my.qry.DNS.svr.domain: 20709+ A? bromgr.....cornell.edu. (47)
12:10:02.553492 IP 10.x.x.49.43117 > my.qry.DNS.svr.domain: 43590+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.554463 IP 10.x.x.49.58023 > my.qry.DNS.svr.domain: 37702+ A? bromgr.....cornell.edu. (47)
12:10:02.554481 IP 10.x.x.49.58023 > my.qry.DNS.svr.domain: 61290+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.554954 IP 10.x.x.49.38288 > my.qry.DNS.svr.domain: 4894+ A? bromgr.....cornell.edu. (47)
12:10:02.554977 IP 10.x.x.49.38288 > my.qry.DNS.svr.domain: 55293+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.555715 IP 10.x.x.49.38945 > my.qry.DNS.svr.domain: 20106+ A? bromgr.....cornell.edu. (47)
12:10:02.555731 IP 10.x.x.49.38945 > my.qry.DNS.svr.domain: 21939+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.556181 IP 10.x.x.49.60351 > my.qry.DNS.svr.domain: 32845+ A? bromgr.....cornell.edu. (47)
12:10:02.556196 IP 10.x.x.49.60351 > my.qry.DNS.svr.domain: 29094+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.557161 IP 10.x.x.49.37361 > my.qry.DNS.svr.domain: 61755+ A? bromgr.....cornell.edu. (47)
12:10:02.557178 IP 10.x.x.49.37361 > my.qry.DNS.svr.domain: 29674+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.557657 IP 10.x.x.49.49641 > my.qry.DNS.svr.domain: 54101+ A? bromgr.....cornell.edu. (47)
12:10:02.557680 IP 10.x.x.49.49641 > my.qry.DNS.svr.domain: 11548+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.558404 IP 10.x.x.49.35499 > my.qry.DNS.svr.domain: 49925+ A? bromgr.....cornell.edu. (47)
12:10:02.558421 IP 10.x.x.49.35499 > my.qry.DNS.svr.domain: 11618+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.558880 IP 10.x.x.49.55037 > my.qry.DNS.svr.domain: 41440+ A? bromgr.....cornell.edu. (47)
12:10:02.558901 IP 10.x.x.49.55037 > my.qry.DNS.svr.domain: 13348+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.559134 IP 10.x.x.49.37030 > my.qry.DNS.svr.domain: 63364+ A? bromgr.....cornell.edu. (47)
12:10:02.559154 IP 10.x.x.49.37030 > my.qry.DNS.svr.domain: 47535+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.559626 IP 10.x.x.49.58143 > my.qry.DNS.svr.domain: 43350+ A? bromgr.....cornell.edu. (47)
12:10:02.559646 IP 10.x.x.49.58143 > my.qry.DNS.svr.domain: 27539+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.562334 IP 10.x.x.49.54591 > my.qry.DNS.svr.domain: 3472+ A? bromgr.....cornell.edu. (47)
12:10:02.562354 IP 10.x.x.49.54591 > my.qry.DNS.svr.domain: 40596+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.563337 IP 10.x.x.49.52427 > my.qry.DNS.svr.domain: 39+ A? bromgr.....cornell.edu. (47)
12:10:02.563365 IP 10.x.x.49.52427 > my.qry.DNS.svr.domain: 27331+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.564309 IP 10.x.x.49.42341 > my.qry.DNS.svr.domain: 12581+ A? bromgr.....cornell.edu. (47)
12:10:02.564329 IP 10.x.x.49.42341 > my.qry.DNS.svr.domain: 51088+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.565285 IP 10.x.x.49.60397 > my.qry.DNS.svr.domain: 2595+ A? bromgr.....cornell.edu. (47)
12:10:02.565306 IP 10.x.x.49.60397 > my.qry.DNS.svr.domain: 46011+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.568260 IP 10.x.x.40.56454 > my.qry.DNS.svr.domain: 39624+ A? bro02.....cornell.edu. (46)
12:10:02.568282 IP 10.x.x.40.56454 > my.qry.DNS.svr.domain: 32379+ AAAA? bro02.....cornell.edu. (46)
12:10:02.569250 IP 10.x.x.40.40094 > my.qry.DNS.svr.domain: 22827+ A? bro03.....cornell.edu. (46)
12:10:02.569266 IP 10.x.x.40.40094 > my.qry.DNS.svr.domain: 25409+ AAAA? bro03.....cornell.edu. (46)
12:10:02.573139 IP 10.x.x.49.42491 > my.qry.DNS.svr.domain: 33897+ PTR? 40.x.x.10.in-addr.arpa. (43)
12:10:02.574122 IP 10.x.x.49.34580 > my.qry.DNS.svr.domain: 47817+ A? bromgr.....cornell.edu. (47)
12:10:02.574611 IP 10.x.x.50.38433 > my.qry.DNS.svr.domain: 57396+ PTR? 40.x.x.10.in-addr.arpa. (43)
12:10:02.575588 IP 10.x.x.50.46774 > my.qry.DNS.svr.domain: 32364+ A? bromgr.....cornell.edu. (47)
12:10:02.620816 IP 10.x.x.49.53497 > my.qry.DNS.svr.domain: 59431+ PTR? 40.x.x.10.in-addr.arpa. (43)
12:10:02.621070 IP 10.x.x.50.38670 > my.qry.DNS.svr.domain: 6303+ PTR? 40.x.x.10.in-addr.arpa. (43)
12:10:02.621791 IP 10.x.x.49.60532 > my.qry.DNS.svr.domain: 44174+ A? bromgr.....cornell.edu. (47)
12:10:02.622060 IP 10.x.x.50.52999 > my.qry.DNS.svr.domain: 31467+ A? bromgr.....cornell.edu. (47)
12:10:02.623288 IP 10.x.x.40.33364 > my.qry.DNS.svr.domain: 25837+ PTR? 49.x.x.10.in-addr.arpa. (43)
12:10:02.623305 IP 10.x.x.40.58203 > my.qry.DNS.svr.domain: 22963+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:02.624015 IP 10.x.x.40.37375 > my.qry.DNS.svr.domain: 30389+ A? bro02.....cornell.edu. (46)
12:10:02.624034 IP 10.x.x.40.54060 > my.qry.DNS.svr.domain: 36722+ A? bro03.....cornell.edu. (46)
12:10:02.625254 IP 10.x.x.40.34855 > my.qry.DNS.svr.domain: 19493+ A? bro02.....cornell.edu. (46)
12:10:02.625270 IP 10.x.x.40.34855 > my.qry.DNS.svr.domain: 11934+ AAAA? bro02.....cornell.edu. (46)
12:10:02.625502 IP 10.x.x.40.53830 > my.qry.DNS.svr.domain: 54607+ A? bro03.....cornell.edu. (46)
12:10:02.625517 IP 10.x.x.40.53830 > my.qry.DNS.svr.domain: 59191+ AAAA? bro03.....cornell.edu. (46)
12:10:02.625992 IP 10.x.x.40.45787 > my.qry.DNS.svr.domain: 10461+ PTR? 49.x.x.10.in-addr.arpa. (43)
12:10:02.626484 IP 10.x.x.40.39103 > my.qry.DNS.svr.domain: 16794+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:02.627218 IP 10.x.x.40.46303 > my.qry.DNS.svr.domain: 33435+ A? bro02.....cornell.edu. (46)
12:10:02.627243 IP 10.x.x.40.46303 > my.qry.DNS.svr.domain: 31843+ AAAA? bro02.....cornell.edu. (46)
12:10:02.627967 IP 10.x.x.40.53090 > my.qry.DNS.svr.domain: 48026+ A? bro03.....cornell.edu. (46)
12:10:02.627985 IP 10.x.x.40.53090 > my.qry.DNS.svr.domain: 12710+ AAAA? bro03.....cornell.edu. (46)
12:10:02.628194 IP 10.x.x.40.59729 > my.qry.DNS.svr.domain: 48751+ PTR? 49.x.x.10.in-addr.arpa. (43)
12:10:02.628686 IP 10.x.x.40.48155 > my.qry.DNS.svr.domain: 11213+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:02.629203 IP 10.x.x.40.56289 > my.qry.DNS.svr.domain: 4121+ A? bro02.....cornell.edu. (46)
12:10:02.629230 IP 10.x.x.40.56289 > my.qry.DNS.svr.domain: 41675+ AAAA? bro02.....cornell.edu. (46)
12:10:02.629913 IP 10.x.x.40.37531 > my.qry.DNS.svr.domain: 44464+ A? bro03.....cornell.edu. (46)
12:10:02.629929 IP 10.x.x.40.37531 > my.qry.DNS.svr.domain: 60317+ AAAA? bro03.....cornell.edu. (46)
12:10:02.629935 IP 10.x.x.40.53844 > my.qry.DNS.svr.domain: 44126+ PTR? 49.x.x.10.in-addr.arpa. (43)
12:10:02.630899 IP 10.x.x.40.51514 > my.qry.DNS.svr.domain: 33076+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:02.631148 IP 10.x.x.40.56979 > my.qry.DNS.svr.domain: 47808+ A? bro02.....cornell.edu. (46)
12:10:02.631168 IP 10.x.x.40.56979 > my.qry.DNS.svr.domain: 45098+ AAAA? bro02.....cornell.edu. (46)
12:10:02.631891 IP 10.x.x.40.55597 > my.qry.DNS.svr.domain: 11866+ PTR? 49.x.x.10.in-addr.arpa. (43)
12:10:02.632132 IP 10.x.x.40.60603 > my.qry.DNS.svr.domain: 58169+ A? bro03.....cornell.edu. (46)
12:10:02.632148 IP 10.x.x.40.60603 > my.qry.DNS.svr.domain: 22855+ AAAA? bro03.....cornell.edu. (46)
12:10:02.633105 IP 10.x.x.40.51363 > my.qry.DNS.svr.domain: 24392+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:02.637542 IP 10.x.x.49.54732 > my.qry.DNS.svr.domain: 7971+ A? bromgr.....cornell.edu. (47)
12:10:02.637562 IP 10.x.x.49.54732 > my.qry.DNS.svr.domain: 64460+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.638505 IP 10.x.x.50.57465 > my.qry.DNS.svr.domain: 46966+ A? bromgr.....cornell.edu. (47)
12:10:02.638523 IP 10.x.x.50.57465 > my.qry.DNS.svr.domain: 53780+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.639497 IP 10.x.x.49.38344 > my.qry.DNS.svr.domain: 28325+ A? bromgr.....cornell.edu. (47)
12:10:02.639516 IP 10.x.x.49.38344 > my.qry.DNS.svr.domain: 19079+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.640229 IP 10.x.x.50.47676 > my.qry.DNS.svr.domain: 17827+ A? bromgr.....cornell.edu. (47)
12:10:02.640242 IP 10.x.x.50.47676 > my.qry.DNS.svr.domain: 53819+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.640970 IP 10.x.x.49.38557 > my.qry.DNS.svr.domain: 22584+ A? bromgr.....cornell.edu. (47)
12:10:02.640987 IP 10.x.x.49.38557 > my.qry.DNS.svr.domain: 37619+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.641454 IP 10.x.x.50.52802 > my.qry.DNS.svr.domain: 1032+ A? bromgr.....cornell.edu. (47)
12:10:02.641473 IP 10.x.x.50.52802 > my.qry.DNS.svr.domain: 35294+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.642995 IP 10.x.x.49.46393 > my.qry.DNS.svr.domain: 17833+ A? bromgr.....cornell.edu. (47)
12:10:02.643017 IP 10.x.x.49.46393 > my.qry.DNS.svr.domain: 31869+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.643182 IP 10.x.x.50.58432 > my.qry.DNS.svr.domain: 4027+ A? bromgr.....cornell.edu. (47)
12:10:02.643195 IP 10.x.x.50.58432 > my.qry.DNS.svr.domain: 30651+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.644169 IP 10.x.x.49.33344 > my.qry.DNS.svr.domain: 25915+ A? bromgr.....cornell.edu. (47)
12:10:02.644188 IP 10.x.x.49.33344 > my.qry.DNS.svr.domain: 30349+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.644657 IP 10.x.x.50.57975 > my.qry.DNS.svr.domain: 4286+ A? bromgr.....cornell.edu. (47)
12:10:02.644675 IP 10.x.x.50.57975 > my.qry.DNS.svr.domain: 55205+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.645148 IP 10.x.x.49.41392 > my.qry.DNS.svr.domain: 43297+ A? bromgr.....cornell.edu. (47)
12:10:02.645168 IP 10.x.x.49.41392 > my.qry.DNS.svr.domain: 32960+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.645636 IP 10.x.x.50.50664 > my.qry.DNS.svr.domain: 20814+ A? bromgr.....cornell.edu. (47)
12:10:02.645652 IP 10.x.x.50.50664 > my.qry.DNS.svr.domain: 38656+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.648834 IP 10.x.x.50.58038 > my.qry.DNS.svr.domain: 10095+ A? bromgr.....cornell.edu. (47)
12:10:02.648855 IP 10.x.x.50.58038 > my.qry.DNS.svr.domain: 65255+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.650058 IP 10.x.x.50.35178 > my.qry.DNS.svr.domain: 11962+ A? bromgr.....cornell.edu. (47)
12:10:02.650076 IP 10.x.x.50.35178 > my.qry.DNS.svr.domain: 31638+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.651048 IP 10.x.x.50.43442 > my.qry.DNS.svr.domain: 57618+ A? bromgr.....cornell.edu. (47)
12:10:02.651067 IP 10.x.x.50.43442 > my.qry.DNS.svr.domain: 26521+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.651787 IP 10.x.x.50.34965 > my.qry.DNS.svr.domain: 35630+ A? bromgr.....cornell.edu. (47)
12:10:02.651804 IP 10.x.x.50.34965 > my.qry.DNS.svr.domain: 27082+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.654745 IP 10.x.x.40.41812 > my.qry.DNS.svr.domain: 16814+ A? bro03.....cornell.edu. (46)
12:10:02.654764 IP 10.x.x.40.41812 > my.qry.DNS.svr.domain: 39495+ AAAA? bro03.....cornell.edu. (46)
12:10:02.655734 IP 10.x.x.40.46556 > my.qry.DNS.svr.domain: 7362+ A? bro03.....cornell.edu. (46)
12:10:02.655751 IP 10.x.x.40.46556 > my.qry.DNS.svr.domain: 53103+ AAAA? bro03.....cornell.edu. (46)
12:10:02.659890 IP 10.x.x.50.43753 > my.qry.DNS.svr.domain: 44301+ PTR? 40.x.x.10.in-addr.arpa. (43)
12:10:02.660884 IP 10.x.x.50.60000 > my.qry.DNS.svr.domain: 12914+ A? bromgr.....cornell.edu. (47)
12:10:02.660900 IP 10.x.x.50.41433 > my.qry.DNS.svr.domain: 27848+ PTR? 40.x.x.10.in-addr.arpa. (43)
12:10:02.661847 IP 10.x.x.50.39242 > my.qry.DNS.svr.domain: 13097+ A? bromgr.....cornell.edu. (47)
12:10:02.707331 IP 10.x.x.50.39766 > my.qry.DNS.svr.domain: 29920+ PTR? 40.x.x.10.in-addr.arpa. (43)
12:10:02.707348 IP 10.x.x.50.42689 > my.qry.DNS.svr.domain: 32553+ PTR? 40.x.x.10.in-addr.arpa. (43)
12:10:02.708065 IP 10.x.x.50.56494 > my.qry.DNS.svr.domain: 2446+ A? bromgr.....cornell.edu. (47)
12:10:02.708547 IP 10.x.x.50.45130 > my.qry.DNS.svr.domain: 23814+ A? bromgr.....cornell.edu. (47)
12:10:02.709313 IP 10.x.x.40.33184 > my.qry.DNS.svr.domain: 28644+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:02.709809 IP 10.x.x.40.41788 > my.qry.DNS.svr.domain: 27668+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:02.710038 IP 10.x.x.40.42878 > my.qry.DNS.svr.domain: 10165+ A? bro03.....cornell.edu. (46)
12:10:02.710520 IP 10.x.x.40.41587 > my.qry.DNS.svr.domain: 31687+ A? bro03.....cornell.edu. (46)
12:10:02.711027 IP 10.x.x.40.55180 > my.qry.DNS.svr.domain: 3696+ A? bro03.....cornell.edu. (46)
12:10:02.711044 IP 10.x.x.40.55180 > my.qry.DNS.svr.domain: 13620+ AAAA? bro03.....cornell.edu. (46)
12:10:02.711514 IP 10.x.x.40.33303 > my.qry.DNS.svr.domain: 42574+ A? bro03.....cornell.edu. (46)
12:10:02.711536 IP 10.x.x.40.33303 > my.qry.DNS.svr.domain: 28126+ AAAA? bro03.....cornell.edu. (46)
12:10:02.711755 IP 10.x.x.40.59142 > my.qry.DNS.svr.domain: 61445+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:02.712241 IP 10.x.x.40.42787 > my.qry.DNS.svr.domain: 22688+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:02.713227 IP 10.x.x.40.58752 > my.qry.DNS.svr.domain: 870+ A? bro03.....cornell.edu. (46)
12:10:02.713240 IP 10.x.x.40.58752 > my.qry.DNS.svr.domain: 30416+ AAAA? bro03.....cornell.edu. (46)
12:10:02.713478 IP 10.x.x.40.53330 > my.qry.DNS.svr.domain: 59257+ A? bro03.....cornell.edu. (46)
12:10:02.713488 IP 10.x.x.40.53330 > my.qry.DNS.svr.domain: 36443+ AAAA? bro03.....cornell.edu. (46)
12:10:02.713980 IP 10.x.x.40.45140 > my.qry.DNS.svr.domain: 53530+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:02.714218 IP 10.x.x.40.60759 > my.qry.DNS.svr.domain: 4400+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:02.714950 IP 10.x.x.40.33512 > my.qry.DNS.svr.domain: 3042+ A? bro03.....cornell.edu. (46)
12:10:02.714971 IP 10.x.x.40.33512 > my.qry.DNS.svr.domain: 2483+ AAAA? bro03.....cornell.edu. (46)
12:10:02.715196 IP 10.x.x.40.59449 > my.qry.DNS.svr.domain: 63297+ A? bro03.....cornell.edu. (46)
12:10:02.715208 IP 10.x.x.40.59449 > my.qry.DNS.svr.domain: 37211+ AAAA? bro03.....cornell.edu. (46)
12:10:02.715930 IP 10.x.x.40.52535 > my.qry.DNS.svr.domain: 23500+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:02.716191 IP 10.x.x.40.60301 > my.qry.DNS.svr.domain: 25415+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:02.717413 IP 10.x.x.40.44108 > my.qry.DNS.svr.domain: 11911+ A? bro03.....cornell.edu. (46)
12:10:02.717432 IP 10.x.x.40.37814 > my.qry.DNS.svr.domain: 61564+ A? bro03.....cornell.edu. (46)
12:10:02.717439 IP 10.x.x.40.44108 > my.qry.DNS.svr.domain: 26957+ AAAA? bro03.....cornell.edu. (46)
12:10:02.717448 IP 10.x.x.40.37814 > my.qry.DNS.svr.domain: 52665+ AAAA? bro03.....cornell.edu. (46)
12:10:02.718157 IP 10.x.x.40.45786 > my.qry.DNS.svr.domain: 55707+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:02.718176 IP 10.x.x.40.59773 > my.qry.DNS.svr.domain: 8974+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:02.722332 IP 10.x.x.50.50006 > my.qry.DNS.svr.domain: 41198+ A? bromgr.....cornell.edu. (47)
12:10:02.722352 IP 10.x.x.50.50006 > my.qry.DNS.svr.domain: 62949+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.723311 IP 10.x.x.50.58274 > my.qry.DNS.svr.domain: 53379+ A? bromgr.....cornell.edu. (47)
12:10:02.723329 IP 10.x.x.50.58274 > my.qry.DNS.svr.domain: 63875+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.724532 IP 10.x.x.50.60710 > my.qry.DNS.svr.domain: 54517+ A? bromgr.....cornell.edu. (47)
12:10:02.724550 IP 10.x.x.50.60710 > my.qry.DNS.svr.domain: 12814+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.725047 IP 10.x.x.50.44087 > my.qry.DNS.svr.domain: 44419+ A? bromgr.....cornell.edu. (47)
12:10:02.725064 IP 10.x.x.50.44087 > my.qry.DNS.svr.domain: 51339+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.726008 IP 10.x.x.50.51224 > my.qry.DNS.svr.domain: 22083+ A? bromgr.....cornell.edu. (47)
12:10:02.726025 IP 10.x.x.50.44940 > my.qry.DNS.svr.domain: 12354+ A? bromgr.....cornell.edu. (47)
12:10:02.726031 IP 10.x.x.50.51224 > my.qry.DNS.svr.domain: 37635+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.726036 IP 10.x.x.50.44940 > my.qry.DNS.svr.domain: 26240+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.727720 IP 10.x.x.50.35751 > my.qry.DNS.svr.domain: 13216+ A? bromgr.....cornell.edu. (47)
12:10:02.727733 IP 10.x.x.50.35751 > my.qry.DNS.svr.domain: 55396+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.728218 IP 10.x.x.50.46618 > my.qry.DNS.svr.domain: 8081+ A? bromgr.....cornell.edu. (47)
12:10:02.728237 IP 10.x.x.50.46618 > my.qry.DNS.svr.domain: 32441+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.728964 IP 10.x.x.50.51302 > my.qry.DNS.svr.domain: 42333+ A? bromgr.....cornell.edu. (47)
12:10:02.728985 IP 10.x.x.50.51302 > my.qry.DNS.svr.domain: 36291+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.729444 IP 10.x.x.50.59330 > my.qry.DNS.svr.domain: 29801+ A? bromgr.....cornell.edu. (47)
12:10:02.729459 IP 10.x.x.50.59330 > my.qry.DNS.svr.domain: 24410+ AAAA? bromgr.....cornell.edu. (47)
12:10:02.729687 IP 10.x.x.50.43470 > my.qry.DNS.svr.domain: 50763+ A? bromgr.....cornell.edu. (47)
12:10:02.729702 IP 10.x.x.50.43470 > my.qry.DNS.svr.domain: 20446+ AAAA? bromgr.....cornell.edu.
(47) 12:10:02.730427 IP 10.x.x.50.50387 > my.qry.DNS.svr.domain: 61640+ A? bromgr.....cornell.edu. (47) 12:10:02.730444 IP 10.x.x.50.50387 > my.qry.DNS.svr.domain: 28225+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.732879 IP 10.x.x.50.50036 > my.qry.DNS.svr.domain: 59607+ A? bromgr.....cornell.edu. (47) 12:10:02.732897 IP 10.x.x.50.50036 > my.qry.DNS.svr.domain: 54236+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.733859 IP 10.x.x.50.45653 > my.qry.DNS.svr.domain: 48295+ A? bromgr.....cornell.edu. (47) 12:10:02.733872 IP 10.x.x.50.45653 > my.qry.DNS.svr.domain: 65148+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.734857 IP 10.x.x.50.49343 > my.qry.DNS.svr.domain: 20059+ A? bromgr.....cornell.edu. (47) 12:10:02.734877 IP 10.x.x.50.49343 > my.qry.DNS.svr.domain: 3392+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.735603 IP 10.x.x.50.56460 > my.qry.DNS.svr.domain: 20449+ A? bromgr.....cornell.edu. (47) 12:10:02.735629 IP 10.x.x.50.56460 > my.qry.DNS.svr.domain: 15497+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.738806 IP 10.x.x.40.33597 > my.qry.DNS.svr.domain: 39046+ A? bro03.....cornell.edu. (46) 12:10:02.738836 IP 10.x.x.40.33597 > my.qry.DNS.svr.domain: 24312+ AAAA? bro03.....cornell.edu. (46) 12:10:02.739774 IP 10.x.x.40.39513 > my.qry.DNS.svr.domain: 60757+ A? bro03.....cornell.edu. (46) 12:10:02.739788 IP 10.x.x.40.39513 > my.qry.DNS.svr.domain: 64405+ AAAA? bro03.....cornell.edu. (46) 12:10:02.743948 IP 10.x.x.50.33874 > my.qry.DNS.svr.domain: 15099+ PTR? 40.x.x.10.in-addr.arpa. (43) 12:10:02.744466 IP 10.x.x.50.33828 > my.qry.DNS.svr.domain: 15915+ PTR? 40.x.x.10.in-addr.arpa. (43) 12:10:02.744913 IP 10.x.x.50.38867 > my.qry.DNS.svr.domain: 21587+ A? bromgr.....cornell.edu. (47) 12:10:02.745440 IP 10.x.x.50.56168 > my.qry.DNS.svr.domain: 59214+ A? bromgr.....cornell.edu. (47) 12:10:02.791148 IP 10.x.x.50.42014 > my.qry.DNS.svr.domain: 48186+ PTR? 40.x.x.10.in-addr.arpa. (43) 12:10:02.791889 IP 10.x.x.50.38064 > my.qry.DNS.svr.domain: 20920+ A? 
bromgr.....cornell.edu. (47) 12:10:02.792139 IP 10.x.x.50.56958 > my.qry.DNS.svr.domain: 20552+ PTR? 40.x.x.10.in-addr.arpa. (43) 12:10:02.792846 IP 10.x.x.50.45089 > my.qry.DNS.svr.domain: 48947+ A? bromgr.....cornell.edu. (47) 12:10:02.793360 IP 10.x.x.40.47506 > my.qry.DNS.svr.domain: 58237+ PTR? 50.x.x.10.in-addr.arpa. (43) 12:10:02.793838 IP 10.x.x.40.48369 > my.qry.DNS.svr.domain: 10929+ PTR? 50.x.x.10.in-addr.arpa. (43) 12:10:02.794134 IP 10.x.x.40.49870 > my.qry.DNS.svr.domain: 21152+ A? bro03.....cornell.edu. (46) 12:10:02.794812 IP 10.x.x.40.47083 > my.qry.DNS.svr.domain: 60010+ A? bro03.....cornell.edu. (46) 12:10:02.795093 IP 10.x.x.40.45946 > my.qry.DNS.svr.domain: 46677+ A? bro03.....cornell.edu. (46) 12:10:02.795110 IP 10.x.x.40.45946 > my.qry.DNS.svr.domain: 27155+ AAAA? bro03.....cornell.edu. (46) 12:10:02.795807 IP 10.x.x.40.58915 > my.qry.DNS.svr.domain: 31055+ A? bro03.....cornell.edu. (46) 12:10:02.795827 IP 10.x.x.40.32820 > my.qry.DNS.svr.domain: 12549+ PTR? 50.x.x.10.in-addr.arpa. (43) 12:10:02.795833 IP 10.x.x.40.58915 > my.qry.DNS.svr.domain: 32830+ AAAA? bro03.....cornell.edu. (46) 12:10:02.796796 IP 10.x.x.40.58467 > my.qry.DNS.svr.domain: 36847+ PTR? 50.x.x.10.in-addr.arpa. (43) 12:10:02.797037 IP 10.x.x.40.54999 > my.qry.DNS.svr.domain: 60511+ A? bro03.....cornell.edu. (46) 12:10:02.797050 IP 10.x.x.40.54999 > my.qry.DNS.svr.domain: 26562+ AAAA? bro03.....cornell.edu. (46) 12:10:02.797763 IP 10.x.x.40.52352 > my.qry.DNS.svr.domain: 49892+ PTR? 50.x.x.10.in-addr.arpa. (43) 12:10:02.798019 IP 10.x.x.40.40562 > my.qry.DNS.svr.domain: 22080+ A? bro03.....cornell.edu. (46) 12:10:02.798031 IP 10.x.x.40.40562 > my.qry.DNS.svr.domain: 63896+ AAAA? bro03.....cornell.edu. (46) 12:10:02.798764 IP 10.x.x.40.44726 > my.qry.DNS.svr.domain: 59479+ PTR? 50.x.x.10.in-addr.arpa. (43) 12:10:02.799007 IP 10.x.x.40.35473 > my.qry.DNS.svr.domain: 12560+ A? bro03.....cornell.edu. (46) 12:10:02.799020 IP 10.x.x.40.35473 > my.qry.DNS.svr.domain: 17475+ AAAA? 
bro03.....cornell.edu. (46) 12:10:02.799738 IP 10.x.x.40.40992 > my.qry.DNS.svr.domain: 32699+ A? bro03.....cornell.edu. (46) 12:10:02.799753 IP 10.x.x.40.40992 > my.qry.DNS.svr.domain: 63014+ AAAA? bro03.....cornell.edu. (46) 12:10:02.800014 IP 10.x.x.40.56211 > my.qry.DNS.svr.domain: 7971+ PTR? 50.x.x.10.in-addr.arpa. (43) 12:10:02.800475 IP 10.x.x.40.46281 > my.qry.DNS.svr.domain: 48575+ PTR? 50.x.x.10.in-addr.arpa. (43) 12:10:02.801007 IP 10.x.x.40.45902 > my.qry.DNS.svr.domain: 15011+ A? bro03.....cornell.edu. (46) 12:10:02.801020 IP 10.x.x.40.45902 > my.qry.DNS.svr.domain: 35114+ AAAA? bro03.....cornell.edu. (46) 12:10:02.801461 IP 10.x.x.40.36088 > my.qry.DNS.svr.domain: 50401+ A? bro03.....cornell.edu. (46) 12:10:02.801477 IP 10.x.x.40.36088 > my.qry.DNS.svr.domain: 64266+ AAAA? bro03.....cornell.edu. (46) 12:10:02.801702 IP 10.x.x.40.58901 > my.qry.DNS.svr.domain: 54338+ PTR? 50.x.x.10.in-addr.arpa. (43) 12:10:02.802185 IP 10.x.x.40.42535 > my.qry.DNS.svr.domain: 32054+ PTR? 50.x.x.10.in-addr.arpa. (43) 12:10:02.808339 IP 10.x.x.50.48578 > my.qry.DNS.svr.domain: 2790+ A? bromgr.....cornell.edu. (47) 12:10:02.808360 IP 10.x.x.50.51809 > my.qry.DNS.svr.domain: 13789+ A? bromgr.....cornell.edu. (47) 12:10:02.808369 IP 10.x.x.50.48578 > my.qry.DNS.svr.domain: 64294+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.808377 IP 10.x.x.50.51809 > my.qry.DNS.svr.domain: 64913+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.810092 IP 10.x.x.50.48079 > my.qry.DNS.svr.domain: 42425+ A? bromgr.....cornell.edu. (47) 12:10:02.810118 IP 10.x.x.50.45651 > my.qry.DNS.svr.domain: 5318+ A? bromgr.....cornell.edu. (47) 12:10:02.810126 IP 10.x.x.50.48079 > my.qry.DNS.svr.domain: 52970+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.810133 IP 10.x.x.50.45651 > my.qry.DNS.svr.domain: 36716+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.811535 IP 10.x.x.50.39974 > my.qry.DNS.svr.domain: 44351+ A? bromgr.....cornell.edu. (47) 12:10:02.811554 IP 10.x.x.50.37122 > my.qry.DNS.svr.domain: 953+ A? 
bromgr.....cornell.edu. (47) 12:10:02.811564 IP 10.x.x.50.39974 > my.qry.DNS.svr.domain: 32670+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.811575 IP 10.x.x.50.37122 > my.qry.DNS.svr.domain: 14863+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.813242 IP 10.x.x.50.47618 > my.qry.DNS.svr.domain: 26018+ A? bromgr.....cornell.edu. (47) 12:10:02.813254 IP 10.x.x.50.47618 > my.qry.DNS.svr.domain: 27340+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.813494 IP 10.x.x.50.54563 > my.qry.DNS.svr.domain: 54896+ A? bromgr.....cornell.edu. (47) 12:10:02.813511 IP 10.x.x.50.54563 > my.qry.DNS.svr.domain: 15084+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.814478 IP 10.x.x.50.55650 > my.qry.DNS.svr.domain: 5987+ A? bromgr.....cornell.edu. (47) 12:10:02.814494 IP 10.x.x.50.55650 > my.qry.DNS.svr.domain: 47923+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.814963 IP 10.x.x.50.58998 > my.qry.DNS.svr.domain: 61005+ A? bromgr.....cornell.edu. (47) 12:10:02.814976 IP 10.x.x.50.58998 > my.qry.DNS.svr.domain: 26006+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.815215 IP 10.x.x.50.47340 > my.qry.DNS.svr.domain: 53255+ A? bromgr.....cornell.edu. (47) 12:10:02.815229 IP 10.x.x.50.47340 > my.qry.DNS.svr.domain: 12262+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.815702 IP 10.x.x.50.57572 > my.qry.DNS.svr.domain: 54061+ A? bromgr.....cornell.edu. (47) 12:10:02.815713 IP 10.x.x.50.57572 > my.qry.DNS.svr.domain: 10447+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.818417 IP 10.x.x.50.42379 > my.qry.DNS.svr.domain: 3576+ A? bromgr.....cornell.edu. (47) 12:10:02.818434 IP 10.x.x.50.42379 > my.qry.DNS.svr.domain: 25108+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.819396 IP 10.x.x.50.39618 > my.qry.DNS.svr.domain: 10231+ A? bromgr.....cornell.edu. (47) 12:10:02.819410 IP 10.x.x.50.39618 > my.qry.DNS.svr.domain: 30180+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.820386 IP 10.x.x.50.55908 > my.qry.DNS.svr.domain: 43905+ A? bromgr.....cornell.edu. 
(47) 12:10:02.820406 IP 10.x.x.50.55908 > my.qry.DNS.svr.domain: 9513+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.821349 IP 10.x.x.50.53739 > my.qry.DNS.svr.domain: 24022+ A? bromgr.....cornell.edu. (47) 12:10:02.821361 IP 10.x.x.50.53739 > my.qry.DNS.svr.domain: 13198+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.824323 IP 10.x.x.40.36698 > my.qry.DNS.svr.domain: 46623+ A? bro03.....cornell.edu. (46) 12:10:02.824338 IP 10.x.x.40.36698 > my.qry.DNS.svr.domain: 32809+ AAAA? bro03.....cornell.edu. (46) 12:10:02.826064 IP 10.x.x.40.40147 > my.qry.DNS.svr.domain: 14531+ A? bro03.....cornell.edu. (46) 12:10:02.826088 IP 10.x.x.40.40147 > my.qry.DNS.svr.domain: 15228+ AAAA? bro03.....cornell.edu. (46) 12:10:02.829495 IP 10.x.x.50.56803 > my.qry.DNS.svr.domain: 52205+ PTR? 40.x.x.10.in-addr.arpa. (43) 12:10:02.830700 IP 10.x.x.50.38269 > my.qry.DNS.svr.domain: 1779+ A? bromgr.....cornell.edu. (47) 12:10:02.830944 IP 10.x.x.50.58625 > my.qry.DNS.svr.domain: 4729+ PTR? 40.x.x.10.in-addr.arpa. (43) 12:10:02.831678 IP 10.x.x.50.57431 > my.qry.DNS.svr.domain: 38629+ A? bromgr.....cornell.edu. (47) 12:10:02.875912 IP 10.x.x.50.58824 > my.qry.DNS.svr.domain: 12687+ PTR? 40.x.x.10.in-addr.arpa. (43) 12:10:02.876647 IP 10.x.x.50.43964 > my.qry.DNS.svr.domain: 5638+ A? bromgr.....cornell.edu. (47) 12:10:02.877891 IP 10.x.x.50.45600 > my.qry.DNS.svr.domain: 31380+ PTR? 40.x.x.10.in-addr.arpa. (43) 12:10:02.877891 IP 10.x.x.40.54471 > my.qry.DNS.svr.domain: 24067+ PTR? 50.x.x.10.in-addr.arpa. (43) 12:10:02.878628 IP 10.x.x.40.46857 > my.qry.DNS.svr.domain: 52359+ A? bro03.....cornell.edu. (46) 12:10:02.878862 IP 10.x.x.50.38168 > my.qry.DNS.svr.domain: 695+ A? bromgr.....cornell.edu. (47) 12:10:02.879873 IP 10.x.x.40.45681 > my.qry.DNS.svr.domain: 52780+ A? bro03.....cornell.edu. (46) 12:10:02.879888 IP 10.x.x.40.45681 > my.qry.DNS.svr.domain: 42204+ AAAA? bro03.....cornell.edu. (46) 12:10:02.879894 IP 10.x.x.40.49723 > my.qry.DNS.svr.domain: 19136+ PTR? 50.x.x.10.in-addr.arpa. 
(43) 12:10:02.880600 IP 10.x.x.40.37778 > my.qry.DNS.svr.domain: 63084+ PTR? 50.x.x.10.in-addr.arpa. (43) 12:10:02.880838 IP 10.x.x.40.37460 > my.qry.DNS.svr.domain: 30758+ A? bro03.....cornell.edu. (46) 12:10:02.881841 IP 10.x.x.40.39606 > my.qry.DNS.svr.domain: 43110+ A? bro03.....cornell.edu. (46) 12:10:02.881863 IP 10.x.x.40.39606 > my.qry.DNS.svr.domain: 53866+ AAAA? bro03.....cornell.edu. (46) 12:10:02.882069 IP 10.x.x.40.49268 > my.qry.DNS.svr.domain: 24170+ A? bro03.....cornell.edu. (46) 12:10:02.882090 IP 10.x.x.40.49268 > my.qry.DNS.svr.domain: 28854+ AAAA? bro03.....cornell.edu. (46) 12:10:02.882822 IP 10.x.x.40.46942 > my.qry.DNS.svr.domain: 28240+ PTR? 50.x.x.10.in-addr.arpa. (43) 12:10:02.882841 IP 10.x.x.40.38220 > my.qry.DNS.svr.domain: 43147+ PTR? 50.x.x.10.in-addr.arpa. (43) 12:10:02.884045 IP 10.x.x.40.55191 > my.qry.DNS.svr.domain: 43070+ A? bro03.....cornell.edu. (46) 12:10:02.884062 IP 10.x.x.40.56599 > my.qry.DNS.svr.domain: 22516+ A? bro03.....cornell.edu. (46) 12:10:02.884067 IP 10.x.x.40.55191 > my.qry.DNS.svr.domain: 58935+ AAAA? bro03.....cornell.edu. (46) 12:10:02.884074 IP 10.x.x.40.56599 > my.qry.DNS.svr.domain: 14952+ AAAA? bro03.....cornell.edu. (46) 12:10:02.884775 IP 10.x.x.40.40233 > my.qry.DNS.svr.domain: 43295+ PTR? 50.x.x.10.in-addr.arpa. (43) 12:10:02.884793 IP 10.x.x.40.41171 > my.qry.DNS.svr.domain: 54611+ PTR? 50.x.x.10.in-addr.arpa. (43) 12:10:02.885765 IP 10.x.x.40.38604 > my.qry.DNS.svr.domain: 46074+ A? bro03.....cornell.edu. (46) 12:10:02.885787 IP 10.x.x.40.38604 > my.qry.DNS.svr.domain: 41440+ AAAA? bro03.....cornell.edu. (46) 12:10:02.886008 IP 10.x.x.40.44986 > my.qry.DNS.svr.domain: 16450+ A? bro03.....cornell.edu. (46) 12:10:02.886026 IP 10.x.x.40.44986 > my.qry.DNS.svr.domain: 56123+ AAAA? bro03.....cornell.edu. (46) 12:10:02.886483 IP 10.x.x.40.46181 > my.qry.DNS.svr.domain: 39905+ PTR? 50.x.x.10.in-addr.arpa. (43) 12:10:02.886743 IP 10.x.x.40.60240 > my.qry.DNS.svr.domain: 62747+ PTR? 50.x.x.10.in-addr.arpa. 
(43) 12:10:02.887970 IP 10.x.x.40.41328 > my.qry.DNS.svr.domain: 57194+ A? bro03.....cornell.edu. (46) 12:10:02.887990 IP 10.x.x.40.41328 > my.qry.DNS.svr.domain: 60868+ AAAA? bro03.....cornell.edu. (46) 12:10:02.888708 IP 10.x.x.40.60198 > my.qry.DNS.svr.domain: 12211+ PTR? 50.x.x.10.in-addr.arpa. (43) 12:10:02.891884 IP 10.x.x.50.59514 > my.qry.DNS.svr.domain: 23992+ A? bromgr.....cornell.edu. (47) 12:10:02.891896 IP 10.x.x.50.59514 > my.qry.DNS.svr.domain: 36474+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.893874 IP 10.x.x.50.37144 > my.qry.DNS.svr.domain: 2837+ A? bromgr.....cornell.edu. (47) 12:10:02.893887 IP 10.x.x.50.37144 > my.qry.DNS.svr.domain: 39549+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.893892 IP 10.x.x.50.55831 > my.qry.DNS.svr.domain: 22574+ A? bromgr.....cornell.edu. (47) 12:10:02.893898 IP 10.x.x.50.55831 > my.qry.DNS.svr.domain: 51179+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.895338 IP 10.x.x.50.50945 > my.qry.DNS.svr.domain: 6854+ A? bromgr.....cornell.edu. (47) 12:10:02.895357 IP 10.x.x.50.50945 > my.qry.DNS.svr.domain: 1193+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.895366 IP 10.x.x.50.60642 > my.qry.DNS.svr.domain: 43841+ A? bromgr.....cornell.edu. (47) 12:10:02.895374 IP 10.x.x.50.60642 > my.qry.DNS.svr.domain: 33037+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.896327 IP 10.x.x.50.49589 > my.qry.DNS.svr.domain: 17693+ A? bromgr.....cornell.edu. (47) 12:10:02.896344 IP 10.x.x.50.49589 > my.qry.DNS.svr.domain: 2103+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.897293 IP 10.x.x.50.41560 > my.qry.DNS.svr.domain: 13261+ A? bromgr.....cornell.edu. (47) 12:10:02.897316 IP 10.x.x.50.41560 > my.qry.DNS.svr.domain: 42773+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.897795 IP 10.x.x.50.55115 > my.qry.DNS.svr.domain: 57285+ A? bromgr.....cornell.edu. (47) 12:10:02.897818 IP 10.x.x.50.55115 > my.qry.DNS.svr.domain: 60011+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.898773 IP 10.x.x.50.51094 > my.qry.DNS.svr.domain: 12997+ A? 
bromgr.....cornell.edu. (47) 12:10:02.898790 IP 10.x.x.50.51094 > my.qry.DNS.svr.domain: 27369+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.899017 IP 10.x.x.50.51178 > my.qry.DNS.svr.domain: 7291+ A? bromgr.....cornell.edu. (47) 12:10:02.899035 IP 10.x.x.50.51178 > my.qry.DNS.svr.domain: 36038+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.899758 IP 10.x.x.50.54361 > my.qry.DNS.svr.domain: 11333+ A? bromgr.....cornell.edu. (47) 12:10:02.899773 IP 10.x.x.50.54361 > my.qry.DNS.svr.domain: 462+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.900028 IP 10.x.x.50.44653 > my.qry.DNS.svr.domain: 54017+ A? bromgr.....cornell.edu. (47) 12:10:02.900046 IP 10.x.x.50.44653 > my.qry.DNS.svr.domain: 15650+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.902962 IP 10.x.x.50.47545 > my.qry.DNS.svr.domain: 192+ A? bromgr.....cornell.edu. (47) 12:10:02.902985 IP 10.x.x.50.47545 > my.qry.DNS.svr.domain: 44220+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.904200 IP 10.x.x.50.49849 > my.qry.DNS.svr.domain: 32627+ A? bromgr.....cornell.edu. (47) 12:10:02.904220 IP 10.x.x.50.49849 > my.qry.DNS.svr.domain: 43828+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.905174 IP 10.x.x.50.43687 > my.qry.DNS.svr.domain: 15384+ A? bromgr.....cornell.edu. (47) 12:10:02.905192 IP 10.x.x.50.43687 > my.qry.DNS.svr.domain: 37637+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.905896 IP 10.x.x.50.48106 > my.qry.DNS.svr.domain: 64143+ A? bromgr.....cornell.edu. (47) 12:10:02.905908 IP 10.x.x.50.48106 > my.qry.DNS.svr.domain: 9249+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.909111 IP 10.x.x.40.57889 > my.qry.DNS.svr.domain: 91+ A? bro03.....cornell.edu. (46) 12:10:02.909127 IP 10.x.x.40.57889 > my.qry.DNS.svr.domain: 35490+ AAAA? bro03.....cornell.edu. (46) 12:10:02.910335 IP 10.x.x.40.35079 > my.qry.DNS.svr.domain: 64022+ A? bro03.....cornell.edu. (46) 12:10:02.910351 IP 10.x.x.40.35079 > my.qry.DNS.svr.domain: 15642+ AAAA? bro03.....cornell.edu. (46) 12:10:02.914257 IP 10.x.x.50.44700 > my.qry.DNS.svr.domain: 54374+ PTR? 
40.x.x.10.in-addr.arpa. (43) 12:10:02.914986 IP 10.x.x.50.37917 > my.qry.DNS.svr.domain: 52946+ PTR? 40.x.x.10.in-addr.arpa. (43) 12:10:02.915256 IP 10.x.x.50.43885 > my.qry.DNS.svr.domain: 5655+ A? bromgr.....cornell.edu. (47) 12:10:02.916221 IP 10.x.x.50.41555 > my.qry.DNS.svr.domain: 49931+ A? bromgr.....cornell.edu. (47) 12:10:02.960955 IP 10.x.x.50.36927 > my.qry.DNS.svr.domain: 5802+ PTR? 40.x.x.10.in-addr.arpa. (43) 12:10:02.962183 IP 10.x.x.50.43320 > my.qry.DNS.svr.domain: 294+ A? bromgr.....cornell.edu. (47) 12:10:02.962203 IP 10.x.x.50.45842 > my.qry.DNS.svr.domain: 55644+ PTR? 40.x.x.10.in-addr.arpa. (43) 12:10:02.963159 IP 10.x.x.50.37674 > my.qry.DNS.svr.domain: 33164+ A? bromgr.....cornell.edu. (47) 12:10:02.963418 IP 10.x.x.40.50591 > my.qry.DNS.svr.domain: 56562+ PTR? 50.x.x.10.in-addr.arpa. (43) 12:10:02.964145 IP 10.x.x.40.51267 > my.qry.DNS.svr.domain: 13613+ PTR? 50.x.x.10.in-addr.arpa. (43) 12:10:02.964408 IP 10.x.x.40.54965 > my.qry.DNS.svr.domain: 60476+ A? bro03.....cornell.edu. (46) 12:10:02.964914 IP 10.x.x.40.42025 > my.qry.DNS.svr.domain: 34234+ A? bro03.....cornell.edu. (46) 12:10:02.965386 IP 10.x.x.40.40902 > my.qry.DNS.svr.domain: 9294+ A? bro03.....cornell.edu. (46) 12:10:02.965403 IP 10.x.x.40.40902 > my.qry.DNS.svr.domain: 47207+ AAAA? bro03.....cornell.edu. (46) 12:10:02.965894 IP 10.x.x.40.36712 > my.qry.DNS.svr.domain: 53509+ A? bro03.....cornell.edu. (46) 12:10:02.965914 IP 10.x.x.40.36712 > my.qry.DNS.svr.domain: 51545+ AAAA? bro03.....cornell.edu. (46) 12:10:02.966122 IP 10.x.x.40.36294 > my.qry.DNS.svr.domain: 58600+ PTR? 50.x.x.10.in-addr.arpa. (43) 12:10:02.966612 IP 10.x.x.40.39536 > my.qry.DNS.svr.domain: 54716+ PTR? 50.x.x.10.in-addr.arpa. (43) 12:10:02.967373 IP 10.x.x.40.48796 > my.qry.DNS.svr.domain: 47309+ A? bro03.....cornell.edu. (46) 12:10:02.967394 IP 10.x.x.40.48796 > my.qry.DNS.svr.domain: 56506+ AAAA? bro03.....cornell.edu. (46) 12:10:02.967848 IP 10.x.x.40.50238 > my.qry.DNS.svr.domain: 50528+ A? 
bro03.....cornell.edu. (46) 12:10:02.967866 IP 10.x.x.40.50238 > my.qry.DNS.svr.domain: 25868+ AAAA? bro03.....cornell.edu. (46) 12:10:02.968077 IP 10.x.x.40.43126 > my.qry.DNS.svr.domain: 50276+ PTR? 50.x.x.10.in-addr.arpa. (43) 12:10:02.968579 IP 10.x.x.40.49265 > my.qry.DNS.svr.domain: 48122+ PTR? 50.x.x.10.in-addr.arpa. (43) 12:10:02.969091 IP 10.x.x.40.41093 > my.qry.DNS.svr.domain: 61962+ A? bro03.....cornell.edu. (46) 12:10:02.969110 IP 10.x.x.40.41093 > my.qry.DNS.svr.domain: 47289+ AAAA? bro03.....cornell.edu. (46) 12:10:02.969560 IP 10.x.x.40.34303 > my.qry.DNS.svr.domain: 30119+ A? bro03.....cornell.edu. (46) 12:10:02.969576 IP 10.x.x.40.34303 > my.qry.DNS.svr.domain: 10076+ AAAA? bro03.....cornell.edu. (46) 12:10:02.969821 IP 10.x.x.40.40244 > my.qry.DNS.svr.domain: 24318+ PTR? 50.x.x.10.in-addr.arpa. (43) 12:10:02.970297 IP 10.x.x.40.49582 > my.qry.DNS.svr.domain: 7520+ PTR? 50.x.x.10.in-addr.arpa. (43) 12:10:02.971044 IP 10.x.x.40.45973 > my.qry.DNS.svr.domain: 45087+ A? bro03.....cornell.edu. (46) 12:10:02.971067 IP 10.x.x.40.45973 > my.qry.DNS.svr.domain: 47689+ AAAA? bro03.....cornell.edu. (46) 12:10:02.971773 IP 10.x.x.40.40072 > my.qry.DNS.svr.domain: 49001+ A? bro03.....cornell.edu. (46) 12:10:02.971787 IP 10.x.x.40.40072 > my.qry.DNS.svr.domain: 36219+ AAAA? bro03.....cornell.edu. (46) 12:10:02.971797 IP 10.x.x.40.60670 > my.qry.DNS.svr.domain: 12503+ PTR? 50.x.x.10.in-addr.arpa. (43) 12:10:02.972513 IP 10.x.x.40.41745 > my.qry.DNS.svr.domain: 60365+ PTR? 50.x.x.10.in-addr.arpa. (43) 12:10:02.977674 IP 10.x.x.50.41334 > my.qry.DNS.svr.domain: 18137+ A? bromgr.....cornell.edu. (47) 12:10:02.977688 IP 10.x.x.50.41334 > my.qry.DNS.svr.domain: 42144+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.978175 IP 10.x.x.50.49014 > my.qry.DNS.svr.domain: 51854+ A? bromgr.....cornell.edu. (47) 12:10:02.978191 IP 10.x.x.50.49014 > my.qry.DNS.svr.domain: 44186+ AAAA? bromgr.....cornell.edu. 
(47) 12:10:02.979388 IP 10.x.x.50.48149 > my.qry.DNS.svr.domain: 31753+ A? bromgr.....cornell.edu. (47) 12:10:02.979401 IP 10.x.x.50.48149 > my.qry.DNS.svr.domain: 9084+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.979884 IP 10.x.x.50.49872 > my.qry.DNS.svr.domain: 58680+ A? bromgr.....cornell.edu. (47) 12:10:02.979898 IP 10.x.x.50.49872 > my.qry.DNS.svr.domain: 7391+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.980614 IP 10.x.x.50.42012 > my.qry.DNS.svr.domain: 40126+ A? bromgr.....cornell.edu. (47) 12:10:02.980631 IP 10.x.x.50.42012 > my.qry.DNS.svr.domain: 32779+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.980856 IP 10.x.x.50.35456 > my.qry.DNS.svr.domain: 63585+ A? bromgr.....cornell.edu. (47) 12:10:02.980876 IP 10.x.x.50.35456 > my.qry.DNS.svr.domain: 5615+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.982340 IP 10.x.x.50.33405 > my.qry.DNS.svr.domain: 30506+ A? bromgr.....cornell.edu. (47) 12:10:02.982354 IP 10.x.x.50.33405 > my.qry.DNS.svr.domain: 58239+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.982359 IP 10.x.x.50.59043 > my.qry.DNS.svr.domain: 2731+ A? bromgr.....cornell.edu. (47) 12:10:02.982365 IP 10.x.x.50.59043 > my.qry.DNS.svr.domain: 51570+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.983557 IP 10.x.x.50.47669 > my.qry.DNS.svr.domain: 18306+ A? bromgr.....cornell.edu. (47) 12:10:02.983569 IP 10.x.x.50.47669 > my.qry.DNS.svr.domain: 28957+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.983807 IP 10.x.x.50.51130 > my.qry.DNS.svr.domain: 44471+ A? bromgr.....cornell.edu. (47) 12:10:02.983818 IP 10.x.x.50.51130 > my.qry.DNS.svr.domain: 8558+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.984794 IP 10.x.x.50.46624 > my.qry.DNS.svr.domain: 60899+ A? bromgr.....cornell.edu. (47) 12:10:02.984808 IP 10.x.x.50.46624 > my.qry.DNS.svr.domain: 43700+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.984814 IP 10.x.x.50.54564 > my.qry.DNS.svr.domain: 46858+ A? bromgr.....cornell.edu. (47) 12:10:02.984820 IP 10.x.x.50.54564 > my.qry.DNS.svr.domain: 38065+ AAAA? 
bromgr.....cornell.edu. (47) 12:10:02.987755 IP 10.x.x.50.33481 > my.qry.DNS.svr.domain: 11450+ A? bromgr.....cornell.edu. (47) 12:10:02.987773 IP 10.x.x.50.33481 > my.qry.DNS.svr.domain: 30665+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.988723 IP 10.x.x.50.47286 > my.qry.DNS.svr.domain: 37610+ A? bromgr.....cornell.edu. (47) 12:10:02.988741 IP 10.x.x.50.47286 > my.qry.DNS.svr.domain: 13078+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.989707 IP 10.x.x.50.49141 > my.qry.DNS.svr.domain: 8027+ A? bromgr.....cornell.edu. (47) 12:10:02.989728 IP 10.x.x.50.49141 > my.qry.DNS.svr.domain: 55977+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.990444 IP 10.x.x.50.51425 > my.qry.DNS.svr.domain: 42102+ A? bromgr.....cornell.edu. (47) 12:10:02.990464 IP 10.x.x.50.51425 > my.qry.DNS.svr.domain: 18762+ AAAA? bromgr.....cornell.edu. (47) 12:10:02.993899 IP 10.x.x.40.44386 > my.qry.DNS.svr.domain: 54161+ A? bro03.....cornell.edu. (46) 12:10:02.993918 IP 10.x.x.40.44386 > my.qry.DNS.svr.domain: 4623+ AAAA? bro03.....cornell.edu. (46) 12:10:02.994881 IP 10.x.x.40.47377 > my.qry.DNS.svr.domain: 7255+ A? bro03.....cornell.edu. (46) 12:10:02.994895 IP 10.x.x.40.47377 > my.qry.DNS.svr.domain: 36761+ AAAA? bro03.....cornell.edu. (46) 12:10:02.999041 IP 10.x.x.50.36057 > my.qry.DNS.svr.domain: 46592+ PTR? 40.x.x.10.in-addr.arpa. (43) 12:10:02.999777 IP 10.x.x.50.39059 > my.qry.DNS.svr.domain: 64754+ PTR? 40.x.x.10.in-addr.arpa. (43) 12:10:03.000277 IP 10.x.x.50.57834 > my.qry.DNS.svr.domain: 16588+ A? bromgr.....cornell.edu. (47) 12:10:03.001004 IP 10.x.x.50.49289 > my.qry.DNS.svr.domain: 51135+ A? bromgr.....cornell.edu. (47) 12:10:03.045984 IP 10.x.x.50.58808 > my.qry.DNS.svr.domain: 47880+ PTR? 40.x.x.10.in-addr.arpa. (43) 12:10:03.046001 IP 10.x.x.50.50640 > my.qry.DNS.svr.domain: 36348+ PTR? 40.x.x.10.in-addr.arpa. (43) 12:10:03.046720 IP 10.x.x.50.59480 > my.qry.DNS.svr.domain: 17434+ A? bromgr.....cornell.edu. (47) 12:10:03.046969 IP 10.x.x.50.46451 > my.qry.DNS.svr.domain: 36173+ A? 
bromgr.....cornell.edu. (47) 12:10:03.047958 IP 10.x.x.40.56450 > my.qry.DNS.svr.domain: 18444+ PTR? 50.x.x.10.in-addr.arpa. (43) 12:10:03.048217 IP 10.x.x.40.57335 > my.qry.DNS.svr.domain: 36020+ PTR? 50.x.x.10.in-addr.arpa. (43) 12:10:03.048694 IP 10.x.x.40.41441 > my.qry.DNS.svr.domain: 14873+ A? bro03.....cornell.edu. (46) 12:10:03.048967 IP 10.x.x.40.60020 > my.qry.DNS.svr.domain: 9191+ A? bro03.....cornell.edu. (46) 12:10:03.049930 IP 10.x.x.40.53496 > my.qry.DNS.svr.domain: 44726+ A? bro03.....cornell.edu. (46) 12:10:03.049946 IP 10.x.x.40.53496 > my.qry.DNS.svr.domain: 28047+ AAAA? bro03.....cornell.edu. (46) 12:10:03.049953 IP 10.x.x.40.55081 > my.qry.DNS.svr.domain: 52676+ A? bro03.....cornell.edu. (46) 12:10:03.049961 IP 10.x.x.40.55081 > my.qry.DNS.svr.domain: 5245+ AAAA? bro03.....cornell.edu. (46) 12:10:03.050671 IP 10.x.x.40.47253 > my.qry.DNS.svr.domain: 18627+ PTR? 50.x.x.10.in-addr.arpa. (43) 12:10:03.050689 IP 10.x.x.40.45058 > my.qry.DNS.svr.domain: 35529+ PTR? 50.x.x.10.in-addr.arpa. (43) 12:10:03.051909 IP 10.x.x.40.37153 > my.qry.DNS.svr.domain: 5063+ A? bro03.....cornell.edu. (46) 12:10:03.051930 IP 10.x.x.40.37153 > my.qry.DNS.svr.domain: 58069+ AAAA? bro03.....cornell.edu. (46) 12:10:03.052138 IP 10.x.x.40.45027 > my.qry.DNS.svr.domain: 35180+ A? bro03.....cornell.edu. (46) 12:10:03.052152 IP 10.x.x.40.45027 > my.qry.DNS.svr.domain: 38941+ AAAA? bro03.....cornell.edu. (46) 12:10:03.052876 IP 10.x.x.40.49297 > my.qry.DNS.svr.domain: 13737+ PTR? 50.x.x.10.in-addr.arpa. (43) 12:10:03.053122 IP 10.x.x.40.60001 > my.qry.DNS.svr.domain: 7860+ PTR? 50.x.x.10.in-addr.arpa. (43) 12:10:03.054121 IP 10.x.x.40.40959 > my.qry.DNS.svr.domain: 39982+ A? bro03.....cornell.edu. (46) 12:10:03.054143 IP 10.x.x.40.40959 > my.qry.DNS.svr.domain: 12223+ AAAA? bro03.....cornell.edu. (46) 12:10:03.054591 IP 10.x.x.40.38300 > my.qry.DNS.svr.domain: 37940+ A? bro03.....cornell.edu. (46) 12:10:03.054606 IP 10.x.x.40.38300 > my.qry.DNS.svr.domain: 63165+ AAAA? 
bro03.....cornell.edu. (46)
12:10:03.054837 IP 10.x.x.40.48781 > my.qry.DNS.svr.domain: 1747+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:03.055333 IP 10.x.x.40.58024 > my.qry.DNS.svr.domain: 11436+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:03.056319 IP 10.x.x.40.40032 > my.qry.DNS.svr.domain: 58384+ A? bro03.....cornell.edu. (46)
12:10:03.056346 IP 10.x.x.40.40032 > my.qry.DNS.svr.domain: 23129+ AAAA? bro03.....cornell.edu. (46)
12:10:03.056572 IP 10.x.x.40.37300 > my.qry.DNS.svr.domain: 22099+ A? bro03.....cornell.edu. (46)
12:10:03.056588 IP 10.x.x.40.37300 > my.qry.DNS.svr.domain: 57349+ AAAA? bro03.....cornell.edu. (46)
12:10:03.057301 IP 10.x.x.40.39848 > my.qry.DNS.svr.domain: 4174+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:03.057317 IP 10.x.x.40.53229 > my.qry.DNS.svr.domain: 10053+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:03.061475 IP 10.x.x.50.49126 > my.qry.DNS.svr.domain: 35310+ A? bromgr.....cornell.edu. (47)
12:10:03.061490 IP 10.x.x.50.49126 > my.qry.DNS.svr.domain: 16594+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.061496 IP 10.x.x.50.42422 > my.qry.DNS.svr.domain: 64545+ A? bromgr.....cornell.edu. (47)
12:10:03.061501 IP 10.x.x.50.42422 > my.qry.DNS.svr.domain: 16645+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.063198 IP 10.x.x.50.52495 > my.qry.DNS.svr.domain: 383+ A? bromgr.....cornell.edu. (47)
12:10:03.063211 IP 10.x.x.50.41627 > my.qry.DNS.svr.domain: 8588+ A? bromgr.....cornell.edu. (47)
12:10:03.063217 IP 10.x.x.50.52495 > my.qry.DNS.svr.domain: 54069+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.063222 IP 10.x.x.50.41627 > my.qry.DNS.svr.domain: 57884+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.064171 IP 10.x.x.50.45425 > my.qry.DNS.svr.domain: 42980+ A? bromgr.....cornell.edu. (47)
12:10:03.064185 IP 10.x.x.50.45425 > my.qry.DNS.svr.domain: 36790+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.064668 IP 10.x.x.50.48177 > my.qry.DNS.svr.domain: 344+ A? bromgr.....cornell.edu. (47)
12:10:03.064680 IP 10.x.x.50.48177 > my.qry.DNS.svr.domain: 12163+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.065645 IP 10.x.x.50.33817 > my.qry.DNS.svr.domain: 11540+ A? bromgr.....cornell.edu. (47)
12:10:03.065658 IP 10.x.x.50.33817 > my.qry.DNS.svr.domain: 12682+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.066150 IP 10.x.x.50.53850 > my.qry.DNS.svr.domain: 10940+ A? bromgr.....cornell.edu. (47)
12:10:03.066165 IP 10.x.x.50.53850 > my.qry.DNS.svr.domain: 15128+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.066877 IP 10.x.x.50.35645 > my.qry.DNS.svr.domain: 12184+ A? bromgr.....cornell.edu. (47)
12:10:03.066893 IP 10.x.x.50.35645 > my.qry.DNS.svr.domain: 26752+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.067378 IP 10.x.x.50.56428 > my.qry.DNS.svr.domain: 17711+ A? bromgr.....cornell.edu. (47)
12:10:03.067395 IP 10.x.x.50.56428 > my.qry.DNS.svr.domain: 11494+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.067610 IP 10.x.x.50.45448 > my.qry.DNS.svr.domain: 46242+ A? bromgr.....cornell.edu. (47)
12:10:03.067626 IP 10.x.x.50.45448 > my.qry.DNS.svr.domain: 37838+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.068107 IP 10.x.x.50.58028 > my.qry.DNS.svr.domain: 34813+ A? bromgr.....cornell.edu. (47)
12:10:03.068128 IP 10.x.x.50.58028 > my.qry.DNS.svr.domain: 46623+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.071060 IP 10.x.x.50.45367 > my.qry.DNS.svr.domain: 51371+ A? bromgr.....cornell.edu. (47)
12:10:03.071076 IP 10.x.x.50.45367 > my.qry.DNS.svr.domain: 1092+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.071788 IP 10.x.x.50.47619 > my.qry.DNS.svr.domain: 30340+ A? bromgr.....cornell.edu. (47)
12:10:03.071802 IP 10.x.x.50.47619 > my.qry.DNS.svr.domain: 42188+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.073031 IP 10.x.x.50.55151 > my.qry.DNS.svr.domain: 2202+ A? bromgr.....cornell.edu. (47)
12:10:03.073048 IP 10.x.x.50.55151 > my.qry.DNS.svr.domain: 4210+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.073770 IP 10.x.x.50.37366 > my.qry.DNS.svr.domain: 45948+ A? bromgr.....cornell.edu. (47)
12:10:03.073785 IP 10.x.x.50.37366 > my.qry.DNS.svr.domain: 52622+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.076714 IP 10.x.x.40.46934 > my.qry.DNS.svr.domain: 50977+ A? bro03.....cornell.edu. (46)
12:10:03.076734 IP 10.x.x.40.46934 > my.qry.DNS.svr.domain: 12347+ AAAA? bro03.....cornell.edu. (46)
12:10:03.079416 IP 10.x.x.40.43970 > my.qry.DNS.svr.domain: 11244+ A? bro03.....cornell.edu. (46)
12:10:03.079436 IP 10.x.x.40.43970 > my.qry.DNS.svr.domain: 16336+ AAAA? bro03.....cornell.edu. (46)
12:10:03.081873 IP 10.x.x.50.44682 > my.qry.DNS.svr.domain: 3981+ PTR? 40.x.x.10.in-addr.arpa. (43)
12:10:03.082836 IP 10.x.x.50.49434 > my.qry.DNS.svr.domain: 57599+ A? bromgr.....cornell.edu. (47)
12:10:03.084593 IP 10.x.x.50.46498 > my.qry.DNS.svr.domain: 41186+ PTR? 40.x.x.10.in-addr.arpa. (43)
12:10:03.085558 IP 10.x.x.50.51400 > my.qry.DNS.svr.domain: 19050+ A? bromgr.....cornell.edu. (47)
12:10:03.128073 IP 10.x.x.50.40127 > my.qry.DNS.svr.domain: 26139+ PTR? 40.x.x.10.in-addr.arpa. (43)
12:10:03.129312 IP 10.x.x.50.34665 > my.qry.DNS.svr.domain: 50337+ A? bromgr.....cornell.edu. (47)
12:10:03.130782 IP 10.x.x.40.40347 > my.qry.DNS.svr.domain: 11568+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:03.131008 IP 10.x.x.50.56577 > my.qry.DNS.svr.domain: 58851+ PTR? 40.x.x.10.in-addr.arpa. (43)
12:10:03.131524 IP 10.x.x.40.44650 > my.qry.DNS.svr.domain: 23035+ A? bro03.....cornell.edu. (46)
12:10:03.132001 IP 10.x.x.50.56035 > my.qry.DNS.svr.domain: 50670+ A? bromgr.....cornell.edu. (47)
12:10:03.132506 IP 10.x.x.40.48554 > my.qry.DNS.svr.domain: 43574+ A? bro03.....cornell.edu. (46)
12:10:03.132520 IP 10.x.x.40.48554 > my.qry.DNS.svr.domain: 63356+ AAAA? bro03.....cornell.edu. (46)
12:10:03.132992 IP 10.x.x.40.33790 > my.qry.DNS.svr.domain: 26624+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:03.133265 IP 10.x.x.40.43594 > my.qry.DNS.svr.domain: 4303+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:03.133994 IP 10.x.x.40.49666 > my.qry.DNS.svr.domain: 34384+ A? bro03.....cornell.edu. (46)
12:10:03.134734 IP 10.x.x.40.46450 > my.qry.DNS.svr.domain: 41649+ A? bro03.....cornell.edu. (46)
12:10:03.134743 IP 10.x.x.40.46450 > my.qry.DNS.svr.domain: 27804+ AAAA? bro03.....cornell.edu. (46)
12:10:03.134968 IP 10.x.x.40.48854 > my.qry.DNS.svr.domain: 52278+ A? bro03.....cornell.edu. (46)
12:10:03.134991 IP 10.x.x.40.48854 > my.qry.DNS.svr.domain: 24101+ AAAA? bro03.....cornell.edu. (46)
12:10:03.135446 IP 10.x.x.40.46214 > my.qry.DNS.svr.domain: 57038+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:03.135941 IP 10.x.x.40.38062 > my.qry.DNS.svr.domain: 19580+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:03.136926 IP 10.x.x.40.55694 > my.qry.DNS.svr.domain: 64095+ A? bro03.....cornell.edu. (46)
12:10:03.136941 IP 10.x.x.40.55694 > my.qry.DNS.svr.domain: 55037+ AAAA? bro03.....cornell.edu. (46)
12:10:03.137177 IP 10.x.x.40.50350 > my.qry.DNS.svr.domain: 11337+ A? bro03.....cornell.edu. (46)
12:10:03.137193 IP 10.x.x.40.50350 > my.qry.DNS.svr.domain: 22559+ AAAA? bro03.....cornell.edu. (46)
12:10:03.137675 IP 10.x.x.40.60161 > my.qry.DNS.svr.domain: 24146+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:03.138154 IP 10.x.x.40.37527 > my.qry.DNS.svr.domain: 63704+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:03.138669 IP 10.x.x.40.33904 > my.qry.DNS.svr.domain: 58770+ A? bro03.....cornell.edu. (46)
12:10:03.138695 IP 10.x.x.40.33904 > my.qry.DNS.svr.domain: 46302+ AAAA? bro03.....cornell.edu. (46)
12:10:03.139148 IP 10.x.x.40.44104 > my.qry.DNS.svr.domain: 47915+ A? bro03.....cornell.edu. (46)
12:10:03.139172 IP 10.x.x.40.44104 > my.qry.DNS.svr.domain: 28295+ AAAA? bro03.....cornell.edu. (46)
12:10:03.139387 IP 10.x.x.40.57822 > my.qry.DNS.svr.domain: 34714+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:03.139878 IP 10.x.x.40.39452 > my.qry.DNS.svr.domain: 38237+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:03.141106 IP 10.x.x.40.51046 > my.qry.DNS.svr.domain: 8202+ A? bro03.....cornell.edu. (46)
12:10:03.141132 IP 10.x.x.40.51046 > my.qry.DNS.svr.domain: 35777+ AAAA? bro03.....cornell.edu. (46)
12:10:03.142100 IP 10.x.x.40.37636 > my.qry.DNS.svr.domain: 22267+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:03.144295 IP 10.x.x.50.57999 > my.qry.DNS.svr.domain: 21386+ A? bromgr.....cornell.edu. (47)
12:10:03.144307 IP 10.x.x.50.57999 > my.qry.DNS.svr.domain: 41092+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.146258 IP 10.x.x.50.38543 > my.qry.DNS.svr.domain: 57480+ A? bromgr.....cornell.edu. (47)
12:10:03.146271 IP 10.x.x.50.38543 > my.qry.DNS.svr.domain: 13463+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.146514 IP 10.x.x.50.48013 > my.qry.DNS.svr.domain: 4935+ A? bromgr.....cornell.edu. (47)
12:10:03.146528 IP 10.x.x.50.48013 > my.qry.DNS.svr.domain: 49321+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.147490 IP 10.x.x.50.48061 > my.qry.DNS.svr.domain: 33219+ A? bromgr.....cornell.edu. (47)
12:10:03.147506 IP 10.x.x.50.48061 > my.qry.DNS.svr.domain: 55801+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.148003 IP 10.x.x.50.53343 > my.qry.DNS.svr.domain: 65020+ A? bromgr.....cornell.edu. (47)
12:10:03.148018 IP 10.x.x.50.53343 > my.qry.DNS.svr.domain: 61017+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.148957 IP 10.x.x.50.55172 > my.qry.DNS.svr.domain: 53150+ A? bromgr.....cornell.edu. (47)
12:10:03.148969 IP 10.x.x.50.55172 > my.qry.DNS.svr.domain: 52717+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.149209 IP 10.x.x.50.32964 > my.qry.DNS.svr.domain: 58823+ A? bromgr.....cornell.edu. (47)
12:10:03.149220 IP 10.x.x.50.32964 > my.qry.DNS.svr.domain: 4281+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.150440 IP 10.x.x.50.55089 > my.qry.DNS.svr.domain: 24269+ A? bromgr.....cornell.edu. (47)
12:10:03.150462 IP 10.x.x.50.55089 > my.qry.DNS.svr.domain: 24513+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.150703 IP 10.x.x.50.56674 > my.qry.DNS.svr.domain: 64200+ A? bromgr.....cornell.edu. (47)
12:10:03.150716 IP 10.x.x.50.56674 > my.qry.DNS.svr.domain: 7331+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.151658 IP 10.x.x.50.49414 > my.qry.DNS.svr.domain: 38654+ A? bromgr.....cornell.edu. (47)
12:10:03.151670 IP 10.x.x.50.49414 > my.qry.DNS.svr.domain: 20068+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.151913 IP 10.x.x.50.51173 > my.qry.DNS.svr.domain: 38505+ A? bromgr.....cornell.edu. (47)
12:10:03.151925 IP 10.x.x.50.51173 > my.qry.DNS.svr.domain: 47853+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.152667 IP 10.x.x.50.42366 > my.qry.DNS.svr.domain: 35083+ A? bromgr.....cornell.edu. (47)
12:10:03.152679 IP 10.x.x.50.42366 > my.qry.DNS.svr.domain: 25905+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.155597 IP 10.x.x.50.51509 > my.qry.DNS.svr.domain: 28816+ A? bromgr.....cornell.edu. (47)
12:10:03.155614 IP 10.x.x.50.51509 > my.qry.DNS.svr.domain: 6392+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.156568 IP 10.x.x.50.60832 > my.qry.DNS.svr.domain: 19893+ A? bromgr.....cornell.edu. (47)
12:10:03.156580 IP 10.x.x.50.60832 > my.qry.DNS.svr.domain: 12157+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.157561 IP 10.x.x.50.39128 > my.qry.DNS.svr.domain: 46756+ A? bromgr.....cornell.edu. (47)
12:10:03.157574 IP 10.x.x.50.39128 > my.qry.DNS.svr.domain: 6871+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.158543 IP 10.x.x.50.55170 > my.qry.DNS.svr.domain: 43329+ A? bromgr.....cornell.edu. (47)
12:10:03.158553 IP 10.x.x.50.55170 > my.qry.DNS.svr.domain: 51126+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.161491 IP 10.x.x.40.43002 > my.qry.DNS.svr.domain: 6743+ A? bro03.....cornell.edu. (46)
12:10:03.161508 IP 10.x.x.40.43002 > my.qry.DNS.svr.domain: 8346+ AAAA? bro03.....cornell.edu. (46)
12:10:03.162508 IP 10.x.x.40.57574 > my.qry.DNS.svr.domain: 10251+ A? bro03.....cornell.edu. (46)
12:10:03.162528 IP 10.x.x.40.57574 > my.qry.DNS.svr.domain: 59136+ AAAA? bro03.....cornell.edu. (46)
12:10:03.166653 IP 10.x.x.50.58455 > my.qry.DNS.svr.domain: 60615+ PTR? 40.x.x.10.in-addr.arpa. (43)
12:10:03.167166 IP 10.x.x.50.51498 > my.qry.DNS.svr.domain: 64442+ PTR? 40.x.x.10.in-addr.arpa. (43)
12:10:03.167626 IP 10.x.x.50.42336 > my.qry.DNS.svr.domain: 41041+ A? bromgr.....cornell.edu. (47)
12:10:03.167886 IP 10.x.x.50.60343 > my.qry.DNS.svr.domain: 41447+ A? bromgr.....cornell.edu. (47)
12:10:03.212854 IP 10.x.x.50.39545 > my.qry.DNS.svr.domain: 62584+ PTR? 40.x.x.10.in-addr.arpa. (43)
12:10:03.213096 IP 10.x.x.50.53761 > my.qry.DNS.svr.domain: 44684+ PTR? 40.x.x.10.in-addr.arpa. (43)
12:10:03.213834 IP 10.x.x.50.43898 > my.qry.DNS.svr.domain: 9528+ A? bromgr.....cornell.edu. (47)
12:10:03.213854 IP 10.x.x.50.54654 > my.qry.DNS.svr.domain: 31195+ A? bromgr.....cornell.edu. (47)
12:10:03.215074 IP 10.x.x.40.60747 > my.qry.DNS.svr.domain: 56464+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:03.215349 IP 10.x.x.40.56433 > my.qry.DNS.svr.domain: 43771+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:03.215821 IP 10.x.x.40.37422 > my.qry.DNS.svr.domain: 2648+ A? bro03.....cornell.edu. (46)
12:10:03.216054 IP 10.x.x.40.41773 > my.qry.DNS.svr.domain: 3135+ A? bro03.....cornell.edu. (46)
12:10:03.217060 IP 10.x.x.40.34479 > my.qry.DNS.svr.domain: 51139+ A? bro03.....cornell.edu. (46)
12:10:03.217078 IP 10.x.x.40.57195 > my.qry.DNS.svr.domain: 31784+ A? bro03.....cornell.edu. (46)
12:10:03.217084 IP 10.x.x.40.34479 > my.qry.DNS.svr.domain: 16979+ AAAA? bro03.....cornell.edu. (46)
12:10:03.217089 IP 10.x.x.40.57195 > my.qry.DNS.svr.domain: 41473+ AAAA? bro03.....cornell.edu. (46)
12:10:03.217790 IP 10.x.x.40.44428 > my.qry.DNS.svr.domain: 23005+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:03.217808 IP 10.x.x.40.38566 > my.qry.DNS.svr.domain: 16557+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:03.219016 IP 10.x.x.40.37878 > my.qry.DNS.svr.domain: 56492+ A? bro03.....cornell.edu. (46)
12:10:03.219038 IP 10.x.x.40.37878 > my.qry.DNS.svr.domain: 9400+ AAAA? bro03.....cornell.edu. (46)
12:10:03.219530 IP 10.x.x.40.40764 > my.qry.DNS.svr.domain: 16316+ A? bro03.....cornell.edu. (46)
12:10:03.219551 IP 10.x.x.40.40764 > my.qry.DNS.svr.domain: 11686+ AAAA? bro03.....cornell.edu. (46)
12:10:03.219743 IP 10.x.x.40.35477 > my.qry.DNS.svr.domain: 13351+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:03.220486 IP 10.x.x.40.34885 > my.qry.DNS.svr.domain: 12039+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:03.220729 IP 10.x.x.40.53283 > my.qry.DNS.svr.domain: 43152+ A? bro03.....cornell.edu. (46)
12:10:03.220745 IP 10.x.x.40.53283 > my.qry.DNS.svr.domain: 1027+ AAAA? bro03.....cornell.edu. (46)
12:10:03.221467 IP 10.x.x.40.36425 > my.qry.DNS.svr.domain: 12444+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:03.221724 IP 10.x.x.40.41336 > my.qry.DNS.svr.domain: 25468+ A? bro03.....cornell.edu. (46)
12:10:03.221741 IP 10.x.x.40.41336 > my.qry.DNS.svr.domain: 2044+ AAAA? bro03.....cornell.edu. (46)
12:10:03.222471 IP 10.x.x.40.39945 > my.qry.DNS.svr.domain: 39729+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:03.222702 IP 10.x.x.40.45590 > my.qry.DNS.svr.domain: 1167+ A? bro03.....cornell.edu. (46)
12:10:03.222717 IP 10.x.x.40.45590 > my.qry.DNS.svr.domain: 7307+ AAAA? bro03.....cornell.edu. (46)
12:10:03.223687 IP 10.x.x.40.59467 > my.qry.DNS.svr.domain: 32600+ A? bro03.....cornell.edu. (46)
12:10:03.223706 IP 10.x.x.40.37112 > my.qry.DNS.svr.domain: 49360+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:03.223719 IP 10.x.x.40.59467 > my.qry.DNS.svr.domain: 1928+ AAAA? bro03.....cornell.edu. (46)
12:10:03.224413 IP 10.x.x.40.57222 > my.qry.DNS.svr.domain: 2885+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:03.229600 IP 10.x.x.50.40883 > my.qry.DNS.svr.domain: 42850+ A? bromgr.....cornell.edu. (47)
12:10:03.229624 IP 10.x.x.50.40883 > my.qry.DNS.svr.domain: 7163+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.230097 IP 10.x.x.50.55333 > my.qry.DNS.svr.domain: 26640+ A? bromgr.....cornell.edu. (47)
12:10:03.230122 IP 10.x.x.50.55333 > my.qry.DNS.svr.domain: 45553+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.231299 IP 10.x.x.50.41959 > my.qry.DNS.svr.domain: 42933+ A? bromgr.....cornell.edu. (47)
12:10:03.231317 IP 10.x.x.50.41959 > my.qry.DNS.svr.domain: 45946+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.231803 IP 10.x.x.50.43181 > my.qry.DNS.svr.domain: 47678+ A? bromgr.....cornell.edu. (47)
12:10:03.231819 IP 10.x.x.50.43181 > my.qry.DNS.svr.domain: 30613+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.232519 IP 10.x.x.50.37106 > my.qry.DNS.svr.domain: 25790+ A? bromgr.....cornell.edu. (47)
12:10:03.232534 IP 10.x.x.50.37106 > my.qry.DNS.svr.domain: 39947+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.232769 IP 10.x.x.50.32875 > my.qry.DNS.svr.domain: 56858+ A? bromgr.....cornell.edu. (47)
12:10:03.232791 IP 10.x.x.50.32875 > my.qry.DNS.svr.domain: 12202+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.234253 IP 10.x.x.50.52605 > my.qry.DNS.svr.domain: 1755+ A? bromgr.....cornell.edu. (47)
12:10:03.234272 IP 10.x.x.50.52605 > my.qry.DNS.svr.domain: 34084+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.234535 IP 10.x.x.50.56825 > my.qry.DNS.svr.domain: 7371+ A? bromgr.....cornell.edu. (47)
12:10:03.234551 IP 10.x.x.50.56825 > my.qry.DNS.svr.domain: 27054+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.235467 IP 10.x.x.50.52032 > my.qry.DNS.svr.domain: 18091+ A? bromgr.....cornell.edu. (47)
12:10:03.235483 IP 10.x.x.50.52032 > my.qry.DNS.svr.domain: 54964+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.235755 IP 10.x.x.50.47179 > my.qry.DNS.svr.domain: 29727+ A? bromgr.....cornell.edu. (47)
12:10:03.235769 IP 10.x.x.50.47179 > my.qry.DNS.svr.domain: 30013+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.236451 IP 10.x.x.50.55457 > my.qry.DNS.svr.domain: 15134+ A? bromgr.....cornell.edu. (47)
12:10:03.236467 IP 10.x.x.50.55457 > my.qry.DNS.svr.domain: 60817+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.236700 IP 10.x.x.50.46248 > my.qry.DNS.svr.domain: 54852+ A? bromgr.....cornell.edu. (47)
12:10:03.236718 IP 10.x.x.50.46248 > my.qry.DNS.svr.domain: 8279+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.239638 IP 10.x.x.50.36368 > my.qry.DNS.svr.domain: 63603+ A? bromgr.....cornell.edu. (47)
12:10:03.239653 IP 10.x.x.50.36368 > my.qry.DNS.svr.domain: 59489+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.240635 IP 10.x.x.50.40214 > my.qry.DNS.svr.domain: 35819+ A? bromgr.....cornell.edu. (47)
12:10:03.240656 IP 10.x.x.50.40214 > my.qry.DNS.svr.domain: 16255+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.241870 IP 10.x.x.50.54314 > my.qry.DNS.svr.domain: 11939+ A? bromgr.....cornell.edu. (47)
12:10:03.241886 IP 10.x.x.50.54314 > my.qry.DNS.svr.domain: 40401+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.242603 IP 10.x.x.50.34868 > my.qry.DNS.svr.domain: 64894+ A? bromgr.....cornell.edu. (47)
12:10:03.242631 IP 10.x.x.50.34868 > my.qry.DNS.svr.domain: 20531+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.245572 IP 10.x.x.40.55455 > my.qry.DNS.svr.domain: 53525+ A? bro03.....cornell.edu. (46)
12:10:03.245588 IP 10.x.x.40.55455 > my.qry.DNS.svr.domain: 3097+ AAAA? bro03.....cornell.edu. (46)
12:10:03.246536 IP 10.x.x.40.57152 > my.qry.DNS.svr.domain: 37906+ A? bro03.....cornell.edu. (46)
12:10:03.246556 IP 10.x.x.40.57152 > my.qry.DNS.svr.domain: 48400+ AAAA? bro03.....cornell.edu. (46)
12:10:03.250706 IP 10.x.x.50.47368 > my.qry.DNS.svr.domain: 27164+ PTR? 40.x.x.10.in-addr.arpa. (43)
12:10:03.251478 IP 10.x.x.50.47208 > my.qry.DNS.svr.domain: 8286+ PTR? 40.x.x.10.in-addr.arpa. (43)
12:10:03.251690 IP 10.x.x.50.57079 > my.qry.DNS.svr.domain: 12241+ A? bromgr.....cornell.edu. (47)
12:10:03.252198 IP 10.x.x.50.34438 > my.qry.DNS.svr.domain: 17678+ A? bromgr.....cornell.edu. (47)
12:10:03.297400 IP 10.x.x.50.53420 > my.qry.DNS.svr.domain: 4865+ PTR? 40.x.x.10.in-addr.arpa. (43)
12:10:03.297890 IP 10.x.x.50.39363 > my.qry.DNS.svr.domain: 36671+ PTR? 40.x.x.10.in-addr.arpa. (43)
12:10:03.298632 IP 10.x.x.50.52138 > my.qry.DNS.svr.domain: 36218+ A? bromgr.....cornell.edu. (47)
12:10:03.298882 IP 10.x.x.50.32821 > my.qry.DNS.svr.domain: 5894+ A? bromgr.....cornell.edu. (47)
12:10:03.299862 IP 10.x.x.40.32829 > my.qry.DNS.svr.domain: 55980+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:03.299879 IP 10.x.x.40.52558 > my.qry.DNS.svr.domain: 41575+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:03.300610 IP 10.x.x.40.40812 > my.qry.DNS.svr.domain: 63923+ A? bro03.....cornell.edu. (46)
12:10:03.301093 IP 10.x.x.40.52731 > my.qry.DNS.svr.domain: 13768+ A? bro03.....cornell.edu. (46)
12:10:03.301588 IP 10.x.x.40.47389 > my.qry.DNS.svr.domain: 37167+ A? bro03.....cornell.edu. (46)
12:10:03.301603 IP 10.x.x.40.47389 > my.qry.DNS.svr.domain: 13750+ AAAA? bro03.....cornell.edu. (46)
12:10:03.302094 IP 10.x.x.40.53243 > my.qry.DNS.svr.domain: 12665+ A? bro03.....cornell.edu. (46)
12:10:03.302109 IP 10.x.x.40.53243 > my.qry.DNS.svr.domain: 63794+ AAAA? bro03.....cornell.edu. (46)
12:10:03.302315 IP 10.x.x.40.37758 > my.qry.DNS.svr.domain: 40318+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:03.302815 IP 10.x.x.40.41578 > my.qry.DNS.svr.domain: 15705+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:03.303325 IP 10.x.x.40.48092 > my.qry.DNS.svr.domain: 61841+ A? bro03.....cornell.edu. (46)
12:10:03.303344 IP 10.x.x.40.48092 > my.qry.DNS.svr.domain: 56749+ AAAA? bro03.....cornell.edu. (46)
12:10:03.304055 IP 10.x.x.40.60055 > my.qry.DNS.svr.domain: 56653+ A? bro03.....cornell.edu. (46)
12:10:03.304078 IP 10.x.x.40.60055 > my.qry.DNS.svr.domain: 11595+ AAAA? bro03.....cornell.edu. (46)
12:10:03.304288 IP 10.x.x.40.54717 > my.qry.DNS.svr.domain: 6483+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:03.304792 IP 10.x.x.40.56773 > my.qry.DNS.svr.domain: 24933+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:03.305294 IP 10.x.x.40.37403 > my.qry.DNS.svr.domain: 52495+ A? bro03.....cornell.edu. (46)
12:10:03.305310 IP 10.x.x.40.37403 > my.qry.DNS.svr.domain: 31188+ AAAA? bro03.....cornell.edu. (46)
12:10:03.306009 IP 10.x.x.40.59207 > my.qry.DNS.svr.domain: 41425+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:03.306022 IP 10.x.x.40.47444 > my.qry.DNS.svr.domain: 8515+ A? bro03.....cornell.edu. (46)
12:10:03.306028 IP 10.x.x.40.47444 > my.qry.DNS.svr.domain: 1321+ AAAA? bro03.....cornell.edu. (46)
12:10:03.307015 IP 10.x.x.40.54268 > my.qry.DNS.svr.domain: 43492+ A? bro03.....cornell.edu. (46)
12:10:03.307031 IP 10.x.x.40.54268 > my.qry.DNS.svr.domain: 37375+ AAAA? bro03.....cornell.edu. (46)
12:10:03.307241 IP 10.x.x.40.59880 > my.qry.DNS.svr.domain: 24992+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:03.307742 IP 10.x.x.40.55771 > my.qry.DNS.svr.domain: 7593+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:03.308472 IP 10.x.x.40.46247 > my.qry.DNS.svr.domain: 60723+ A? bro03.....cornell.edu. (46)
12:10:03.308489 IP 10.x.x.40.46247 > my.qry.DNS.svr.domain: 21967+ AAAA? bro03.....cornell.edu. (46)
12:10:03.309214 IP 10.x.x.40.46436 > my.qry.DNS.svr.domain: 40468+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:03.312892 IP 10.x.x.50.39464 > my.qry.DNS.svr.domain: 22339+ A? bromgr.....cornell.edu. (47)
12:10:03.312912 IP 10.x.x.50.39464 > my.qry.DNS.svr.domain: 56208+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.314117 IP 10.x.x.50.52054 > my.qry.DNS.svr.domain: 45102+ A? bromgr.....cornell.edu. (47)
12:10:03.314135 IP 10.x.x.50.52054 > my.qry.DNS.svr.domain: 37613+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.314614 IP 10.x.x.50.59119 > my.qry.DNS.svr.domain: 31572+ A? bromgr.....cornell.edu. (47)
12:10:03.314629 IP 10.x.x.50.59119 > my.qry.DNS.svr.domain: 53535+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.315587 IP 10.x.x.50.45962 > my.qry.DNS.svr.domain: 62262+ A? bromgr.....cornell.edu. (47)
12:10:03.315601 IP 10.x.x.50.45962 > my.qry.DNS.svr.domain: 34697+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.316092 IP 10.x.x.50.55523 > my.qry.DNS.svr.domain: 52717+ A? bromgr.....cornell.edu. (47)
12:10:03.316108 IP 10.x.x.50.55523 > my.qry.DNS.svr.domain: 25540+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.316575 IP 10.x.x.50.55124 > my.qry.DNS.svr.domain: 47797+ A? bromgr.....cornell.edu. (47)
12:10:03.316590 IP 10.x.x.50.55124 > my.qry.DNS.svr.domain: 60393+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.317803 IP 10.x.x.50.59405 > my.qry.DNS.svr.domain: 31570+ A? bromgr.....cornell.edu. (47)
12:10:03.317816 IP 10.x.x.50.59405 > my.qry.DNS.svr.domain: 57349+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.318045 IP 10.x.x.50.37015 > my.qry.DNS.svr.domain: 13827+ A? bromgr.....cornell.edu. (47)
12:10:03.318057 IP 10.x.x.50.37015 > my.qry.DNS.svr.domain: 27700+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.319025 IP 10.x.x.50.32817 > my.qry.DNS.svr.domain: 19076+ A? bromgr.....cornell.edu. (47)
12:10:03.319044 IP 10.x.x.50.32817 > my.qry.DNS.svr.domain: 12621+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.319274 IP 10.x.x.50.60555 > my.qry.DNS.svr.domain: 59847+ A? bromgr.....cornell.edu. (47)
12:10:03.319291 IP 10.x.x.50.60555 > my.qry.DNS.svr.domain: 33966+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.320259 IP 10.x.x.50.40658 > my.qry.DNS.svr.domain: 31921+ A? bromgr.....cornell.edu. (47)
12:10:03.320277 IP 10.x.x.50.45886 > my.qry.DNS.svr.domain: 9448+ A? bromgr.....cornell.edu. (47)
12:10:03.320286 IP 10.x.x.50.40658 > my.qry.DNS.svr.domain: 17087+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.320294 IP 10.x.x.50.45886 > my.qry.DNS.svr.domain: 10123+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.323700 IP 10.x.x.50.35371 > my.qry.DNS.svr.domain: 22798+ A? bromgr.....cornell.edu. (47)
12:10:03.323721 IP 10.x.x.50.35371 > my.qry.DNS.svr.domain: 46696+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.324679 IP 10.x.x.50.36330 > my.qry.DNS.svr.domain: 539+ A? bromgr.....cornell.edu. (47)
12:10:03.324695 IP 10.x.x.50.36330 > my.qry.DNS.svr.domain: 45271+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.325666 IP 10.x.x.50.58418 > my.qry.DNS.svr.domain: 567+ A? bromgr.....cornell.edu. (47)
12:10:03.325684 IP 10.x.x.50.58418 > my.qry.DNS.svr.domain: 11424+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.326411 IP 10.x.x.50.34162 > my.qry.DNS.svr.domain: 46817+ A? bromgr.....cornell.edu. (47)
12:10:03.326424 IP 10.x.x.50.34162 > my.qry.DNS.svr.domain: 15402+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.327885 IP 10.x.x.7.38325 > 132.236.56.250.domain: 16861+ PTR? 204.144.253.10.in-addr.arpa. (45)
12:10:03.328892 IP 10.x.x.7.42192 > 132.236.56.250.domain: 15757+ A? scribe.ccmr.cornell.edu. (41)
12:10:03.328898 IP 10.x.x.7.42192 > 132.236.56.250.domain: 329+ AAAA? scribe.ccmr.cornell.edu. (41)
12:10:03.329629 IP 10.x.x.40.33848 > my.qry.DNS.svr.domain: 16106+ A? bro03.....cornell.edu. (46)
12:10:03.329644 IP 10.x.x.40.33848 > my.qry.DNS.svr.domain: 51391+ AAAA? bro03.....cornell.edu. (46)
12:10:03.330111 IP 10.x.x.7.59964 > 132.236.56.250.domain: 37253+ PTR? 68.250.253.10.in-addr.arpa. (44)
12:10:03.330603 IP 10.x.x.40.44212 > my.qry.DNS.svr.domain: 59330+ A? bro03.....cornell.edu. (46)
12:10:03.330620 IP 10.x.x.40.44212 > my.qry.DNS.svr.domain: 23921+ AAAA? bro03.....cornell.edu. (46)
12:10:03.330842 IP 10.x.x.7.45345 > 132.236.56.250.domain: 44319+ A? ccsf-sharp.ccsf.cornell.edu. (45)
12:10:03.330853 IP 10.x.x.7.45345 > 132.236.56.250.domain: 42435+ AAAA? ccsf-sharp.ccsf.cornell.edu. (45)
12:10:03.334759 IP 10.x.x.50.53089 > my.qry.DNS.svr.domain: 15389+ PTR? 40.x.x.10.in-addr.arpa. (43)
12:10:03.334995 IP 10.x.x.50.41090 > my.qry.DNS.svr.domain: 5988+ PTR? 40.x.x.10.in-addr.arpa. (43)
12:10:03.335735 IP 10.x.x.50.39360 > my.qry.DNS.svr.domain: 34901+ A? bromgr.....cornell.edu. (47)
12:10:03.335981 IP 10.x.x.50.52993 > my.qry.DNS.svr.domain: 46308+ A? bromgr.....cornell.edu. (47)
12:10:03.381947 IP 10.x.x.50.33555 > my.qry.DNS.svr.domain: 262+ PTR? 40.x.x.10.in-addr.arpa. (43)
12:10:03.381971 IP 10.x.x.50.38855 > my.qry.DNS.svr.domain: 55176+ PTR? 40.x.x.10.in-addr.arpa. (43)
12:10:03.382931 IP 10.x.x.50.35498 > my.qry.DNS.svr.domain: 12454+ A? bromgr.....cornell.edu. (47)
12:10:03.382945 IP 10.x.x.50.49694 > my.qry.DNS.svr.domain: 30690+ A? bromgr.....cornell.edu. (47)
12:10:03.383919 IP 10.x.x.40.42611 > my.qry.DNS.svr.domain: 38631+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:03.384159 IP 10.x.x.40.58548 > my.qry.DNS.svr.domain: 65082+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:03.384648 IP 10.x.x.40.50801 > my.qry.DNS.svr.domain: 47626+ A? bro03.....cornell.edu. (46)
12:10:03.384904 IP 10.x.x.40.41308 > my.qry.DNS.svr.domain: 11931+ A? bro03.....cornell.edu. (46)
12:10:03.385643 IP 10.x.x.40.58328 > my.qry.DNS.svr.domain: 49896+ A? bro03.....cornell.edu. (46)
12:10:03.385657 IP 10.x.x.40.58328 > my.qry.DNS.svr.domain: 52945+ AAAA? bro03.....cornell.edu. (46)
12:10:03.385883 IP 10.x.x.40.60894 > my.qry.DNS.svr.domain: 45614+ A? bro03.....cornell.edu. (46)
12:10:03.385899 IP 10.x.x.40.60894 > my.qry.DNS.svr.domain: 27339+ AAAA? bro03.....cornell.edu. (46)
12:10:03.386370 IP 10.x.x.40.55414 > my.qry.DNS.svr.domain: 33351+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:03.386630 IP 10.x.x.40.40880 > my.qry.DNS.svr.domain: 5657+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:03.387385 IP 10.x.x.40.50842 > my.qry.DNS.svr.domain: 41364+ A? bro03.....cornell.edu. (46)
12:10:03.387405 IP 10.x.x.40.50842 > my.qry.DNS.svr.domain: 42217+ AAAA? bro03.....cornell.edu. (46)
12:10:03.388115 IP 10.x.x.40.38896 > my.qry.DNS.svr.domain: 60856+ A? bro03.....cornell.edu. (46)
12:10:03.388135 IP 10.x.x.40.38896 > my.qry.DNS.svr.domain: 28769+ AAAA? bro03.....cornell.edu. (46)
12:10:03.388145 IP 10.x.x.40.58254 > my.qry.DNS.svr.domain: 9151+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:03.388840 IP 10.x.x.40.54030 > my.qry.DNS.svr.domain: 11137+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:03.389321 IP 10.x.x.40.53651 > my.qry.DNS.svr.domain: 34400+ A? bro03.....cornell.edu. (46)
12:10:03.389339 IP 10.x.x.40.53651 > my.qry.DNS.svr.domain: 18698+ AAAA? bro03.....cornell.edu. (46)
12:10:03.389819 IP 10.x.x.40.42950 > my.qry.DNS.svr.domain: 28960+ A? bro03.....cornell.edu. (46)
12:10:03.389836 IP 10.x.x.40.42950 > my.qry.DNS.svr.domain: 62407+ AAAA? bro03.....cornell.edu. (46)
12:10:03.390060 IP 10.x.x.40.60910 > my.qry.DNS.svr.domain: 11121+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:03.390550 IP 10.x.x.40.43217 > my.qry.DNS.svr.domain: 44391+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:03.391062 IP 10.x.x.40.50065 > my.qry.DNS.svr.domain: 47425+ A? bro03.....cornell.edu. (46)
12:10:03.391083 IP 10.x.x.40.50065 > my.qry.DNS.svr.domain: 62233+ AAAA? bro03.....cornell.edu. (46)
12:10:03.391539 IP 10.x.x.40.57824 > my.qry.DNS.svr.domain: 21486+ A? bro03.....cornell.edu. (46)
12:10:03.391558 IP 10.x.x.40.57824 > my.qry.DNS.svr.domain: 5501+ AAAA? bro03.....cornell.edu. (46)
12:10:03.391800 IP 10.x.x.40.44672 > my.qry.DNS.svr.domain: 51518+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:03.392276 IP 10.x.x.40.45358 > my.qry.DNS.svr.domain: 7293+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:03.397961 IP 10.x.x.50.45922 > my.qry.DNS.svr.domain: 39965+ A? bromgr.....cornell.edu. (47)
12:10:03.397980 IP 10.x.x.50.45922 > my.qry.DNS.svr.domain: 7787+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.398159 IP 10.x.x.50.59467 > my.qry.DNS.svr.domain: 10048+ A? bromgr.....cornell.edu. (47)
12:10:03.398173 IP 10.x.x.50.59467 > my.qry.DNS.svr.domain: 13028+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.399666 IP 10.x.x.50.42863 > my.qry.DNS.svr.domain: 55339+ A? bromgr.....cornell.edu. (47)
12:10:03.399680 IP 10.x.x.50.42863 > my.qry.DNS.svr.domain: 52723+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.399690 IP 10.x.x.50.42723 > my.qry.DNS.svr.domain: 12607+ A? bromgr.....cornell.edu. (47)
12:10:03.399695 IP 10.x.x.50.42723 > my.qry.DNS.svr.domain: 13987+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.400878 IP 10.x.x.50.55559 > my.qry.DNS.svr.domain: 35866+ A? bromgr.....cornell.edu. (47)
12:10:03.400891 IP 10.x.x.50.55559 > my.qry.DNS.svr.domain: 35483+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.400897 IP 10.x.x.50.52328 > my.qry.DNS.svr.domain: 20847+ A? bromgr.....cornell.edu. (47)
12:10:03.400902 IP 10.x.x.50.52328 > my.qry.DNS.svr.domain: 53748+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.402595 IP 10.x.x.50.33937 > my.qry.DNS.svr.domain: 64154+ A? bromgr.....cornell.edu. (47)
12:10:03.402615 IP 10.x.x.50.33937 > my.qry.DNS.svr.domain: 38761+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.402827 IP 10.x.x.50.49424 > my.qry.DNS.svr.domain: 14007+ A? bromgr.....cornell.edu. (47)
12:10:03.402843 IP 10.x.x.50.49424 > my.qry.DNS.svr.domain: 1000+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.403815 IP 10.x.x.50.54555 > my.qry.DNS.svr.domain: 55109+ A? bromgr.....cornell.edu. (47)
12:10:03.403833 IP 10.x.x.50.54555 > my.qry.DNS.svr.domain: 24482+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.404310 IP 10.x.x.50.35699 > my.qry.DNS.svr.domain: 59180+ A? bromgr.....cornell.edu. (47)
12:10:03.404332 IP 10.x.x.50.35699 > my.qry.DNS.svr.domain: 46278+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.404560 IP 10.x.x.50.36685 > my.qry.DNS.svr.domain: 52657+ A? bromgr.....cornell.edu. (47)
12:10:03.404576 IP 10.x.x.50.36685 > my.qry.DNS.svr.domain: 459+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.405059 IP 10.x.x.50.49192 > my.qry.DNS.svr.domain: 2072+ A? bromgr.....cornell.edu. (47)
12:10:03.405075 IP 10.x.x.50.49192 > my.qry.DNS.svr.domain: 41075+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.407500 IP 10.x.x.50.42026 > my.qry.DNS.svr.domain: 15455+ A? bromgr.....cornell.edu. (47)
12:10:03.407517 IP 10.x.x.50.42026 > my.qry.DNS.svr.domain: 32255+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.408489 IP 10.x.x.50.34634 > my.qry.DNS.svr.domain: 8136+ A? bromgr.....cornell.edu. (47)
12:10:03.408505 IP 10.x.x.50.34634 > my.qry.DNS.svr.domain: 12955+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.411746 IP 10.x.x.50.45753 > my.qry.DNS.svr.domain: 57768+ A? bromgr.....cornell.edu. (47)
12:10:03.411770 IP 10.x.x.50.45753 > my.qry.DNS.svr.domain: 51905+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.412691 IP 10.x.x.50.49671 > my.qry.DNS.svr.domain: 47043+ A? bromgr.....cornell.edu. (47)
12:10:03.412713 IP 10.x.x.50.49671 > my.qry.DNS.svr.domain: 43471+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.413182 IP 10.x.x.40.36915 > my.qry.DNS.svr.domain: 34917+ A? bro03.....cornell.edu. (46)
12:10:03.413204 IP 10.x.x.40.36915 > my.qry.DNS.svr.domain: 19126+ AAAA? bro03.....cornell.edu. (46)
12:10:03.414401 IP 10.x.x.40.43140 > my.qry.DNS.svr.domain: 32608+ A? bro03.....cornell.edu. (46)
12:10:03.414416 IP 10.x.x.40.43140 > my.qry.DNS.svr.domain: 11179+ AAAA? bro03.....cornell.edu. (46)
12:10:03.418067 IP 10.x.x.50.54742 > my.qry.DNS.svr.domain: 30060+ PTR? 40.x.x.10.in-addr.arpa. (43)
12:10:03.419073 IP 10.x.x.50.54169 > my.qry.DNS.svr.domain: 63945+ A? bromgr.....cornell.edu. (47)
12:10:03.419539 IP 10.x.x.50.48779 > my.qry.DNS.svr.domain: 61926+ PTR? 40.x.x.10.in-addr.arpa. (43)
12:10:03.420788 IP 10.x.x.50.36760 > my.qry.DNS.svr.domain: 45994+ A? bromgr.....cornell.edu. (47)
12:10:03.465996 IP 10.x.x.50.54470 > my.qry.DNS.svr.domain: 31402+ PTR? 40.x.x.10.in-addr.arpa. (43)
12:10:03.466019 IP 10.x.x.50.51547 > my.qry.DNS.svr.domain: 60041+ PTR? 40.x.x.10.in-addr.arpa. (43)
12:10:03.466978 IP 10.x.x.50.37196 > my.qry.DNS.svr.domain: 2566+ A? bromgr.....cornell.edu. (47)
12:10:03.466991 IP 10.x.x.50.35315 > my.qry.DNS.svr.domain: 3048+ A? bromgr.....cornell.edu. (47)
12:10:03.467979 IP 10.x.x.40.56678 > my.qry.DNS.svr.domain: 46420+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:03.468205 IP 10.x.x.40.37260 > my.qry.DNS.svr.domain: 7910+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:03.468704 IP 10.x.x.40.53578 > my.qry.DNS.svr.domain: 40061+ A? bro03.....cornell.edu. (46)
12:10:03.469200 IP 10.x.x.40.35961 > my.qry.DNS.svr.domain: 428+ A? bro03.....cornell.edu. (46)
12:10:03.469937 IP 10.x.x.40.55781 > my.qry.DNS.svr.domain: 63478+ A? bro03.....cornell.edu. (46)
12:10:03.469947 IP 10.x.x.40.55781 > my.qry.DNS.svr.domain: 39546+ AAAA? bro03.....cornell.edu. (46)
12:10:03.470188 IP 10.x.x.40.47159 > my.qry.DNS.svr.domain: 22619+ A? bro03.....cornell.edu. (46)
12:10:03.470205 IP 10.x.x.40.47159 > my.qry.DNS.svr.domain: 57107+ AAAA? bro03.....cornell.edu. (46)
12:10:03.470709 IP 10.x.x.40.59360 > my.qry.DNS.svr.domain: 47434+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:03.470912 IP 10.x.x.40.49219 > my.qry.DNS.svr.domain: 8836+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:03.471897 IP 10.x.x.40.40703 > my.qry.DNS.svr.domain: 33225+ A? bro03.....cornell.edu. (46)
12:10:03.471912 IP 10.x.x.40.40703 > my.qry.DNS.svr.domain: 2389+ AAAA? bro03.....cornell.edu. (46)
12:10:03.472144 IP 10.x.x.40.37566 > my.qry.DNS.svr.domain: 49779+ A? bro03.....cornell.edu. (46)
12:10:03.472157 IP 10.x.x.40.37566 > my.qry.DNS.svr.domain: 52845+ AAAA? bro03.....cornell.edu. (46)
12:10:03.472650 IP 10.x.x.40.52837 > my.qry.DNS.svr.domain: 45496+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:03.472892 IP 10.x.x.40.57350 > my.qry.DNS.svr.domain: 10963+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:03.473872 IP 10.x.x.40.59459 > my.qry.DNS.svr.domain: 43147+ A? bro03.....cornell.edu. (46)
12:10:03.473889 IP 10.x.x.40.59459 > my.qry.DNS.svr.domain: 22380+ AAAA? bro03.....cornell.edu. (46)
12:10:03.474114 IP 10.x.x.40.41707 > my.qry.DNS.svr.domain: 49598+ A? bro03.....cornell.edu. (46)
12:10:03.474130 IP 10.x.x.40.41707 > my.qry.DNS.svr.domain: 16565+ AAAA? bro03.....cornell.edu. (46)
12:10:03.474847 IP 10.x.x.40.60129 > my.qry.DNS.svr.domain: 58983+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:03.474865 IP 10.x.x.40.37064 > my.qry.DNS.svr.domain: 38862+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:03.476329 IP 10.x.x.40.37735 > my.qry.DNS.svr.domain: 40941+ A? bro03.....cornell.edu. (46)
12:10:03.476345 IP 10.x.x.40.47244 > my.qry.DNS.svr.domain: 8408+ A? bro03.....cornell.edu. (46)
12:10:03.476351 IP 10.x.x.40.47244 > my.qry.DNS.svr.domain: 10732+ AAAA? bro03.....cornell.edu. (46)
12:10:03.476361 IP 10.x.x.40.37735 > my.qry.DNS.svr.domain: 61568+ AAAA? bro03.....cornell.edu. (46)
12:10:03.477062 IP 10.x.x.40.42467 > my.qry.DNS.svr.domain: 24137+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:03.477078 IP 10.x.x.40.48987 > my.qry.DNS.svr.domain: 15536+ PTR? 50.x.x.10.in-addr.arpa. (43)
12:10:03.481238 IP 10.x.x.50.60939 > my.qry.DNS.svr.domain: 32991+ A? bromgr.....cornell.edu. (47)
12:10:03.481250 IP 10.x.x.50.60939 > my.qry.DNS.svr.domain: 56037+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.481732 IP 10.x.x.50.44731 > my.qry.DNS.svr.domain: 63317+ A? bromgr.....cornell.edu. (47)
12:10:03.481752 IP 10.x.x.50.44731 > my.qry.DNS.svr.domain: 3246+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.482960 IP 10.x.x.50.40030 > my.qry.DNS.svr.domain: 16534+ A? bromgr.....cornell.edu. (47)
12:10:03.482983 IP 10.x.x.50.40030 > my.qry.DNS.svr.domain: 40016+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.483219 IP 10.x.x.50.42933 > my.qry.DNS.svr.domain: 26793+ A? bromgr.....cornell.edu. (47)
12:10:03.483229 IP 10.x.x.50.42933 > my.qry.DNS.svr.domain: 13485+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.484189 IP 10.x.x.50.56863 > my.qry.DNS.svr.domain: 15282+ A? bromgr.....cornell.edu. (47)
12:10:03.484207 IP 10.x.x.50.56863 > my.qry.DNS.svr.domain: 44829+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.484213 IP 10.x.x.50.54641 > my.qry.DNS.svr.domain: 6423+ A? bromgr.....cornell.edu. (47)
12:10:03.484218 IP 10.x.x.50.54641 > my.qry.DNS.svr.domain: 40840+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.485897 IP 10.x.x.50.39724 > my.qry.DNS.svr.domain: 39524+ A? bromgr.....cornell.edu. (47)
12:10:03.485913 IP 10.x.x.50.39724 > my.qry.DNS.svr.domain: 64869+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.486145 IP 10.x.x.50.52905 > my.qry.DNS.svr.domain: 46329+ A? bromgr.....cornell.edu. (47)
12:10:03.486161 IP 10.x.x.50.52905 > my.qry.DNS.svr.domain: 44525+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.487378 IP 10.x.x.50.52248 > my.qry.DNS.svr.domain: 49327+ A? bromgr.....cornell.edu. (47)
12:10:03.487395 IP 10.x.x.50.49604 > my.qry.DNS.svr.domain: 14976+ A? bromgr.....cornell.edu. (47)
12:10:03.487401 IP 10.x.x.50.52248 > my.qry.DNS.svr.domain: 31201+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.487406 IP 10.x.x.50.49604 > my.qry.DNS.svr.domain: 18411+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.488370 IP 10.x.x.50.47756 > my.qry.DNS.svr.domain: 60597+ A? bromgr.....cornell.edu. (47)
12:10:03.488391 IP 10.x.x.50.54529 > my.qry.DNS.svr.domain: 16957+ A? bromgr.....cornell.edu. (47)
12:10:03.488401 IP 10.x.x.50.47756 > my.qry.DNS.svr.domain: 16274+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.488409 IP 10.x.x.50.54529 > my.qry.DNS.svr.domain: 50073+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.491306 IP 10.x.x.50.47239 > my.qry.DNS.svr.domain: 29791+ A? bromgr.....cornell.edu. (47)
12:10:03.491320 IP 10.x.x.50.47239 > my.qry.DNS.svr.domain: 60716+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.492047 IP 10.x.x.50.37954 > my.qry.DNS.svr.domain: 42794+ A? bromgr.....cornell.edu. (47)
12:10:03.492063 IP 10.x.x.50.37954 > my.qry.DNS.svr.domain: 62510+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.493028 IP 10.x.x.50.52740 > my.qry.DNS.svr.domain: 65456+ A? bromgr.....cornell.edu. (47)
12:10:03.493052 IP 10.x.x.50.52740 > my.qry.DNS.svr.domain: 35386+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.493769 IP 10.x.x.50.39179 > my.qry.DNS.svr.domain: 47016+ A? bromgr.....cornell.edu. (47)
12:10:03.493786 IP 10.x.x.50.39179 > my.qry.DNS.svr.domain: 45088+ AAAA? bromgr.....cornell.edu. (47)
12:10:03.497003 IP 10.x.x.40.57680 > my.qry.DNS.svr.domain: 64994+ A? bro03.....cornell.edu. (46)
12:10:03.497018 IP 10.x.x.40.57680 > my.qry.DNS.svr.domain: 5809+ AAAA? bro03.....cornell.edu. (46)
12:10:03.498202 IP 10.x.x.40.37076 > my.qry.DNS.svr.domain: 14189+ A? bro04.....cornell.edu. (46)
12:10:03.498219 IP 10.x.x.40.37076 > my.qry.DNS.svr.domain: 62916+ AAAA? bro04.....cornell.edu. (46)
12:10:03.501866 IP 10.x.x.50.50715 > my.qry.DNS.svr.domain: 49607+ PTR? 40.x.x.10.in-addr.arpa. (43)
12:10:03.503106 IP 10.x.x.50.45905 > my.qry.DNS.svr.domain: 41735+ A? bromgr.....cornell.edu. (47)
12:10:03.506543 IP 10.x.x.51.43729 > my.qry.DNS.svr.domain: 59582+ PTR? 40.x.x.10.in-addr.arpa. (43)
12:10:03.507527 IP 10.x.x.51.59768 > my.qry.DNS.svr.domain: 15030+ A? bromgr.....cornell.edu.
(47) 12:10:03.549055 IP 10.x.x.50.39027 > my.qry.DNS.svr.domain: 63192+ PTR? 40.x.x.10.in-addr.arpa. (43) 12:10:03.550282 IP 10.x.x.50.44710 > my.qry.DNS.svr.domain: 17960+ A? bromgr.....cornell.edu. (47) 12:10:03.551525 IP 10.x.x.40.36996 > my.qry.DNS.svr.domain: 11331+ PTR? 50.x.x.10.in-addr.arpa. (43) 12:10:03.552260 IP 10.x.x.40.48534 > my.qry.DNS.svr.domain: 11750+ A? bro03.....cornell.edu. (46) 12:10:03.553253 IP 10.x.x.40.48986 > my.qry.DNS.svr.domain: 15874+ A? bro03.....cornell.edu. (46) 12:10:03.553269 IP 10.x.x.40.48986 > my.qry.DNS.svr.domain: 6953+ AAAA? bro03.....cornell.edu. (46) 12:10:03.553744 IP 10.x.x.51.49801 > my.qry.DNS.svr.domain: 57161+ PTR? 40.x.x.10.in-addr.arpa. (43) 12:10:03.554242 IP 10.x.x.40.56072 > my.qry.DNS.svr.domain: 24028+ PTR? 50.x.x.10.in-addr.arpa. (43) 12:10:03.554710 IP 10.x.x.51.40442 > my.qry.DNS.svr.domain: 54516+ A? bromgr.....cornell.edu. (47) 12:10:03.555463 IP 10.x.x.40.57949 > my.qry.DNS.svr.domain: 61064+ A? bro03.....cornell.edu. (46) 12:10:03.555477 IP 10.x.x.40.57949 > my.qry.DNS.svr.domain: 54080+ AAAA? bro03.....cornell.edu. (46) 12:10:03.555954 IP 10.x.x.40.43035 > my.qry.DNS.svr.domain: 9370+ PTR? 51.x.x.10.in-addr.arpa. (43) 12:10:03.556438 IP 10.x.x.40.60303 > my.qry.DNS.svr.domain: 61586+ PTR? 50.x.x.10.in-addr.arpa. (43) 12:10:03.556685 IP 10.x.x.40.39904 > my.qry.DNS.svr.domain: 50556+ A? bro04.....cornell.edu. (46) 12:10:03.557675 IP 10.x.x.40.38799 > my.qry.DNS.svr.domain: 56621+ A? bro03.....cornell.edu. (46) 12:10:03.557689 IP 10.x.x.40.60728 > my.qry.DNS.svr.domain: 19112+ A? bro04.....cornell.edu. (46) 12:10:03.557695 IP 10.x.x.40.38799 > my.qry.DNS.svr.domain: 25299+ AAAA? bro03.....cornell.edu. (46) 12:10:03.557700 IP 10.x.x.40.60728 > my.qry.DNS.svr.domain: 65500+ AAAA? bro04.....cornell.edu. (46) 12:10:03.558409 IP 10.x.x.40.42361 > my.qry.DNS.svr.domain: 48084+ PTR? 50.x.x.10.in-addr.arpa. (43) 12:10:03.558669 IP 10.x.x.40.37509 > my.qry.DNS.svr.domain: 51355+ PTR? 51.x.x.10.in-addr.arpa. 
(43) 12:10:03.559639 IP 10.x.x.40.50334 > my.qry.DNS.svr.domain: 1228+ A? bro03.....cornell.edu. (46) 12:10:03.559654 IP 10.x.x.40.50334 > my.qry.DNS.svr.domain: 2509+ AAAA? bro03.....cornell.edu. (46) 12:10:03.560139 IP 10.x.x.40.42893 > my.qry.DNS.svr.domain: 45419+ A? bro04.....cornell.edu. (46) 12:10:03.560156 IP 10.x.x.40.42893 > my.qry.DNS.svr.domain: 29252+ AAAA? bro04.....cornell.edu. (46) 12:10:03.560616 IP 10.x.x.40.50550 > my.qry.DNS.svr.domain: 29401+ PTR? 50.x.x.10.in-addr.arpa. (43) 12:10:03.560860 IP 10.x.x.40.57375 > my.qry.DNS.svr.domain: 18208+ PTR? 51.x.x.10.in-addr.arpa. (43) 12:10:03.562108 IP 10.x.x.40.41304 > my.qry.DNS.svr.domain: 45663+ A? bro04.....cornell.edu. (46) 12:10:03.562121 IP 10.x.x.40.41304 > my.qry.DNS.svr.domain: 35242+ AAAA? bro04.....cornell.edu. (46) 12:10:03.562836 IP 10.x.x.40.40671 > my.qry.DNS.svr.domain: 8986+ PTR? 51.x.x.10.in-addr.arpa. (43) 12:10:03.564058 IP 10.x.x.40.38948 > my.qry.DNS.svr.domain: 51499+ A? bro04.....cornell.edu. (46) 12:10:03.564070 IP 10.x.x.40.38948 > my.qry.DNS.svr.domain: 841+ AAAA? bro04.....cornell.edu. (46) 12:10:03.564792 IP 10.x.x.40.46382 > my.qry.DNS.svr.domain: 26027+ PTR? 51.x.x.10.in-addr.arpa. (43) 12:10:03.565524 IP 10.x.x.50.45885 > my.qry.DNS.svr.domain: 10249+ A? bromgr.....cornell.edu. (47) 12:10:03.565541 IP 10.x.x.50.45885 > my.qry.DNS.svr.domain: 16888+ AAAA? bromgr.....cornell.edu. (47) 12:10:03.567489 IP 10.x.x.50.47587 > my.qry.DNS.svr.domain: 11587+ A? bromgr.....cornell.edu. (47) 12:10:03.567505 IP 10.x.x.50.47587 > my.qry.DNS.svr.domain: 61079+ AAAA? bromgr.....cornell.edu. (47) 12:10:03.568727 IP 10.x.x.50.35777 > my.qry.DNS.svr.domain: 56037+ A? bromgr.....cornell.edu. (47) 12:10:03.568743 IP 10.x.x.50.35777 > my.qry.DNS.svr.domain: 45117+ AAAA? bromgr.....cornell.edu. (47) 12:10:03.569956 IP 10.x.x.51.40900 > my.qry.DNS.svr.domain: 32023+ A? bromgr.....cornell.edu. (47) 12:10:03.569975 IP 10.x.x.51.40900 > my.qry.DNS.svr.domain: 33361+ AAAA? bromgr.....cornell.edu. 
(47) 12:10:03.570446 IP 10.x.x.50.50154 > my.qry.DNS.svr.domain: 22358+ A? bromgr.....cornell.edu. (47) 12:10:03.570463 IP 10.x.x.50.50154 > my.qry.DNS.svr.domain: 37525+ AAAA? bromgr.....cornell.edu. (47) 12:10:03.571926 IP 10.x.x.51.56654 > my.qry.DNS.svr.domain: 3991+ A? bromgr.....cornell.edu. (47) 12:10:03.571933 IP 10.x.x.50.42714 > my.qry.DNS.svr.domain: 58114+ A? bromgr.....cornell.edu. (47) 12:10:03.571943 IP 10.x.x.51.56654 > my.qry.DNS.svr.domain: 63719+ AAAA? bromgr.....cornell.edu. (47) 12:10:03.571945 IP 10.x.x.50.42714 > my.qry.DNS.svr.domain: 3282+ AAAA? bromgr.....cornell.edu. (47) 12:10:03.572657 IP 10.x.x.50.55686 > my.qry.DNS.svr.domain: 30295+ A? bromgr.....cornell.edu. (47) 12:10:03.572673 IP 10.x.x.50.55686 > my.qry.DNS.svr.domain: 14823+ AAAA? bromgr.....cornell.edu. (47) 12:10:03.573150 IP 10.x.x.51.58363 > my.qry.DNS.svr.domain: 7671+ A? bromgr.....cornell.edu. (47) 12:10:03.573166 IP 10.x.x.51.58363 > my.qry.DNS.svr.domain: 49680+ AAAA? bromgr.....cornell.edu. (47) 12:10:03.575117 IP 10.x.x.51.35361 > my.qry.DNS.svr.domain: 58220+ A? bromgr.....cornell.edu. (47) 12:10:03.575133 IP 10.x.x.51.35361 > my.qry.DNS.svr.domain: 2808+ AAAA? bromgr.....cornell.edu. (47) 12:10:03.576337 IP 10.x.x.51.40023 > my.qry.DNS.svr.domain: 9155+ A? bromgr.....cornell.edu. (47) 12:10:03.576350 IP 10.x.x.51.40023 > my.qry.DNS.svr.domain: 17536+ AAAA? bromgr.....cornell.edu. (47) 12:10:03.577084 IP 10.x.x.51.36249 > my.qry.DNS.svr.domain: 22995+ A? bromgr.....cornell.edu. (47) 12:10:03.577100 IP 10.x.x.51.36249 > my.qry.DNS.svr.domain: 22063+ AAAA? bromgr.....cornell.edu. (47) 12:10:03.581014 IP 10.x.x.51.49667 > my.qry.DNS.svr.domain: 13320+ A? bromgr.....cornell.edu. (47) 12:10:03.581029 IP 10.x.x.51.49667 > my.qry.DNS.svr.domain: 24300+ AAAA? bromgr.....cornell.edu. (47) 12:10:03.581996 IP 10.x.x.51.52467 > my.qry.DNS.svr.domain: 34822+ A? bromgr.....cornell.edu. (47) 12:10:03.582010 IP 10.x.x.51.52467 > my.qry.DNS.svr.domain: 60968+ AAAA? 
bromgr.....cornell.edu. (47) 12:10:03.582986 IP 10.x.x.51.35793 > my.qry.DNS.svr.domain: 43109+ A? bromgr.....cornell.edu. (47) 12:10:03.583001 IP 10.x.x.51.35793 > my.qry.DNS.svr.domain: 28330+ AAAA? bromgr.....cornell.edu. (47) 12:10:03.583715 IP 10.x.x.51.36913 > my.qry.DNS.svr.domain: 29881+ A? bromgr.....cornell.edu. (47) 12:10:03.583730 IP 10.x.x.51.36913 > my.qry.DNS.svr.domain: 51921+ AAAA? bromgr.....cornell.edu. (47) 12:10:03.586432 IP 10.x.x.40.43888 > my.qry.DNS.svr.domain: 18738+ A? bro04.....cornell.edu. (46) 12:10:03.586452 IP 10.x.x.40.43888 > my.qry.DNS.svr.domain: 59472+ AAAA? bro04.....cornell.edu. (46) 12:10:03.587659 IP 10.x.x.40.41722 > my.qry.DNS.svr.domain: 39259+ A? bro04.....cornell.edu. (46) 12:10:03.587672 IP 10.x.x.40.41722 > my.qry.DNS.svr.domain: 24482+ AAAA? bro04.....cornell.edu. (46) 12:10:03.594027 IP 10.x.x.51.34819 > my.qry.DNS.svr.domain: 27933+ PTR? 40.x.x.10.in-addr.arpa. (43) 12:10:03.594280 IP 10.x.x.51.39316 > my.qry.DNS.svr.domain: 50074+ PTR? 40.x.x.10.in-addr.arpa. (43) 12:10:03.595016 IP 10.x.x.51.42403 > my.qry.DNS.svr.domain: 55208+ A? bromgr.....cornell.edu. (47) 12:10:03.595258 IP 10.x.x.51.51736 > my.qry.DNS.svr.domain: 51488+ A? bromgr.....cornell.edu. (47) 12:10:03.642697 IP 10.x.x.51.34831 > my.qry.DNS.svr.domain: 5464+ PTR? 40.x.x.10.in-addr.arpa. (43) 12:10:03.642937 IP 10.x.x.51.40661 > my.qry.DNS.svr.domain: 25187+ PTR? 40.x.x.10.in-addr.arpa. (43) 12:10:03.643922 IP 10.x.x.51.46974 > my.qry.DNS.svr.domain: 45490+ A? bromgr.....cornell.edu. (47) 12:10:03.643940 IP 10.x.x.51.57101 > my.qry.DNS.svr.domain: 14180+ A? bromgr.....cornell.edu. (47) 12:10:03.644927 IP 10.x.x.40.54044 > my.qry.DNS.svr.domain: 44749+ PTR? 51.x.x.10.in-addr.arpa. (43) 12:10:03.645166 IP 10.x.x.40.42281 > my.qry.DNS.svr.domain: 25716+ PTR? 51.x.x.10.in-addr.arpa. (43) 12:10:03.645913 IP 10.x.x.40.49961 > my.qry.DNS.svr.domain: 31424+ A? bro04.....cornell.edu. (46) 12:10:03.646389 IP 10.x.x.40.57922 > my.qry.DNS.svr.domain: 47813+ A? 
bro04.....cornell.edu. (46) 12:10:03.646889 IP 10.x.x.40.42234 > my.qry.DNS.svr.domain: 27894+ A? bro04.....cornell.edu. (46) 12:10:03.646905 IP 10.x.x.40.42234 > my.qry.DNS.svr.domain: 63030+ AAAA? bro04.....cornell.edu. (46) 12:10:03.647375 IP 10.x.x.40.34459 > my.qry.DNS.svr.domain: 1273+ A? bro04.....cornell.edu. (46) 12:10:03.647394 IP 10.x.x.40.34459 > my.qry.DNS.svr.domain: 15925+ AAAA? bro04.....cornell.edu. (46) 12:10:03.647620 IP 10.x.x.40.36019 > my.qry.DNS.svr.domain: 45249+ PTR? 51.x.x.10.in-addr.arpa. (43) 12:10:03.648114 IP 10.x.x.40.49668 > my.qry.DNS.svr.domain: 38863+ PTR? 51.x.x.10.in-addr.arpa. (43) 12:10:03.649104 IP 10.x.x.40.40523 > my.qry.DNS.svr.domain: 31021+ A? bro04.....cornell.edu. (46) 12:10:03.649123 IP 10.x.x.40.40523 > my.qry.DNS.svr.domain: 16036+ AAAA? bro04.....cornell.edu. (46) 12:10:03.649365 IP 10.x.x.40.33467 > my.qry.DNS.svr.domain: 63690+ A? bro04.....cornell.edu. (46) 12:10:03.649381 IP 10.x.x.40.33467 > my.qry.DNS.svr.domain: 45518+ AAAA? bro04.....cornell.edu. (46) 12:10:03.649834 IP 10.x.x.40.42092 > my.qry.DNS.svr.domain: 52077+ PTR? 51.x.x.10.in-addr.arpa. (43) 12:10:03.650331 IP 10.x.x.40.49944 > my.qry.DNS.svr.domain: 9829+ PTR? 51.x.x.10.in-addr.arpa. (43) 12:10:03.650821 IP 10.x.x.40.57534 > my.qry.DNS.svr.domain: 2085+ A? bro04.....cornell.edu. (46) 12:10:03.650839 IP 10.x.x.40.57534 > my.qry.DNS.svr.domain: 23012+ AAAA? bro04.....cornell.edu. (46) 12:10:03.651312 IP 10.x.x.40.56689 > my.qry.DNS.svr.domain: 37635+ A? bro04.....cornell.edu. (46) 12:10:03.651330 IP 10.x.x.40.56689 > my.qry.DNS.svr.domain: 44201+ AAAA? bro04.....cornell.edu. (46) 12:10:03.651553 IP 10.x.x.40.48014 > my.qry.DNS.svr.domain: 55968+ PTR? 51.x.x.10.in-addr.arpa. (43) 12:10:03.652045 IP 10.x.x.40.51822 > my.qry.DNS.svr.domain: 61831+ PTR? 51.x.x.10.in-addr.arpa. (43) 12:10:03.652791 IP 10.x.x.40.48122 > my.qry.DNS.svr.domain: 11098+ A? bro04.....cornell.edu. (46) 12:10:03.652809 IP 10.x.x.40.48122 > my.qry.DNS.svr.domain: 20507+ AAAA? 
bro04.....cornell.edu. (46) 12:10:03.653033 IP 10.x.x.40.54125 > my.qry.DNS.svr.domain: 10968+ A? bro04.....cornell.edu. (46) 12:10:03.653045 IP 10.x.x.40.54125 > my.qry.DNS.svr.domain: 63279+ AAAA? bro04.....cornell.edu. (46) 12:10:03.653547 IP 10.x.x.40.54995 > my.qry.DNS.svr.domain: 51685+ PTR? 51.x.x.10.in-addr.arpa. (43) 12:10:03.653770 IP 10.x.x.40.45707 > my.qry.DNS.svr.domain: 14554+ PTR? 51.x.x.10.in-addr.arpa. (43) 12:10:03.659938 IP 10.x.x.51.47507 > my.qry.DNS.svr.domain: 2482+ A? bromgr.....cornell.edu. (47) 12:10:03.659973 IP 10.x.x.51.47507 > my.qry.DNS.svr.domain: 33557+ AAAA? bromgr.....cornell.edu. (47) 12:10:03.659983 IP 10.x.x.51.50463 > my.qry.DNS.svr.domain: 62578+ A? bromgr.....cornell.edu. (47) 12:10:03.659991 IP 10.x.x.51.50463 > my.qry.DNS.svr.domain: 43837+ AAAA? bromgr.....cornell.edu. (47) 12:10:03.662122 IP 10.x.x.51.35453 > my.qry.DNS.svr.domain: 5540+ A? bromgr.....cornell.edu. (47) 12:10:03.662141 IP 10.x.x.51.35453 > my.qry.DNS.svr.domain: 63255+ AAAA? bromgr.....cornell.edu. (47) 12:10:03.662367 IP 10.x.x.51.40299 > my.qry.DNS.svr.domain: 65021+ A? bromgr.....cornell.edu. (47) 12:10:03.662384 IP 10.x.x.51.40299 > my.qry.DNS.svr.domain: 7151+ AAAA? bromgr.....cornell.edu. (47) 12:10:03.663340 IP 10.x.x.51.54417 > my.qry.DNS.svr.domain: 31136+ A? bromgr.....cornell.edu. (47) 12:10:03.663355 IP 10.x.x.51.54417 > my.qry.DNS.svr.domain: 818+ AAAA? bromgr.....cornell.edu. (47) 12:10:03.663583 IP 10.x.x.51.41673 > my.qry.DNS.svr.domain: 65489+ A? bromgr.....cornell.edu. (47) 12:10:03.663598 IP 10.x.x.51.41673 > my.qry.DNS.svr.domain: 6080+ AAAA? bromgr.....cornell.edu. (47) 12:10:03.665319 IP 10.x.x.51.56743 > my.qry.DNS.svr.domain: 14858+ A? bromgr.....cornell.edu. (47) 12:10:03.665335 IP 10.x.x.51.56743 > my.qry.DNS.svr.domain: 62592+ AAAA? bromgr.....cornell.edu. (47) 12:10:03.665341 IP 10.x.x.51.35421 > my.qry.DNS.svr.domain: 15555+ A? bromgr.....cornell.edu. 
(47) 12:10:03.665346 IP 10.x.x.51.35421 > my.qry.DNS.svr.domain: 44418+ AAAA? bromgr.....cornell.edu. (47) 12:10:03.666538 IP 10.x.x.51.45629 > my.qry.DNS.svr.domain: 39142+ A? bromgr.....cornell.edu. (47) 12:10:03.666556 IP 10.x.x.51.44260 > my.qry.DNS.svr.domain: 8942+ A? bromgr.....cornell.edu. (47) 12:10:03.666570 IP 10.x.x.51.45629 > my.qry.DNS.svr.domain: 33051+ AAAA? bromgr.....cornell.edu. (47) 12:10:03.666580 IP 10.x.x.51.44260 > my.qry.DNS.svr.domain: 7606+ AAAA? bromgr.....cornell.edu. (47) 12:10:03.667275 IP 10.x.x.51.54704 > my.qry.DNS.svr.domain: 11311+ A? bromgr.....cornell.edu. (47) 12:10:03.667286 IP 10.x.x.51.54704 > my.qry.DNS.svr.domain: 30540+ AAAA? bromgr.....cornell.edu. (47) 12:10:03.667764 IP 10.x.x.51.49561 > my.qry.DNS.svr.domain: 25551+ A? bromgr.....cornell.edu. (47) 12:10:03.667773 IP 10.x.x.51.49561 > my.qry.DNS.svr.domain: 10740+ AAAA? bromgr.....cornell.edu. (47) 12:10:03.672930 IP 10.x.x.51.56727 > my.qry.DNS.svr.domain: 51056+ A? bromgr.....cornell.edu. (47) 12:10:03.672946 IP 10.x.x.51.56727 > my.qry.DNS.svr.domain: 56828+ AAAA? bromgr.....cornell.edu. (47) 12:10:03.673917 IP 10.x.x.51.54428 > my.qry.DNS.svr.domain: 4039+ A? bromgr.....cornell.edu. (47) 12:10:03.673934 IP 10.x.x.51.54428 > my.qry.DNS.svr.domain: 22938+ AAAA? bromgr.....cornell.edu. (47) 12:10:03.675136 IP 10.x.x.51.51513 > my.qry.DNS.svr.domain: 40753+ A? bromgr.....cornell.edu. (47) 12:10:03.675148 IP 10.x.x.51.51513 > my.qry.DNS.svr.domain: 25041+ AAAA? bromgr.....cornell.edu. (47) 12:10:03.675877 IP 10.x.x.51.32904 > my.qry.DNS.svr.domain: 65387+ A? bromgr.....cornell.edu. (47) 12:10:03.675893 IP 10.x.x.51.32904 > my.qry.DNS.svr.domain: 15630+ AAAA? bromgr.....cornell.edu. (47) 12:10:03.678594 IP 10.x.x.40.35243 > my.qry.DNS.svr.domain: 11941+ A? bro04.....cornell.edu. (46) 12:10:03.678613 IP 10.x.x.40.35243 > my.qry.DNS.svr.domain: 48180+ AAAA? bro04.....cornell.edu. (46) 12:10:03.679328 IP 10.x.x.40.49662 > my.qry.DNS.svr.domain: 39388+ A? 
bro04.....cornell.edu. (46) 12:10:03.679344 IP 10.x.x.40.49662 > my.qry.DNS.svr.domain: 53667+ AAAA? bro04.....cornell.edu. (46) 12:10:03.689389 IP 10.x.x.51.51874 > my.qry.DNS.svr.domain: 828+ PTR? 40.x.x.10.in-addr.arpa. (43) 12:10:03.690377 IP 10.x.x.51.58032 > my.qry.DNS.svr.domain: 6583+ A? bromgr.....cornell.edu. (47) 12:10:03.690616 IP 10.x.x.51.45486 > my.qry.DNS.svr.domain: 34891+ PTR? 40.x.x.10.in-addr.arpa. (43) 12:10:03.691601 IP 10.x.x.51.55648 > my.qry.DNS.svr.domain: 7759+ A? bromgr.....cornell.edu. (47) 12:10:03.741743 IP 10.x.x.51.33561 > my.qry.DNS.svr.domain: 64412+ PTR? 40.x.x.10.in-addr.arpa. (43) 12:10:03.742717 IP 10.x.x.51.33344 > my.qry.DNS.svr.domain: 28994+ A? bromgr.....cornell.edu. (47) 12:10:03.743464 IP 10.x.x.51.44295 > my.qry.DNS.svr.domain: 30958+ PTR? 40.x.x.10.in-addr.arpa. (43) 12:10:03.743965 IP 10.x.x.40.42034 > my.qry.DNS.svr.domain: 20700+ PTR? 51.x.x.10.in-addr.arpa. (43) 12:10:03.744199 IP 10.x.x.51.42029 > my.qry.DNS.svr.domain: 34353+ A? bromgr.....cornell.edu. (47) 12:10:03.744695 IP 10.x.x.40.38117 > my.qry.DNS.svr.domain: 23380+ A? bro04.....cornell.edu. (46) 12:10:03.745438 IP 10.x.x.40.42364 > my.qry.DNS.svr.domain: 26552+ PTR? 51.x.x.10.in-addr.arpa. (43) 12:10:03.746181 IP 10.x.x.40.39831 > my.qry.DNS.svr.domain: 16925+ A? bro04.....cornell.edu. (46) 12:10:03.746196 IP 10.x.x.40.50769 > my.qry.DNS.svr.domain: 16092+ A? bro04.....cornell.edu. (46) 12:10:03.746201 IP 10.x.x.40.39831 > my.qry.DNS.svr.domain: 8691+ AAAA? bro04.....cornell.edu. (46) 12:10:03.747418 IP 10.x.x.40.59964 > my.qry.DNS.svr.domain: 9283+ PTR? 51.x.x.10.in-addr.arpa. (43) 12:10:03.747443 IP 10.x.x.40.41290 > my.qry.DNS.svr.domain: 27945+ A? bro04.....cornell.edu. (46) 12:10:03.747455 IP 10.x.x.40.41290 > my.qry.DNS.svr.domain: 17537+ AAAA? bro04.....cornell.edu. (46) 12:10:03.748134 IP 10.x.x.40.35364 > my.qry.DNS.svr.domain: 22243+ PTR? 51.x.x.10.in-addr.arpa. (43) 12:10:03.748636 IP 10.x.x.40.60315 > my.qry.DNS.svr.domain: 39430+ A? 
bro04.....cornell.edu. (46) 12:10:03.748651 IP 10.x.x.40.60315 > my.qry.DNS.svr.domain: 22738+ AAAA? bro04.....cornell.edu. (46) 12:10:03.749369 IP 10.x.x.40.49802 > my.qry.DNS.svr.domain: 37096+ A? bro04.....cornell.edu. (46) 12:10:03.749383 IP 10.x.x.40.49802 > my.qry.DNS.svr.domain: 23286+ AAAA? bro04.....cornell.edu. (46) 12:10:03.749614 IP 10.x.x.40.53701 > my.qry.DNS.svr.domain: 47669+ PTR? 51.x.x.10.in-addr.arpa. (43) 12:10:03.750352 IP 10.x.x.40.58193 > my.qry.DNS.svr.domain: 5268+ PTR? 51.x.x.10.in-addr.arpa. (43) 12:10:03.750600 IP 10.x.x.40.55879 > my.qry.DNS.svr.domain: 18668+ A? bro04.....cornell.edu. (46) 12:10:03.750623 IP 10.x.x.40.55879 > my.qry.DNS.svr.domain: 11950+ AAAA? bro04.....cornell.edu. (46) 12:10:03.751338 IP 10.x.x.40.60373 > my.qry.DNS.svr.domain: 32904+ PTR? 51.x.x.10.in-addr.arpa. (43) 12:10:03.751357 IP 10.x.x.40.59728 > my.qry.DNS.svr.domain: 56954+ A? bro04.....cornell.edu. (46) 12:10:03.751364 IP 10.x.x.40.59728 > my.qry.DNS.svr.domain: 53353+ AAAA? bro04.....cornell.edu. (46) 12:10:03.752248 IP 10.x.x.40.33341 > my.qry.DNS.svr.domain: 50876+ PTR? 51.x.x.10.in-addr.arpa. (43) 12:10:03.752584 IP 10.x.x.40.34266 > my.qry.DNS.svr.domain: 16089+ A? bro04.....cornell.edu. (46) 12:10:03.752597 IP 10.x.x.40.34266 > my.qry.DNS.svr.domain: 6197+ AAAA? bro04.....cornell.edu. (46) 12:10:03.753338 IP 10.x.x.40.58616 > my.qry.DNS.svr.domain: 11578+ A? bro04.....cornell.edu. (46) 12:10:03.753352 IP 10.x.x.40.58616 > my.qry.DNS.svr.domain: 63678+ AAAA? bro04.....cornell.edu. (46) 12:10:03.753357 IP 10.x.x.40.57539 > my.qry.DNS.svr.domain: 25133+ PTR? 51.x.x.10.in-addr.arpa. (43) 12:10:03.754285 IP 10.x.x.40.52981 > my.qry.DNS.svr.domain: 26244+ PTR? 51.x.x.10.in-addr.arpa. (43) 12:10:03.759197 IP 10.x.x.51.35230 > my.qry.DNS.svr.domain: 9990+ A? bromgr.....cornell.edu. (47) 12:10:03.759216 IP 10.x.x.51.35230 > my.qry.DNS.svr.domain: 54751+ AAAA? bromgr.....cornell.edu. (47) 12:10:03.759681 IP 10.x.x.51.57992 > my.qry.DNS.svr.domain: 43026+ A? 
bromgr.....cornell.edu. (47) 12:10:03.759696 IP 10.x.x.51.57992 > my.qry.DNS.svr.domain: 33534+ AAAA? bromgr.....cornell.edu. (47) 12:10:03.761176 IP 10.x.x.51.54067 > my.qry.DNS.svr.domain: 48957+ A? bromgr.....cornell.edu. (47) 12:10:03.761192 IP 10.x.x.51.54067 > my.qry.DNS.svr.domain: 38309+ AAAA? bromgr.....cornell.edu. (47) 12:10:03.761650 IP 10.x.x.51.41863 > my.qry.DNS.svr.domain: 37965+ A? bromgr.....cornell.edu. (47) 12:10:03.761664 IP 10.x.x.51.41863 > my.qry.DNS.svr.domain: 50855+ AAAA? bromgr.....cornell.edu. (47) 12:10:03.762402 IP 10.x.x.51.49070 > my.qry.DNS.svr.domain: 54157+ A? bromgr.....cornell.edu. (47) 12:10:03.762417 IP 10.x.x.51.49070 > my.qry.DNS.svr.domain: 9601+ AAAA? bromgr.....cornell.edu. (47) 12:10:03.762876 IP 10.x.x.51.58947 > my.qry.DNS.svr.domain: 16445+ A? bromgr.....cornell.edu. (47) 12:10:03.762888 IP 10.x.x.51.58947 > my.qry.DNS.svr.domain: 27359+ AAAA? bromgr.....cornell.edu. (47) 12:10:03.764846 IP 10.x.x.51.50594 > my.qry.DNS.svr.domain: 57165+ A? bromgr.....cornell.edu. (47) 12:10:03.764861 IP 10.x.x.51.50594 > my.qry.DNS.svr.domain: 41316+ AAAA? bromgr.....cornell.edu. (47) 12:10:03.765087 IP 10.x.x.51.54548 > my.qry.DNS.svr.domain: 18341+ A? bromgr.....cornell.edu. (47) 12:10:03.765100 IP 10.x.x.51.54548 > my.qry.DNS.svr.domain: 37025+ AAAA? bromgr.....cornell.edu. (47) 12:10:03.766063 IP 10.x.x.51.44621 > my.qry.DNS.svr.domain: 65369+ A? bromgr.....cornell.edu. (47) 12:10:03.766076 IP 10.x.x.51.44621 > my.qry.DNS.svr.domain: 45376+ AAAA? bromgr.....cornell.edu. (47) 12:10:03.766311 IP 10.x.x.51.39967 > my.qry.DNS.svr.domain: 39162+ A? bromgr.....cornell.edu. (47) 12:10:03.766323 IP 10.x.x.51.39967 > my.qry.DNS.svr.domain: 544+ AAAA? bromgr.....cornell.edu. (47) 12:10:03.766815 IP 10.x.x.51.50759 > my.qry.DNS.svr.domain: 6029+ A? bromgr.....cornell.edu. (47) 12:10:03.766826 IP 10.x.x.51.50759 > my.qry.DNS.svr.domain: 38371+ AAAA? bromgr.....cornell.edu. 
(47) 12:10:03.767067 IP 10.x.x.51.36250 > my.qry.DNS.svr.domain: 29799+ A? bromgr.....cornell.edu. (47) 12:10:03.767075 IP 10.x.x.51.36250 > my.qry.DNS.svr.domain: 43705+ AAAA? bromgr.....cornell.edu. (47) 12:10:03.772217 IP 10.x.x.51.turbonote-2 > my.qry.DNS.svr.domain: 51102+ A? bromgr.....cornell.edu. (47) 12:10:03.772234 IP 10.x.x.51.turbonote-2 > my.qry.DNS.svr.domain: 58726+ AAAA? bromgr.....cornell.edu. (47) 12:10:03.773201 IP 10.x.x.51.57423 > my.qry.DNS.svr.domain: 49984+ A? bromgr.....cornell.edu. (47) 12:10:03.773215 IP 10.x.x.51.57423 > my.qry.DNS.svr.domain: 5415+ AAAA? bromgr.....cornell.edu. (47) 12:10:03.774674 IP 10.x.x.51.40802 > my.qry.DNS.svr.domain: 52135+ A? bromgr.....cornell.edu. (47) 12:10:03.774692 IP 10.x.x.51.40802 > my.qry.DNS.svr.domain: 6449+ AAAA? bromgr.....cornell.edu. (47) 12:10:03.775413 IP 10.x.x.51.58469 > my.qry.DNS.svr.domain: 21302+ A? bromgr.....cornell.edu. (47) 12:10:03.775430 IP 10.x.x.51.58469 > my.qry.DNS.svr.domain: 39236+ AAAA? bromgr.....cornell.edu. (47) 12:10:03.778865 IP 10.x.x.40.52827 > my.qry.DNS.svr.domain: 18965+ A? bro04.....cornell.edu. (46) 12:10:03.778883 IP 10.x.x.40.52827 > my.qry.DNS.svr.domain: 7702+ AAAA? bro04.....cornell.edu. (46) 12:10:03.779106 IP 10.x.x.40.43294 > my.qry.DNS.svr.domain: 15054+ A? bro04.....cornell.edu. (46) 12:10:03.779125 IP 10.x.x.40.43294 > my.qry.DNS.svr.domain: 38280+ AAAA? bro04.....cornell.edu. (46) 12:10:03.788695 IP 10.x.x.51.40628 > my.qry.DNS.svr.domain: 5716+ PTR? 40.x.x.10.in-addr.arpa. (43) 12:10:03.788711 IP 10.x.x.51.46573 > my.qry.DNS.svr.domain: 59506+ PTR? 40.x.x.10.in-addr.arpa. (43) 12:10:03.789664 IP 10.x.x.51.59736 > my.qry.DNS.svr.domain: 47289+ A? bromgr.....cornell.edu. (47) 12:10:03.789930 IP 10.x.x.51.57391 > my.qry.DNS.svr.domain: 6856+ A? bromgr.....cornell.edu. (47) 12:10:03.822605 IP 10.x.x.7.45068 > 132.236.56.250.domain: 6573+ PTR? 42.6.236.132.in-addr.arpa. (43) 12:10:03.823583 IP 10.x.x.7.56369 > 132.236.56.250.domain: 36190+ A? 
dhcp21.astro.cornell.edu. (42) 12:10:03.823597 IP 10.x.x.7.56369 > 132.236.56.250.domain: 14628+ AAAA? dhcp21.astro.cornell.edu. (42) 12:10:03.837826 IP 10.x.x.51.38291 > my.qry.DNS.svr.domain: 39015+ PTR? 40.x.x.10.in-addr.arpa. (43) 12:10:03.837843 IP 10.x.x.51.42630 > my.qry.DNS.svr.domain: 63078+ PTR? 40.x.x.10.in-addr.arpa. (43) 12:10:03.838820 IP 10.x.x.51.60917 > my.qry.DNS.svr.domain: 1081+ A? bromgr.....cornell.edu. (47) 12:10:03.838834 IP 10.x.x.51.49036 > my.qry.DNS.svr.domain: 23098+ A? bromgr.....cornell.edu. (47) 12:10:03.839335 IP 10.x.x.7.40983 > 132.236.56.250.domain: 26481+ PTR? 46.95.236.132.in-addr.arpa. (44) 12:10:03.840052 IP 10.x.x.40.60731 > my.qry.DNS.svr.domain: 33827+ PTR? 51.x.x.10.in-addr.arpa. (43) 12:10:03.840551 IP 10.x.x.7.34008 > 132.236.56.250.domain: 50586+ A? cohen-pc-c7.ccmr.cornell.edu. (46) 12:10:03.840567 IP 10.x.x.7.34008 > 132.236.56.250.domain: 29649+ AAAA? cohen-pc-c7.ccmr.cornell.edu. (46) 12:10:03.841303 IP 10.x.x.40.52858 > my.qry.DNS.svr.domain: 9775+ A? bro04.....cornell.edu. (46) 12:10:03.841772 IP 10.x.x.40.43025 > my.qry.DNS.svr.domain: 613+ PTR? 51.x.x.10.in-addr.arpa. (43) 12:10:03.841773 IP 10.x.x.7.48534 > 132.236.56.250.domain: 29991+ PTR? 53.111.236.132.in-addr.arpa. (45) 12:10:03.842276 IP 10.x.x.40.45059 > my.qry.DNS.svr.domain: 9275+ A? bro04.....cornell.edu. (46) 12:10:03.842294 IP 10.x.x.40.45059 > my.qry.DNS.svr.domain: 46671+ AAAA? bro04.....cornell.edu. (46) 12:10:03.842524 IP 10.x.x.40.53279 > my.qry.DNS.svr.domain: 4222+ A? bro04.....cornell.edu. (46) 12:10:03.843007 IP 10.x.x.7.59759 > 132.236.56.250.domain: 974+ A? asf3.eeb.cornell.edu. (38) 12:10:03.843023 IP 10.x.x.7.59759 > 132.236.56.250.domain: 37254+ AAAA? asf3.eeb.cornell.edu. (38) 12:10:03.843023 IP 10.x.x.40.47678 > my.qry.DNS.svr.domain: 45064+ PTR? 51.x.x.10.in-addr.arpa. (43) 12:10:03.843495 IP 10.x.x.40.48590 > my.qry.DNS.svr.domain: 65027+ A? bro04.....cornell.edu. 
(46) 12:10:03.843509 IP 10.x.x.40.48590 > my.qry.DNS.svr.domain: 5267+ AAAA? bro04.....cornell.edu. (46) 12:10:03.844274 IP 10.x.x.40.36419 > my.qry.DNS.svr.domain: 6892+ A? bro04.....cornell.edu. (46) 12:10:03.844287 IP 10.x.x.40.36419 > my.qry.DNS.svr.domain: 25816+ AAAA? bro04.....cornell.edu. (46) 12:10:03.844473 IP 10.x.x.40.52528 > my.qry.DNS.svr.domain: 37429+ PTR? 51.x.x.10.in-addr.arpa. (43) 12:10:03.844970 IP 10.x.x.40.43843 > my.qry.DNS.svr.domain: 12882+ PTR? 51.x.x.10.in-addr.arpa. (43) 12:10:03.845713 IP 10.x.x.40.37052 > my.qry.DNS.svr.domain: 14575+ A? bro04.....cornell.edu. (46) 12:10:03.845731 IP 10.x.x.40.37052 > my.qry.DNS.svr.domain: 11953+ AAAA? bro04.....cornell.edu. (46) 12:10:03.846207 IP 10.x.x.40.57811 > my.qry.DNS.svr.domain: 40077+ A? bro04.....cornell.edu. (46) 12:10:03.846221 IP 10.x.x.40.57811 > my.qry.DNS.svr.domain: 5841+ AAAA? bro04.....cornell.edu. (46) 12:10:03.846694 IP 10.x.x.40.34806 > my.qry.DNS.svr.domain: 10289+ PTR? 51.x.x.10.in-addr.arpa. (43) 12:10:03.847188 IP 10.x.x.40.57267 > my.qry.DNS.svr.domain: 18490+ PTR? 51.x.x.10.in-addr.arpa. (43) 12:10:03.847686 IP 10.x.x.40.55669 > my.qry.DNS.svr.domain: 16624+ A? bro04.....cornell.edu. (46) 12:10:03.847699 IP 10.x.x.40.55669 > my.qry.DNS.svr.domain: 36023+ AAAA? bro04.....cornell.edu. (46) 12:10:03.848422 IP 10.x.x.40.40645 > my.qry.DNS.svr.domain: 63722+ A? bro04.....cornell.edu. (46) 12:10:03.848436 IP 10.x.x.40.40645 > my.qry.DNS.svr.domain: 55459+ AAAA? bro04.....cornell.edu. (46) 12:10:03.848653 IP 10.x.x.40.48753 > my.qry.DNS.svr.domain: 27893+ PTR? 51.x.x.10.in-addr.arpa. (43) 12:10:03.849142 IP 10.x.x.40.58028 > my.qry.DNS.svr.domain: 17308+ PTR? 51.x.x.10.in-addr.arpa. (43) 12:10:03.849638 IP 10.x.x.40.44698 > my.qry.DNS.svr.domain: 53169+ A? bro04.....cornell.edu. (46) 12:10:03.849654 IP 10.x.x.40.44698 > my.qry.DNS.svr.domain: 49782+ AAAA? bro04.....cornell.edu. (46) 12:10:03.850634 IP 10.x.x.40.33600 > my.qry.DNS.svr.domain: 19761+ PTR? 51.x.x.10.in-addr.arpa. 
(43) 12:10:03.854558 IP 10.x.x.51.53578 > my.qry.DNS.svr.domain: 52226+ A? bromgr.....cornell.edu. (47) 12:10:03.854577 IP 10.x.x.51.53578 > my.qry.DNS.svr.domain: 8934+ AAAA? bromgr.....cornell.edu. (47) 12:10:03.855779 IP 10.x.x.51.48679 > my.qry.DNS.svr.domain: 9470+ A? bromgr.....cornell.edu. (47) 12:10:03.855796 IP 10.x.x.51.48679 > my.qry.DNS.svr.domain: 44248+ AAAA? bromgr.....cornell.edu. (47) 12:10:03.856523 IP 10.x.x.51.52859 > my.qry.DNS.svr.domain: 21737+ A? bromgr.....cornell.edu. (47) 12:10:03.856549 IP 10.x.x.51.52859 > my.qry.DNS.svr.domain: 64247+ AAAA? bromgr.....cornell.edu. (47) 12:10:03.857512 IP 10.x.x.51.43124 > my.qry.DNS.svr.domain: 3080+ A? bromgr.....cornell.edu. (47) 12:10:03.857536 IP 10.x.x.51.43124 > my.qry.DNS.svr.domain: 12351+ AAAA? bromgr.....cornell.edu. (47) 12:10:03.858244 IP 10.x.x.51.52833 > my.qry.DNS.svr.domain: 44240+ A? bromgr.....cornell.edu. (47) 12:10:03.858263 IP 10.x.x.51.52833 > my.qry.DNS.svr.domain: 20148+ AAAA? bromgr.....cornell.edu. (47) 12:10:03.858723 IP 10.x.x.51.56721 > my.qry.DNS.svr.domain: 54876+ A? bromgr.....cornell.edu. (47) 12:10:03.858740 IP 10.x.x.51.56721 > my.qry.DNS.svr.domain: 3205+ AAAA? bromgr.....cornell.edu. (47) 12:10:03.859969 IP 10.x.x.51.51494 > my.qry.DNS.svr.domain: 49380+ A? bromgr.....cornell.edu. (47) 12:10:03.859994 IP 10.x.x.51.51494 > my.qry.DNS.svr.domain: 7729+ AAAA? bromgr.....cornell.edu. (47) 12:10:03.860446 IP 10.x.x.51.43590 > my.qry.DNS.svr.domain: 16571+ A? bromgr.....cornell.edu. (47) 12:10:03.860463 IP 10.x.x.51.43590 > my.qry.DNS.svr.domain: 55305+ AAAA? bromgr.....cornell.edu. (47) 12:10:03.861175 IP 10.x.x.51.46109 > my.qry.DNS.svr.domain: 20706+ A? bromgr.....cornell.edu. (47) 12:10:03.861190 IP 10.x.x.51.46109 > my.qry.DNS.svr.domain: 63002+ AAAA? bromgr.....cornell.edu. (47) 12:10:03.861667 IP 10.x.x.51.45579 > my.qry.DNS.svr.domain: 25003+ A? bromgr.....cornell.edu. (47) 12:10:03.861679 IP 10.x.x.51.45579 > my.qry.DNS.svr.domain: 47837+ AAAA? 
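The storm the DNS admin described (forward and reverse lookups of the cluster's own nodes, in bursts) can be checked for directly in tcpdump output of the shape appended above. The script below is an added example for this thread, not code from Bro or from anyone on the list; its sample lines, the resolver name and the cluster map are constructed placeholders in the same format as the original sample.

```python
"""Summarize tcpdump DNS query lines such as the sample in the report above.

Added example for this thread, not code from Bro or from the list.  The
SAMPLE lines, the resolver name and the CLUSTER map are constructed
placeholders in the same shape as the original sample.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# tcpdump prints each query as:
#   HH:MM:SS.usec IP <src>.<sport> > <resolver>.domain: <id>+ <TYPE>? <name> (<len>)
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) IP (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.domain: (?P<qid>\d+)\+ (?P<qtype>[A-Z]+)\? (?P<qname>\S+) \(\d+\)$"
)

# Constructed sample: two cluster nodes resolving each other within one
# second, plus one unrelated client query in the following second.
SAMPLE = """\
12:10:03.861922 IP 10.x.x.51.46319 > resolver.domain: 2963+ A? bromgr.example.edu. (47)
12:10:03.861946 IP 10.x.x.51.46319 > resolver.domain: 48147+ AAAA? bromgr.example.edu. (47)
12:10:03.862422 IP 10.x.x.51.54475 > resolver.domain: 6157+ A? bromgr.example.edu. (47)
12:10:03.862431 IP 10.x.x.51.54475 > resolver.domain: 46662+ AAAA? bromgr.example.edu. (47)
12:10:03.877644 IP 10.x.x.51.47550 > resolver.domain: 53969+ PTR? 40.x.x.10.in-addr.arpa. (43)
12:10:03.872010 IP 10.x.x.40.38419 > resolver.domain: 31280+ A? bro04.example.edu. (46)
12:10:03.872026 IP 10.x.x.40.38419 > resolver.domain: 10319+ AAAA? bro04.example.edu. (46)
12:10:03.928283 IP 10.x.x.40.55186 > resolver.domain: 61808+ PTR? 51.x.x.10.in-addr.arpa. (43)
12:10:04.500000 IP 10.x.x.9.40001 > resolver.domain: 1000+ A? www.example.com. (33)
"""

# Constructed hostname -> address map of the monitored cluster nodes.
CLUSTER = {"bromgr.example.edu.": "10.x.x.51", "bro04.example.edu.": "10.x.x.40"}


def parse_line(line):
    """Return a dict for one tcpdump DNS query line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%H:%M:%S.%f")
    return rec


def parse(text):
    return [r for r in map(parse_line, text.splitlines()) if r is not None]


def per_source_summary(records):
    """Per querying host: total queries, counts by type, distinct names, and
    the number of A+AAAA pairs sent from one source port (the shape of a
    dual-stack getaddrinfo() lookup, one per name a client resolves)."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r)
    summary = {}
    for src, recs in by_src.items():
        types_per_port = defaultdict(set)
        for r in recs:
            types_per_port[r["sport"]].add(r["qtype"])
        summary[src] = {
            "total": len(recs),
            "by_type": dict(Counter(r["qtype"] for r in recs)),
            "names": sorted({r["qname"] for r in recs}),
            "dual_stack_lookups": sum(1 for t in types_per_port.values() if {"A", "AAAA"} <= t),
        }
    return summary


def reverse_name(ip):
    """in-addr.arpa name for a dotted address (also works on the x-masked form)."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def cluster_self_lookups(records, cluster):
    """Count (src, qname) pairs whose name is a cluster node's forward name or
    the reverse of its address, i.e. the nodes looking up each other."""
    targets = set(cluster) | {reverse_name(ip) for ip in cluster.values()}
    return Counter((r["src"], r["qname"]) for r in records if r["qname"] in targets)


def bursts(records, per_second_threshold):
    """(src, second, count) for every one-second bucket at or over the threshold."""
    buckets = Counter((r["src"], r["ts"].replace(microsecond=0)) for r in records)
    return sorted((src, t.time().isoformat(), n)
                  for (src, t), n in buckets.items() if n >= per_second_threshold)


if __name__ == "__main__":
    recs = parse(SAMPLE)
    for src, s in sorted(per_source_summary(recs).items()):
        print(src, s)
    print("cluster self-lookups:", dict(cluster_self_lookups(recs, CLUSTER)))
    print("bursts:", bursts(recs, per_second_threshold=4))
```

Run it against a real capture with `tcpdump -l -i <iface> udp port 53 | python3 this.py`-style piping after swapping SAMPLE for `sys.stdin.read()`; a host whose self-lookup count climbs every five minutes is the one whose ssh or cron behaviour to look at.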
From jazoff at illinois.edu Sat Sep 3 09:00:25 2016
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Sat, 3 Sep 2016 16:00:25 +0000
Subject: [Bro] "broctl cron" running every 5 mins, and side effects
In-Reply-To:
References:
Message-ID: <1F5FE9FA-0F05-4D2B-9285-8377176347FD@illinois.edu>

> On Sep 2, 2016, at 9:35 AM, Glenn Forbes Fleming Larratt wrote:
>
> Can anyone comment on what "broctl cron" is actually doing?
>
> My DNS admin reported to me that, at 5-minute intervals, my six bro hosts
> (1x manager+proxy, 5 workers) are spewing DNS queries in the thousands,
> all forward and reverse lookups of themselves and each other (sample
> appended). It *seems* to be correlated in time with the running of "broctl
> cron".
>

broctl cron primarily checks up on the workers via ssh. Are you using a bro version earlier than 2.4? 2.4 will make one connection per worker box; before that it made one connection for each worker process.

What you are seeing looks like bro < 2.4 plus ssh having UseDns or VerifyReverseMapping enabled.

It's also interesting that bro01 is not one of the names in the output, and bro05 appears 5% as often as 2,3,4 are.

In general you should be running a local caching resolver (unbound, dnsmasq, etc). Things run better across the board when you are caching dns responses locally and not going out to the network for every lookup.

--
- Justin Azoff

From sebclaut at gmail.com Tue Sep 6 06:44:32 2016
From: sebclaut at gmail.com (clautos)
Date: Tue, 6 Sep 2016 15:44:32 +0200
Subject: [Bro] loading modules and automatically using custom scripts
Message-ID:

Hello,

I have 2 questions:

1) how to load custom scripts in the core of Bro?
2) is the extract files script different because it's not in the "policy" folder?

I'm trying to understand how Bro custom scripts work. As far as I understand, custom scripts are supposed to go in the "policy" section, and then are called from the local.bro script.
To test this behavior I created a script that flags every DNS query. It just generates a notice and logs it. I run bro on my nslookups pcap (specifying the dns logger script in the command line) and it works, but when I add:

@load dummy/dummy-dns

to local.bro and just run bro without specifying the additional file I see no notice.log file. (my script is in the folder /opt/bro/share/bro/policy/dummy that I created for the occasion)

Then my problem is with extracting files; my local.bro contains:

@load file-extraction/extract

(in the folder /opt/bro/share/bro) and it doesn't extract files if I just run bro without specifying the script in the command line. broctl scripts shows my scripts so I thought they were used now by the bro instance but nothing. It doesn't log the files I download, it doesn't notice me when I do a DNS query. How to do that in Bro and use custom script by default for all the incoming traffic?

From seth at icir.org Tue Sep 6 07:31:18 2016
From: seth at icir.org (Seth Hall)
Date: Tue, 6 Sep 2016 10:31:18 -0400
Subject: [Bro] Bro connections v. NetFlow
In-Reply-To: <8cc4de3fac7bc6a73f568a862218ab43@localhost>
References: <8350146BADDCE04480B969B36967473D13F090CB@ZEUS.olympus.dataline.co.uk> <8cc4de3fac7bc6a73f568a862218ab43@localhost>
Message-ID: <00D8E5E2-68FC-499D-A381-0BADF13FE961@icir.org>

> On Sep 2, 2016, at 6:57 PM, James Lay wrote:
>
> const default_durations = Durations(10min, 30min, 1hr, 12hr, 24hrs,
> 3days) &redef;
>
> I'd like to see an example of redef'ing this to a different time.

redef LongConnection::default_durations = LongConnection::Durations(30sec, 1min, 1hr, 10hrs, 1day);

> Also, a whitelist of IP's not to be included would be next.
I have a lot of > use cases...truth be told I'm "kind of" doing something similar with > grep/sed/awk and the current conn_log for tracking "unusual" long > sessions. Except that you unfortunately aren't seeing connections "live" before the connection has completed. > For example, a netblock, say 172.16.1.0/24 is dedicated to > VPN connections, which I expect to be longer as they are a constant > session, so i'd want to ignore those in my conn_long file. Ah, interesting point. It sort of sounds like you're starting to use the log for detection with this change though. Are you sure you want to do that? Would it make more sense if we added some other behavior that actually detected something that you're interested in? Alternately you could use a logging filter that filters out connections involving the hosts on your VPN. Here's one you can start with.... const ignore_for_long_connections: set[subnet] &redef; event bro_init() { local filt = Log::get_filter(LongConnection::LOG, "default"); filt$pred = function(rec: Conn::Info): bool { return rec$id$orig_h !in ignore_for_long_connections && rec$id$resp_h !in ignore_for_long_connections; }; Log::add_filter(LongConnection::LOG, filt); } .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro.org/ From jlay at slave-tothe-box.net Tue Sep 6 08:23:07 2016 From: jlay at slave-tothe-box.net (James Lay) Date: Tue, 06 Sep 2016 09:23:07 -0600 Subject: [Bro] Bro connections v. 
NetFlow In-Reply-To: <00D8E5E2-68FC-499D-A381-0BADF13FE961@icir.org> References: <8350146BADDCE04480B969B36967473D13F090CB@ZEUS.olympus.dataline.co.uk> <8cc4de3fac7bc6a73f568a862218ab43@localhost> <00D8E5E2-68FC-499D-A381-0BADF13FE961@icir.org> Message-ID: <3710897efb39428ceb55fc78b6b74617@localhost> On 2016-09-06 08:31, Seth Hall wrote: >> On Sep 2, 2016, at 6:57 PM, James Lay >> wrote: >> >> const default_durations = Durations(10min, 30min, 1hr, 12hr, 24hrs, >> 3days) &redef; >> >> I'd like to see an example of redefing this to a different time. > > redef LongConnection::default_durations = > LongConnection::Durations(30sec, 1min, 1hr, 10hrs, 1day); > >> Also, a whitelist of IP's not to be included would be next. I have a >> lot of >> use cases...truth be told I'm "kind of" doing something similar with >> grep/sed/awk and the current conn_log for tracking "unusual" long >> sessions. > > Except that you unfortunately aren't seeing connections "live" before > the connection has completed. > >> For example, a netblock, say 172.16.1.0/24 is dedicated to >> VPN connections, which I expect to be longer as they are a constant >> session, so i'd want to ignore those in my conn_long file. > > Ah, interesting point. It sort of sounds like you're starting to use > the log for detection with this change though. Are you sure you want > to do that? Would it make more sense if we added some other behavior > that actually detected something that you're interested in? > Alternately you could use a logging filter that filters out > connections involving the hosts on your VPN. Here's one you can start > with.... 
>
> const ignore_for_long_connections: set[subnet] &redef;
> event bro_init()
> 	{
> 	local filt = Log::get_filter(LongConnection::LOG, "default");
> 	filt$pred = function(rec: Conn::Info): bool
> 		{
> 		return rec$id$orig_h !in ignore_for_long_connections &&
> 		       rec$id$resp_h !in ignore_for_long_connections;
> 		};
> 	Log::add_filter(LongConnection::LOG, filt);
> 	}
>
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/

Ah there you go...yea a logging filter would be best...I'll give that a whirl in my test environment. And in this case I'm really interested in sessions that are over a certain time, possibly over longer than a day, and at a very small throughput (can you say data exfiltration?). So I have a subset of internal IP's that are known to have long sessions..anything else I wanna see.

Thanks again Seth!

James

From newfire.bw at gmail.com Wed Sep 7 06:44:19 2016
From: newfire.bw at gmail.com (Bowen Li)
Date: Wed, 7 Sep 2016 21:44:19 +0800
Subject: [Bro] cluster manager crash
Message-ID:

Hi all,

I have an issue about cluster manager crash when lots of log events are sent to it. I set up a bro cluster on my server, the cluster has 32 workers and 1 proxy and handles about 5Gb/s. After running about one and a half hours, the cluster no longer produces logs, but workers still extract files. So it seems that the manager crashed. Is there any possibility that the manager doesn't work anymore when workers send lots of log events? If so, what's the limit of the log events? Or maybe the issue won't happen if I run a real cluster on several servers?

By the way, if I want to handle 10Gb/s, how much memory should I leave for each worker? If I do memory usage restrictions, will it affect the performance of the cluster?

Any insight would be helpful.

-------------- next part --------------
An HTML attachment was scrubbed...
From brot212 at googlemail.com Wed Sep 7 08:55:22 2016
From: brot212 at googlemail.com (Dane Wullen)
Date: Wed, 7 Sep 2016 17:55:22 +0200
Subject: [Bro] IDE/Editor for Bro
Message-ID: <5da61f43-8677-595f-7bfb-4c15fa31b0b6@googlemail.com>

Hi there,

I've looked through the mailing list archive but couldn't find a thread for this.

I want to write Bro-Scripts, is there any good IDE / Editor which you could recommend me? Maybe some IDE with syntax highlighting or even a kind of Intellisense (I've written some Java and C++ programs and I liked working with features like this... :-) )

Thank you!

From bmixonb1 at cs.unm.edu Wed Sep 7 09:03:18 2016
From: bmixonb1 at cs.unm.edu (Ben Mixon-Baca)
Date: Wed, 7 Sep 2016 10:03:18 -0600
Subject: [Bro] IDE/Editor for Bro
In-Reply-To: <5da61f43-8677-595f-7bfb-4c15fa31b0b6@googlemail.com>
References: <5da61f43-8677-595f-7bfb-4c15fa31b0b6@googlemail.com>
Message-ID:

I use emacs and installed bro-mode from github here:

https://github.com/srunnels/bro-mode

It seems to do an OK job on handling Bro syntax.

On 09/07/2016 09:55 AM, Dane Wullen wrote:
> Hi there,
>
> I've looked through the mailing list archive but couldn't find a thread
> for this.
>
> I want to write Bro-Scripts, is there any good IDE / Editor which you
> could recommend me? Maybe some IDE with syntax highlighting or even a
> kind of Intellisense (I've written some Java and C++ programs and I
> liked working with features like this... :-) )
>
> Thank you!
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>

-- 
Ben

-------------- next part --------------
A non-text attachment was scrubbed...
From dhoelzer at enclaveforensics.com Wed Sep 7 09:14:48 2016
From: dhoelzer at enclaveforensics.com (David Hoelzer)
Date: Wed, 7 Sep 2016 16:14:48 +0000
Subject: [Bro] IDE/Editor for Bro
In-Reply-To: <5da61f43-8677-595f-7bfb-4c15fa31b0b6@googlemail.com>
References: <5da61f43-8677-595f-7bfb-4c15fa31b0b6@googlemail.com>
Message-ID: <01000157056e2bd4-a7064e4a-91bb-4eb7-b02c-4e9db9a830f0-000000@email.amazonses.com>

Someone has also published a Sublime markup addon for Bro. I can't remember who...

-----Original Message-----
From: [mailto:bro-bounces at bro.org] On Behalf Of Dane Wullen
Sent: Wednesday, September 7, 2016 11:55 AM
To: bro at bro.org
Subject: [Bro] IDE/Editor for Bro

Hi there,

I've looked through the mailing list archive but couldn't find a thread for this.

I want to write Bro-Scripts, is there any good IDE / Editor which you could recommend me? Maybe some IDE with syntax highlighting or even a kind of Intellisense (I've written some Java and C++ programs and I liked working with features like this... :-) )

Thank you!

From jan.grashoefer at gmail.com Wed Sep 7 09:38:26 2016
From: jan.grashoefer at gmail.com (Jan Grashöfer)
Date: Wed, 7 Sep 2016 18:38:26 +0200
Subject: [Bro] IDE/Editor for Bro
In-Reply-To: <01000157056e2bd4-a7064e4a-91bb-4eb7-b02c-4e9db9a830f0-000000@email.amazonses.com>
References: <5da61f43-8677-595f-7bfb-4c15fa31b0b6@googlemail.com> <01000157056e2bd4-a7064e4a-91bb-4eb7-b02c-4e9db9a830f0-000000@email.amazonses.com>
Message-ID: <05b0ace2-7a25-af38-80e6-1c75484e6d28@gmail.com>

> Someone has also published a Sublime markup addon for Bro. I can't remember who...
There is a syntax highlighting definition for sublime and vim:

https://github.com/bro/bro-sublime
https://github.com/mephux/bro.vim

And there has been a discussion on the list:
http://mailman.icsi.berkeley.edu/pipermail/bro/2013-April/005663.html

Best regards,
Jan

From dopheide at gmail.com Wed Sep 7 09:38:53 2016
From: dopheide at gmail.com (Mike Dopheide)
Date: Wed, 7 Sep 2016 11:38:53 -0500
Subject: [Bro] IDE/Editor for Bro
In-Reply-To: <01000157056e2bd4-a7064e4a-91bb-4eb7-b02c-4e9db9a830f0-000000@email.amazonses.com>
References: <5da61f43-8677-595f-7bfb-4c15fa31b0b6@googlemail.com> <01000157056e2bd4-a7064e4a-91bb-4eb7-b02c-4e9db9a830f0-000000@email.amazonses.com>
Message-ID:

I think originally it was Liam, but it looks like it may have had some updates since then and got pulled into the main repo?:

https://github.com/bro/bro-sublime

-Dop

On Wed, Sep 7, 2016 at 11:14 AM, David Hoelzer <dhoelzer at enclaveforensics.com> wrote:

> Someone has also published a Sublime markup addon for Bro. I can't
> remember who...
>
> -----Original Message-----
> From: [mailto:bro-bounces at bro.org] On Behalf Of Dane Wullen
> Sent: Wednesday, September 7, 2016 11:55 AM
> To: bro at bro.org
> Subject: [Bro] IDE/Editor for Bro
>
> Hi there,
>
> I've looked through the mailing list archive but couldn't find a thread
> for this.
>
> I want to write Bro-Scripts, is there any good IDE / Editor which you
> could recommend me? Maybe some IDE with syntax highlighting or even a kind
> of Intellisense (I've written some Java and C++ programs and I liked
> working with features like this... :-) )
>
> Thank you!
>

-------------- next part --------------
An HTML attachment was scrubbed...
From seth at icir.org Wed Sep 7 12:32:59 2016
From: seth at icir.org (Seth Hall)
Date: Wed, 7 Sep 2016 15:32:59 -0400
Subject: [Bro] IDE/Editor for Bro
In-Reply-To:
References: <5da61f43-8677-595f-7bfb-4c15fa31b0b6@googlemail.com> <01000157056e2bd4-a7064e4a-91bb-4eb7-b02c-4e9db9a830f0-000000@email.amazonses.com>
Message-ID: <8681F2B5-3D54-42D6-A78E-360FDED4038B@icir.org>

> On Sep 7, 2016, at 12:38 PM, Mike Dopheide wrote:
>
> I think originally it was Liam, but it looks like it may have had some updates since then and got pulled into the main repo?:
>
> https://github.com/bro/bro-sublime

That was created by a former intern at ICSI (Christian Struck) and then little updates by me. That's also the repository that github uses for syntax highlighting fwiw. If anyone finds any highlighting issues it would be great to get patches into that repo to generally improve Bro syntax highlighting on github (and in my editor!).

.Seth

-- 
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From seth at icir.org Wed Sep 7 12:43:04 2016
From: seth at icir.org (Seth Hall)
Date: Wed, 7 Sep 2016 15:43:04 -0400
Subject: [Bro] High orig_bytes value
In-Reply-To:
References:
Message-ID: <378371F2-AABC-407A-903D-B64B9F55233B@icir.org>

> On Aug 29, 2016, at 1:01 PM, Danilo Nicolò wrote:
>
> I'm testing Bro 2.5 beta with netmap, and I noticed this row:
>
> {"ts":1472467151.681244,"uid":"CgoIaB3GxSCIEgWea7","id.orig_h":"192.168.181.107","id.orig_p":11328,"id.resp_h":"172.16.1.60","id.resp_p":9997,"proto":"tcp","duration":0.362595,"orig_bytes":4294967296,"resp_bytes":4294967296,"conn_state":"SF","local_resp":true,"missed_bytes":1168863602,"history":"ShAFFff","orig_pkts":7,"orig_ip_bytes":292,"resp_pkts":4,"resp_ip_bytes":184,"tunnel_parents":[],"local_origi":"T4","local_respo":"T4"}

Unfortunately you haven't given enough information to debug this problem. I haven't heard of a problem like this with netmap.

Although, I can say that it would be possible to cause a Bro log to look like that if two systems on the network were out to mess with you. Those large numbers are calculated by doing tcp sequence ID tracking. If you look at the orig_ip_bytes and resp_ip_bytes fields, you can see those are much smaller because they are actually calculated from the byte size of packets seen.

Are you seeing this regularly, or was this a one-off? Are you running packet-bricks or lb on top of netmap or do you have Bro connecting to a netmap interface directly? Are you using the netmap libpcap wrappers or are you using the netmap plugin?

.Seth

-- 
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From hckim at narusec.com Wed Sep 7 18:00:27 2016
From: hckim at narusec.com (김희철)
Date: Thu, 8 Sep 2016 10:00:27 +0900
Subject: [Bro] loading modules and automatically using custom scripts (clautos)
Message-ID:

1) how to load custom scripts in the core of Bro ?

custom scripts are saved in ~prefix-DIR/share/bro/site
if you upgrade bro, it won't be deleted

https://www.bro.org/sphinx/quickstart/#deployment-customization

2) is the extract files script different because it's not in the "policy" folder ?
for file extraction I used
https://github.com/hosom/bro-file-extraction

-- 
------------------------------------------------------
Hichul Kim (김희철)
Naru Security

From derek.ditch at criticalstack.com Wed Sep 7 19:26:13 2016
From: derek.ditch at criticalstack.com (Ditch, Derek)
Date: Thu, 8 Sep 2016 02:26:13 +0000
Subject: [Bro] IDE/Editor for Bro
In-Reply-To: <05b0ace2-7a25-af38-80e6-1c75484e6d28@gmail.com>
References: <5da61f43-8677-595f-7bfb-4c15fa31b0b6@googlemail.com> <01000157056e2bd4-a7064e4a-91bb-4eb7-b02c-4e9db9a830f0-000000@email.amazonses.com> <05b0ace2-7a25-af38-80e6-1c75484e6d28@gmail.com>
Message-ID:

I'd add that Atom also has a Bro language definition that was converted from Seth's TextMate bundle:

https://atom.io/packages/language-bro

-- 
Derek Ditch
derek.ditch at criticalstack.com
Security Eng & App Security
Critical Stack, a member of Capital One
From dani.nicolo at gmail.com Thu Sep 8 01:57:05 2016
From: dani.nicolo at gmail.com (Danilo Nicolò)
Date: Thu, 8 Sep 2016 10:57:05 +0200
Subject: [Bro] High orig_bytes value
In-Reply-To: <378371F2-AABC-407A-903D-B64B9F55233B@icir.org>
References: <378371F2-AABC-407A-903D-B64B9F55233B@icir.org>
Message-ID:

Hello,

Sorry for short information.
I'm using Packet-bricks + Bro (2.5) + Netmap (plugin)

Yesterday I removed Packet-bricks from the chain and the problem was solved. So in some way packet-bricks will cause that problem in my network (regularly).

I was using git version of packet-bricks in this way:

Eth0 --\
Eth1 ------ Merge -> Slot -> LoadBalance ----- Slot -> Bro worker #1
Eth2 ---/                                  \--- Slot -> Bro worker #2
Eth3 --/

Should I take the orig_ip_bytes instead of orig_bytes to have more reliability?

Thanks for your suggestions

2016-09-07 21:43 GMT+02:00 Seth Hall :

>
> > On Aug 29, 2016, at 1:01 PM, Danilo Nicolò
> > wrote:
> >
> > I'm testing Bro 2.5 beta with netmap, and I noticed this row:
> >
> > {"ts":1472467151.681244,"uid":"CgoIaB3GxSCIEgWea7","id.orig_h":"192.168.181.107","id.orig_p":11328,"id.resp_h":"172.16.1.60","id.resp_p":9997,"proto":"tcp","duration":0.362595,"orig_bytes":4294967296,"resp_bytes":4294967296,"conn_state":"SF","local_resp":true,"missed_bytes":1168863602,"history":"ShAFFff","orig_pkts":7,"orig_ip_bytes":292,"resp_pkts":4,"resp_ip_bytes":184,"tunnel_parents":[],"local_origi":"T4","local_respo":"T4"}
>
> Unfortunately you haven't given enough information to debug this problem.
> I haven't heard of a problem like this with netmap.
>
> Although, I can say that it would be possible to cause a Bro log to look like
> that if two systems on the network were out to mess with you. Those large
> numbers are calculated by doing tcp sequence ID tracking. If you look at
> the orig_ip_bytes and resp_ip_bytes fields, you can see those are much
> smaller because they are actually calculated from the byte size of packets
> seen.
>
> Are you seeing this regularly, or was this a one-off? Are you running
> packet-bricks or lb on top of netmap or do you have Bro connecting to a
> netmap interface directly? Are you using the netmap libpcap wrappers or
> are you using the netmap plugin?
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>

From sebclaut at gmail.com Thu Sep 8 02:49:54 2016
From: sebclaut at gmail.com (clautos)
Date: Thu, 8 Sep 2016 11:49:54 +0200
Subject: [Bro] loading modules and automatically using custom scripts (clautos)
In-Reply-To:
References:
Message-ID:

Ok thanks for the update.

I have tested the two following modules to extract files (the paths are the ones I have with SecurityOnion):

- /opt/bro/share/bro/file-extraction/extract.bro that gives me files in the /nsm/bro/extracted folder
- /opt/bro/share/bro/policy/frameworks/files/extract-all-files.bro (and the md5sum is generated in my files.log) that saves me files in the /nsm/bro/spool/test-seconion-eth0-1/extract_files folder.

I encounter a very problematic issue:

When I download the winrar installer (.exe) I get it correctly extracted (md5sums match) in both output folders (via HTTP)
When I download Firefox installer (.exe) I get nothing (it's via HTTPS so I suppose it's the reason why)
When I download audacity (.exe) through HTTP, I get an incorrect .exe file. The original file has a size of 26.5 MB and what I collect in my "extract_files" folder has a size of 1.4 kB. Obviously the md5sums mismatch.
For the moment I can't trust what I get with Bro since the md5 mismatch, if I download a malware how can I be sure that I'll get it and be able to submit it to VT for an accurate analysis?

ps: I'll try the scripts you sent me and hope the files will be extracted correctly

2016-09-08 3:00 GMT+02:00 김희철 :

> 1) how to load custom scripts in the core of Bro ?
>
> custom scripts are saved in ~prefix-DIR/share/bro/site
> if you upgrade bro, it won't be deleted
>
> https://www.bro.org/sphinx/quickstart/#deployment-customization
>
> 2) is the extract files script different because it's not in the "policy"
> folder ?
>
> for file extraction I used
> https://github.com/hosom/bro-file-extraction
>
> --
> ------------------------------------------------------
> Hichul Kim (김희철)
> Naru Security
>

From seth at icir.org Thu Sep 8 06:49:23 2016
From: seth at icir.org (Seth Hall)
Date: Thu, 8 Sep 2016 09:49:23 -0400
Subject: [Bro] High orig_bytes value
In-Reply-To:
References: <378371F2-AABC-407A-903D-B64B9F55233B@icir.org>
Message-ID:

> On Sep 8, 2016, at 4:57 AM, Danilo Nicolò wrote:
>
> Sorry for short information.
> I'm using Packet-bricks + Bro (2.5) + Netmap (plugin)

Thanks for the explanation of what you're doing, that's helpful.

> Yesterday I removed Packet-bricks from the chain and the problem was solved.

That's good to know.

> Eth0 --\
>
> Eth1 ------ Merge -> Slot -> LoadBalance ----- Slot -> Bro worker #1
>
> Eth2 ---/                                  \--- Slot -> Bro worker #2
>
> Eth3 --/

Have you tried just sniffing a single interface and doing load balancing? Could you send the script you're running in packet-bricks?

.Seth

-- 
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From seth at icir.org Thu Sep 8 07:05:11 2016
From: seth at icir.org (Seth Hall)
Date: Thu, 8 Sep 2016 10:05:11 -0400
Subject: [Bro] loading modules and automatically using custom scripts (clautos)
In-Reply-To:
References:
Message-ID:

> On Sep 8, 2016, at 5:49 AM, clautos wrote:
>
> When I download audacity (.exe) through HTTP, I get an incorrect .exe file. The original file has a size of 26.5 MB and what I collect in my "extract_files" folder has a size of 1.4 kB. Obviously the md5sums mismatch.

It's very possible that you encountered packet loss. You can either look at the "missed_bytes" field in conn.log or the "missing_bytes" field in the files.log. If either of those aren't zero, then you probably dropped packets.

Damn, now that I look at those field names, we ended up naming them unfortunately different.

.Seth

-- 
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From pkelley at hyperionavenue.com Thu Sep 8 13:14:39 2016
From: pkelley at hyperionavenue.com (Patrick Kelley)
Date: Thu, 8 Sep 2016 13:14:39 -0700
Subject: [Bro] IDE/Editor for Bro
In-Reply-To: <8681F2B5-3D54-42D6-A78E-360FDED4038B@icir.org>
References: <5da61f43-8677-595f-7bfb-4c15fa31b0b6@googlemail.com> <01000157056e2bd4-a7064e4a-91bb-4eb7-b02c-4e9db9a830f0-000000@email.amazonses.com> <8681F2B5-3D54-42D6-A78E-360FDED4038B@icir.org>
Message-ID:

Atom is pretty solid and has bro recognition. Free doesn't hurt, either.

On Wed, Sep 7, 2016 at 12:32 PM, Seth Hall wrote:

>
> > On Sep 7, 2016, at 12:38 PM, Mike Dopheide wrote:
> >
> > I think originally it was Liam, but it looks like it may have had some
> updates since then and got pulled into the main repo?:
> >
> > https://github.com/bro/bro-sublime
>
> That was created by a former intern at ICSI (Christian Struck) and then
> little updates by me. That's also the repository that github uses for
> syntax highlighting fwiw. If anyone finds any highlighting issues it would
> be great to get patches into that repo to generally improve Bro syntax
> highlighting on github (and in my editor!).
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>

-- 
Patrick Kelley
Hyperion Avenue Labs
http://www.hyperionavenue.com
951.291.8310

*The limit to which you have accepted being comfortable is the limit to which you have grown. Accept new challenges as an opportunity to enrich yourself and not as a point of potential failure.*

From jazoff at illinois.edu Thu Sep 8 18:35:26 2016
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Fri, 9 Sep 2016 01:35:26 +0000
Subject: [Bro] IDE/Editor for Bro
In-Reply-To:
References: <5da61f43-8677-595f-7bfb-4c15fa31b0b6@googlemail.com> <01000157056e2bd4-a7064e4a-91bb-4eb7-b02c-4e9db9a830f0-000000@email.amazonses.com> <8681F2B5-3D54-42D6-A78E-360FDED4038B@icir.org>
Message-ID:

On Sep 8, 2016, at 4:14 PM, Patrick Kelley wrote:

> Atom is pretty solid and has bro recognition. Free doesn't hurt, either.

Oh! Speaking of atom.. I had written a plugin for linter to parse the bro -a output... Apparently it was completely broken after not being updated for a year, but I just re-wrote it from scratch and published it to the atom package site:

https://atom.io/packages/linter-bro

With it installed atom will tell you when you save a bro script that has errors in it.

Install linter and linter-bro through the GUI or just run "apm install linter linter-bro".

-- 
- Justin Azoff

From 478682649 at qq.com Fri Sep 9 02:12:44 2016
From: 478682649 at qq.com (XU Guo)
Date: Fri, 9 Sep 2016 17:12:44 +0800
Subject: [Bro] proxy and worker
Message-ID:

Hi all,

I have an issue about proxy and worker. Here is my cluster configuration:

[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost

[worker-1]
type=worker
host=localhost
interface=ens512f1
lb_method=pf_ring
lb_procs=8
pin_cpus=0,1,2,3,4,5,6,7

[worker-2]
type=worker
host=localhost
interface=ens512f1
lb_method=pf_ring
lb_procs=8
pin_cpus=8,9,10,11,12,13,14,15

[worker-3]
type=worker
host=localhost
interface=ens512f1
lb_method=pf_ring
lb_procs=8
pin_cpus=16,17,18,19,20,21,22,23

[worker-4]
type=worker
host=localhost
interface=ens512f1
lb_method=pf_ring
lb_procs=4
pin_cpus=24,25,26,27,28,29,30,31

If I run all threads on a single worker like this:

[worker]
type=worker
host=localhost
interface=ens512f1
lb_method=pf_ring
lb_procs=32
pin_cpus=0,1,2,3,4,5,6,....31

What's the difference between all threads on a single worker vs threads on multiple workers?
When I use threads on multiple workers on a single server, is there any difference between one and multiple proxies?

Any insight would be helpful.

Xu Guo

From sebclaut at gmail.com Fri Sep 9 03:49:15 2016
From: sebclaut at gmail.com (clautos)
Date: Fri, 9 Sep 2016 12:49:15 +0200
Subject: [Bro] loading modules and automatically using custom scripts (clautos)
In-Reply-To:
References:
Message-ID:

Ok so I tried something. I downloaded audacity, notepad++, 7zip (in HTTP from filehippo not from the official sites to make sure it's HTTP download).
I captured the download with wireshark, and I found the PE in the pcap, even with bro -r extract_file.
When I just load the extract_file plugin and download my exe files, the extracted files are incomplete (they are much smaller than the real ones).
In addition to that, I suspected that it might have been caused by the -C option but even without this option, my bro -r pcapfile.pcap extract_file module could extract the whole executable.
In interactive mode though, I don't extract the whole executable.

tldr: The live capture doesn't extract the whole file but the bro -r pcapfile.pcap path/extract_file does work

2016-09-08 16:05 GMT+02:00 Seth Hall :

>
> > On Sep 8, 2016, at 5:49 AM, clautos wrote:
> >
> > When I download audacity (.exe) through HTTP, I get an incorrect .exe
> file. The original file has a size of 26.5 MB and what I collect in my
> "extract_files" folder has a size of 1.4 kB. Obviously the md5sums mismatch.
>
> It's very possible that you encountered packet loss. You can either look
> at the "missed_bytes" field in conn.log or the "missing_bytes" field in the
> files.log. If either of those aren't zero, then you probably dropped
> packets.
>
> Damn, now that I look at those field names, we ended up naming them
> unfortunately different.
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>

From sebclaut at gmail.com Fri Sep 9 04:02:07 2016
From: sebclaut at gmail.com (clautos)
Date: Fri, 9 Sep 2016 13:02:07 +0200
Subject: [Bro] loading modules and automatically using custom scripts (clautos)
In-Reply-To:
References:
Message-ID:

Ok so I added the -C option to my brocfg and it works now. I got abused by my tests. My bro installation does not check the checksums at all and I can capture all the files correctly.

2016-09-09 12:49 GMT+02:00 clautos :

> Ok so I tried something. I downloaded audacity, notepad++, 7zip (in HTTP
> from filehippo not from the official sites to make sure it's HTTP download).
> I captured the download with wireshark, and I found the PE in the pcap,
> even with bro -r extract_file.
> When I just load the extract_file plugin and download my exe files, the
> extracted files are incomplete (they are much smaller than the real ones).
> In addition to that, I suspected that it might have been caused by the -C
> option but even without this option, my bro -r pcapfile.pcap extract_file
> module could extract the whole executable.
> In interactive mode though, I don't extract the whole executable.
>
> tldr: The live capture doesn't extract the whole file but the bro -r
> pcapfile.pcap path/extract_file does work
>
> 2016-09-08 16:05 GMT+02:00 Seth Hall :
>
>>
>> > On Sep 8, 2016, at 5:49 AM, clautos wrote:
>> >
>> > When I download audacity (.exe) through HTTP, I get an incorrect .exe
>> file. The original file has a size of 26.5 MB and what I collect in my
>> "extract_files" folder has a size of 1.4 kB. Obviously the md5sums mismatch.
>>
>> It's very possible that you encountered packet loss. You can either look
>> at the "missed_bytes" field in conn.log or the "missing_bytes" field in the
>> files.log. If either of those aren't zero, then you probably dropped
>> packets.
>>
>> Damn, now that I look at those field names, we ended up naming them
>> unfortunately different.
>>
>> .Seth
>>
>> --
>> Seth Hall
>> International Computer Science Institute
>> (Bro) because everyone has a network
>> http://www.bro.org/
>>
>>
>

From philosnef at yahoo.com Fri Sep 9 07:47:35 2016
From: philosnef at yahoo.com (philosnef)
Date: Fri, 9 Sep 2016 14:47:35 +0000 (UTC)
Subject: [Bro] problem with cpu pinning
References: <327464285.2374790.1473432455394.ref@mail.yahoo.com>
Message-ID: <327464285.2374790.1473432455394@mail.yahoo.com>

When I try to pin cpus, they do not actually pin at all. I pinned cpus 0-19 (40 cores), but the cores used are 20-39. So then I pinned even number cores (0, 2, 4, 6, and so on), and the cores used are STILL 20-39. No matter what I pin the cpus to, they always end up on 20-39. Any ideas what is going on?

From brot212 at googlemail.com Fri Sep 9 08:35:29 2016
From: brot212 at googlemail.com (Dane Wullen)
Date: Fri, 9 Sep 2016 17:35:29 +0200
Subject: [Bro] IDE/Editor for Bro
In-Reply-To:
References: <5da61f43-8677-595f-7bfb-4c15fa31b0b6@googlemail.com> <01000157056e2bd4-a7064e4a-91bb-4eb7-b02c-4e9db9a830f0-000000@email.amazonses.com> <8681F2B5-3D54-42D6-A78E-360FDED4038B@icir.org>
Message-ID: <6918b14a-ad50-3e97-4942-c00929d34e1b@googlemail.com>

Hey fellas,

wow, thank you all for your answers! I will try these editors to see which suits me best!
-Dane

On 09.09.2016 at 03:35, Azoff, Justin S wrote:
>
>> On Sep 8, 2016, at 4:14 PM, Patrick Kelley wrote:
>>
>> Atom is pretty solid and has a bro recognition. Free doesn't hurt, either.
>
> Oh! Speaking of atom.. I had written a plugin for linter to parse the bro -a output... Apparently it was completely broken after not being updated for a year, but I just re-wrote it from scratch and published it to the atom package site:
>
> https://atom.io/packages/linter-bro
>
> With it installed atom will tell you when you save a bro script that has errors in it.
>
> Install linter and linter-bro through the GUI or just run "apm install linter linter-bro".
>
> --
> - Justin Azoff
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From jazoff at illinois.edu Fri Sep 9 08:44:16 2016
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Fri, 9 Sep 2016 15:44:16 +0000
Subject: [Bro] proxy and worker
In-Reply-To:
References:
Message-ID: <006CC1DE-49A4-480F-93A1-BE9A8DD783C9@illinois.edu>

> On Sep 9, 2016, at 5:12 AM, XU Guo
> <478682649 at qq.com> wrote:
>
> Hi all,
> I have an issue about proxy and worker. Here is my cluster configuration:
>
> [manager]
> type=manager
> host=localhost
>
> [proxy-1]
> type=proxy
> host=localhost
>
> [worker-1]
> type=worker
> host=localhost
> interface=ens512f1
> lb_method=pf_ring
> lb_procs=8
> pin_cpus=0,1,2,3,4,5,6,7
>
> [worker-2]
> type=worker
> host=localhost
> interface=ens512f1
> lb_method=pf_ring
> lb_procs=8
> pin_cpus=8,9,10,11,12,13,14,15
>
> [worker-3]
> type=worker
> host=localhost
> interface=ens512f1
> lb_method=pf_ring
> lb_procs=8
> pin_cpus=16,17,18,19,20,21,22,23
>
> [worker-4]
> type=worker
> host=localhost
> interface=ens512f1
> lb_method=pf_ring
> lb_procs=4
> pin_cpus=24,25,26,27,28,29,30,31

The above configuration is not valid.

> If I run all threads on single worker like this:
>
> [worker]
> type=worker
> host=localhost
> interface=ens512f1
> lb_method=pf_ring
> lb_procs=32
> pin_cpus=0,1,2,3,4,5,6,....31
>
> What's the difference between all threads on a single worker vs threads on multiple workers?

As the "procs" in the option indicates, lb_procs creates multiple processes, not threads. The first configuration creates 4 groups of processes that will all see duplicates of the same traffic. You want the 2nd configuration.

You also likely do not have a real 32 core system. If that is 32 cores with hyper threading or something, you only want to run about 15 workers.

--
- Justin Azoff

From dani.nicolo at gmail.com Fri Sep 9 08:48:21 2016
From: dani.nicolo at gmail.com (Danilo Nicolò)
Date: Fri, 9 Sep 2016 17:48:21 +0200
Subject: [Bro] High orig_bytes value
In-Reply-To:
References: <378371F2-AABC-407A-903D-B64B9F55233B@icir.org>
Message-ID:

Hello Seth,

>> Have you tried just sniffing a single interface and doing load balancing? Could you send the script you're running in packet-bricks?

No, I've tried to sniff four interfaces, merging them to one and load-balancing on two workers (for now).
I used first:

Brick.new("Merge")

And then:

Brick.new("LoadBalancer")

The flow works well as programmed, but sometimes that problem of wrong orig_bytes happened. Now I removed the packet-bricks layer, connecting the netmapped interfaces directly to bro, and it's working well.

Thanks for your interest
Danilo

2016-09-08 15:49 GMT+02:00 Seth Hall :
>
> > On Sep 8, 2016, at 4:57 AM, Danilo Nicolò wrote:
> >
> > Sorry for short information.
> > I'm using Packet-bricks + Bro (2.5) + Netmap (plugin)
>
> Thanks for the explanation of what you're doing, that's helpful.
>
> > Yesterday I removed Packet-bricks from the chain and the problem was solved.
>
> That's good to know.
>
> > Eth0 --\
> >
> > Eth1 ------ Merge -> Slot -> LoadBalance ----- Slot -> Bro worker #1
> >
> > Eth2 ---/                                  \--- Slot -> Bro worker #2
> >
> > Eth3 --/
>
> Have you tried just sniffing a single interface and doing load balancing? Could you send the script you're running in packet-bricks?
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/

From jazoff at illinois.edu Fri Sep 9 08:48:44 2016
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Fri, 9 Sep 2016 15:48:44 +0000
Subject: [Bro] problem with cpu pinning
In-Reply-To: <327464285.2374790.1473432455394@mail.yahoo.com>
References: <327464285.2374790.1473432455394.ref@mail.yahoo.com> <327464285.2374790.1473432455394@mail.yahoo.com>
Message-ID: <106D5300-AF90-4C78-A462-AA8E3A661748@illinois.edu>

> On Sep 9, 2016, at 10:47 AM, philosnef wrote:
>
> When I try to pin cpus, they do not actually pin at all. I pinned cpus 0-19 (40 cores), but the cores used are 20-39. So then I pinned even number cores (0, 2, 4, 6, and so on), and the cores used are STILL 20-39.
> No matter what I pin the cpus to, they always end up on 20-39. Any ideas what is going on?

The only thing the pin cpus option in broctl does is change from running bro directly to running bro using 'taskset -c X ...'

Start by seeing if 'taskset -c 10 top' works.

--
- Justin Azoff

From jdopheid at illinois.edu Fri Sep 9 09:09:21 2016
From: jdopheid at illinois.edu (Dopheide, Jeannette M)
Date: Fri, 9 Sep 2016 16:09:21 +0000
Subject: [Bro] BroCon '16: send us your questions for the panel
Message-ID: <3FEDFA31-890C-46E0-922D-336E2C0D8715@illinois.edu>

Bro Community,

Are you attending BroCon next week? Great! We look forward to seeing you.

Do you have any questions for the Bro Panel on Thursday? Great! Please send them to me so I may forward them to the moderator.

See you in Austin!

Jeannette Dopheide

------
Jeannette Dopheide
Training and Outreach Coordinator
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign

From jedwards2728 at gmail.com Sun Sep 11 02:03:50 2016
From: jedwards2728 at gmail.com (John Edwards)
Date: Sun, 11 Sep 2016 19:03:50 +1000
Subject: [Bro] 10Gbps Bro deployment
Message-ID:

Hi,

I will be deploying an instance of Bro onto two fairly powerful Ubuntu servers that sit off a pair of 10Gbps TAP devices. I have only used Bro on a smaller 1Gbps TAP and just deployed it after compiling the source of 2.4.1 and got the file extraction scripts to work.

What sort of deployment options should I be considering? The reason I ask is that, out of the box, Bro's logs seem to be quite light weight in terms of disk usage consumption and they are rotated and gzipped. I want to put together a deployment document as to how and why I will deploy it.

As the TAPs are passive they don't aggregate; they collect both RX and TX fiber but in separate streams, so I will need to aggregate the data or bond the interfaces. Then is it best I have Bro running on both systems and build another as the Cluster head
to use Broctl? Or is having two separate instances of bro, 1 per Ubuntu server, ok?

The data will be placed back into a large splunk indexer.

Thanks for any assistance.

Cheers,
John

From philosnef at yahoo.com Sun Sep 11 12:24:13 2016
From: philosnef at yahoo.com (philosnef)
Date: Sun, 11 Sep 2016 19:24:13 +0000 (UTC)
Subject: [Bro] Subject: 10Gbps Bro deployment
References: <997428785.3258921.1473621853660.ref@mail.yahoo.com>
Message-ID: <997428785.3258921.1473621853660@mail.yahoo.com>

The problem with Bro is how resource intensive it is to run. On a 1Gb/s stream, you wouldn't need "much" (this is highly relative...). On a 10Gb/s, you really need to identify what your actual throughput is like. For us, our 4.5Gb/s sustained traffic needs ~400gigs of ram and 40 cores. :) About 1/3rd of that goes into cache, but the rest is resident.

From sebclaut at gmail.com Mon Sep 12 07:13:08 2016
From: sebclaut at gmail.com (clautos)
Date: Mon, 12 Sep 2016 16:13:08 +0200
Subject: [Bro] Incomplete FTP file extraction
Message-ID:

Hello,

I'm trying to extract all the files that transit through my network card over HTTP or FTP.
I have no problem with HTTP but with FTP files I get incomplete files.
In the capture_loss.log I see packet loss even when I run bro from a PCAP file (and wireshark did not miss packets).
The -C option is activated, I retrieve files with the default extraction script from the security-onion install (extract.bro). The file I'm trying to retrieve is a .exe (putty from the ftp download).
I tried to download another .exe over FTP and it worked, but my putty.exe can't be extracted completely. I'm a bit confused.
Any idea how to retrieve my ftp files? Maybe I forgot an option?

From mus3 at lehigh.edu Mon Sep 12 13:46:26 2016
From: mus3 at lehigh.edu (Munroe Sollog)
Date: Mon, 12 Sep 2016 16:46:26 -0400
Subject: [Bro] NSQ plugin getting deprecated in 2.5
Message-ID:

I saw a notice in the 2.5 release notes and I read through the June '16 conversation about the elasticsearch plugin. I wanted to add my $0.02. For people who are trying to analyze large traffic flows it becomes imperative to not rely on the disk subsystem for transport. Our current flow looks like:

Bro -> NSQ -> Logstash -> ElasticSearch

We tried to use the Redis plugin first but it was not built in a way that makes it possible to use with Logstash (I have two or three open issues on github). Moving to NSQ was the only way we could really deploy the service. I'm open to switching to a different messaging broker, but I think it is a bit over-ambitious to deprecate a plugin that works perfectly well (for NSQ at least) without having a viable alternative (RELP, a better Redis plugin, a dedicated NSQ plugin).

Thanks
- Munroe

From newfire.bw at gmail.com Mon Sep 12 19:12:10 2016
From: newfire.bw at gmail.com (Bowen Li)
Date: Tue, 13 Sep 2016 10:12:10 +0800
Subject: [Bro] Incomplete FTP file extraction
In-Reply-To:
References:
Message-ID:

Hi clautos,

Recently, I have the same problem when running bro cluster with pf_ring.
Finally, I solved it. Because the ports of FTP DATA and CMD are different, maybe you need to hash the same FTP connection to the same thread, so bro can extract the FTP file.
Don't know if this could help you.

Bowen Li

2016-09-12 22:13 GMT+08:00 clautos :
> Hello,
>
> I'm trying to extract all the files that transit through my network card over HTTP or FTP.
> I have no problem with HTTP but with FTP files I get incomplete files.
> In the capture_loss.log I see packet loss even when I run bro from a PCAP file (and wireshark did not miss packets).
> The -C option is activated, I retrieve files with the default extraction script from the security-onion install (extract.bro). The file I'm trying to retrieve is a .exe (putty from the ftp download).
> I tried to download another .exe over FTP and it worked, but my putty.exe can't be extracted completely. I'm a bit confused.
> Any idea how to retrieve my ftp files? Maybe I forgot an option?

From daniel.guerra69 at gmail.com Tue Sep 13 00:45:49 2016
From: daniel.guerra69 at gmail.com (Daniel Guerra)
Date: Tue, 13 Sep 2016 09:45:49 +0200
Subject: [Bro] NSQ plugin getting deprecated in 2.5
In-Reply-To:
References:
Message-ID: <861E12DF-9F13-4CD9-A75D-90921DD1E003@gmail.com>

Hi Munroe,

Too bad it's deprecated. There is a running docker example

https://hub.docker.com/r/danielguerra/bro-debian-elasticsearch/

In the new repo the best way to do it would be using the kafka plugin.
From kafka you can use an elasticsearch river.

Regards,

Daniel

> On 12 Sep 2016, at 22:46, Munroe Sollog wrote:
>
> I saw a notice in the 2.5 release notes and I read through the June '16 conversation about the elasticsearch plugin.
> I wanted to add my $0.02. For people who are trying to analyze large traffic flows it becomes imperative to not rely on the disk subsystem for transport. Our current flow looks like:
>
> Bro -> NSQ -> Logstash -> ElasticSearch
>
> We tried to use the Redis plugin first but it was not built in a way that makes it possible to use with Logstash (I have two or three open issues on github). Moving to NSQ was the only way we could really deploy the service. I'm open to switching to a different messaging broker, but I think it is a bit over-ambitious to deprecate a plugin that works perfectly well (for NSQ at least) without having a viable alternative (RELP, a better Redis plugin, a dedicated NSQ plugin).
>
> Thanks
> - Munroe

From mus3 at lehigh.edu Tue Sep 13 05:33:57 2016
From: mus3 at lehigh.edu (Munroe Sollog)
Date: Tue, 13 Sep 2016 08:33:57 -0400
Subject: [Bro] NSQ plugin getting deprecated in 2.5
In-Reply-To: <861E12DF-9F13-4CD9-A75D-90921DD1E003@gmail.com>
References: <861E12DF-9F13-4CD9-A75D-90921DD1E003@gmail.com>
Message-ID: <15a4ad77-5f67-d014-3ae0-f77edf99bf11@lehigh.edu>

You make it sound like it being deprecated has more meaning than someone decided to label it as such.

- Munroe

On 09/13/2016 03:45 AM, Daniel Guerra wrote:
> Hi Munroe,
>
> Too bad it's deprecated. There is a running docker example
>
> https://hub.docker.com/r/danielguerra/bro-debian-elasticsearch/
>
> In the new repo the best way to do it would be using the kafka plugin.
> From kafka you can use an elasticsearch river.
>
> Regards,
>
> Daniel
>
>> On 12 Sep 2016, at 22:46, Munroe Sollog wrote:
>>
>> I saw a notice in the 2.5 release notes and I read through the June '16 conversation about the elasticsearch plugin. I wanted to add my $0.02. For people who are trying to analyze large traffic flows it becomes imperative to not rely on the disk subsystem for transport. Our current flow looks like:
>>
>> Bro -> NSQ -> Logstash -> ElasticSearch
>>
>> We tried to use the Redis plugin first but it was not built in a way that makes it possible to use with Logstash (I have two or three open issues on github). Moving to NSQ was the only way we could really deploy the service. I'm open to switching to a different messaging broker, but I think it is a bit over-ambitious to deprecate a plugin that works perfectly well (for NSQ at least) without having a viable alternative (RELP, a better Redis plugin, a dedicated NSQ plugin).
>>
>> Thanks
>> - Munroe

--
Munroe Sollog
LTS - Network Analyst
x85002

From jlay at slave-tothe-box.net Tue Sep 13 10:31:55 2016
From: jlay at slave-tothe-box.net (James Lay)
Date: Tue, 13 Sep 2016 11:31:55 -0600
Subject: [Bro] Couple items for ES
Message-ID: <05b9c0817b6aa6a9cfae1d5c0058626b@localhost>

From the page:

https://www.bro.org/sphinx/components/bro-plugins/elasticsearch/README.html

~~~
Installing the ElasticSearch Plugin

First, ensure that you have libcurl (headers and library) installed. Then the following will compile and install the plugin alongside Bro:

# ./configure && make && make install

See the output of ./configure --help for additional options if it can't find any of the prerequisites.

If everything built and installed correctly, you should see this:

# bro -N Bro::ElasticSearch
Bro::ElasticSearch - ElasticSearch log writer (dynamic, version 1.0)
~~~

1.
Might wanna add the fact that you need to cd to bro-2.4.1/aux/plugins/elasticsearch before the ./configure && make && make install line and
2. Might also wanna specify that the default plugin dir to install in is bro-install-dir/lib/bro/plugins/

James

From gl89 at cornell.edu Wed Sep 14 06:07:46 2016
From: gl89 at cornell.edu (Glenn Forbes Fleming Larratt)
Date: Wed, 14 Sep 2016 09:07:46 -0400 (EDT)
Subject: [Bro] "broctl cron" running every 5 mins, and side effects
In-Reply-To: <1F5FE9FA-0F05-4D2B-9285-8377176347FD@illinois.edu>
References: <1F5FE9FA-0F05-4D2B-9285-8377176347FD@illinois.edu>
Message-ID:

Thanks!

At the recommendation of my sysadmins, I installed a caching nameserver directly on my manager host - problem solved (for that host). I haven't decided yet whether the workers should use the nameserver on the manager, or each one should run his own, but I think that'll fix things.

-g
--
Glenn Forbes Fleming Larratt
Cornell University IT Security Office

On Sat, 3 Sep 2016, Azoff, Justin S wrote:
>
>> On Sep 2, 2016, at 9:35 AM, Glenn Forbes Fleming Larratt wrote:
>>
>> Can anyone comment on what "broctl cron" is actually doing?
>>
>> My DNS admin reported to me that, at 5-minute intervals, my six bro hosts (1x manager+proxy, 5 workers) are spewing DNS queries in the thousands, all forward and reverse lookups of themselves and each other (sample appended). It *seems* to be correlated in time with the running of "broctl cron".
>>
>
> broctl cron primarily checks up on the workers via ssh.
>
> Are you using a bro version earlier than 2.4? 2.4 will make one connection per worker box, before that it made one connection for each worker process.
>
> What you are seeing looks like bro < 2.4 plus ssh having UseDns or VerifyReverseMapping enabled.
>
> It's also interesting that bro01 is not one of the names in the output, and bro05 appears 5% as often as 2,3,4 are.
>
> In general you should be running a local caching resolver (unbound, dnsmasq, etc).
> Things run better across the board when you are caching dns responses locally and not going out to the network for every lookup.

From jlay at slave-tothe-box.net Wed Sep 14 08:53:26 2016
From: jlay at slave-tothe-box.net (James Lay)
Date: Wed, 14 Sep 2016 09:53:26 -0600
Subject: [Bro] Couple items for ES
In-Reply-To: <05b9c0817b6aa6a9cfae1d5c0058626b@localhost>
References: <05b9c0817b6aa6a9cfae1d5c0058626b@localhost>
Message-ID: <10858e5a8e5a36375f5a4beef9826da6@localhost>

And a couple more (guess what I'm doing today....)

The below fixes dots in field names (id.orig_h for example) with ES 2.4.0:

https://www.elastic.co/guide/en/elasticsearch/reference/current/dots-in-names.html

A lot of your fields you can map via Kibana, but a couple you can't, namely ts, id.orig_h, id.resp_h. Once that's done here's a curl line to create a mapping template:

curl -XPUT "http://localhost:9200/_template/bro_template" -d'
{
  "template": "bro-*",
  "mappings": {
    "bro_ts": {
      "properties": {
        "ts": { "type": "date", "format": "epoch_millis" }
      }
    },
    "bro_orig_h": {
      "properties": {
        "id.orig_h": { "type": "ip" }
      }
    },
    "bro_resp_h": {
      "properties": {
        "id.resp_h": { "type": "ip" }
      }
    }
  }
}'

This will allow new indexes to have the above. For me, as this is a new install, I just nuked all bro-* indexes and started over, THEN I went to Kibana to add bro-* as an index where ts shows as the time-field name:

Hope this helps someone in the world :)

James

On 2016-09-13 11:31, James Lay wrote:
> From the page:
>
> https://www.bro.org/sphinx/components/bro-plugins/elasticsearch/README.html
>
> ~~~
> Installing the ElasticSearch Plugin
>
> First, ensure that you have libcurl (headers and library) installed.
> Then the following will compile and install the plugin alongside Bro:
>
> # ./configure && make && make install
> See the output of ./configure --help for additional options if it can't find any of the prerequisites.
>
> If everything built and installed correctly, you should see this:
>
> # bro -N Bro::ElasticSearch
> Bro::ElasticSearch - ElasticSearch log writer (dynamic, version 1.0)
> ~~~
>
> 1. Might wanna add the fact that you need to cd to bro-2.4.1/aux/plugins/elasticsearch before the ./configure && make && make install line and
> 2. Might also wanna specify that the default plugin dir to install in is bro-install-dir/lib/bro/plugins/
>
> James

[Attachment: 2016-09-13 16_55_04-Settings - Kibana.jpg]

From seth at icir.org Thu Sep 15 07:35:24 2016
From: seth at icir.org (Seth Hall)
Date: Thu, 15 Sep 2016 10:35:24 -0400
Subject: [Bro] Couple items for ES
In-Reply-To: <10858e5a8e5a36375f5a4beef9826da6@localhost>
References: <05b9c0817b6aa6a9cfae1d5c0058626b@localhost> <10858e5a8e5a36375f5a4beef9826da6@localhost>
Message-ID: <506CDE15-5963-46EC-9EB1-764BC4DFB89D@icir.org>

> On Sep 14, 2016, at 11:53 AM, James Lay wrote:
>
> A lot of your fields you can map via Kibana, but a couple you can't, namely ts, id.orig_h, id.resp_h. Once that's done here's a curl line to create a mapping template:

In 2.5 (beta right now), you can do this...

redef Log::default_scope_sep = "_";

That will get rid of periods from your log field names in all logs.
.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From jlay at slave-tothe-box.net Thu Sep 15 07:40:48 2016
From: jlay at slave-tothe-box.net (James Lay)
Date: Thu, 15 Sep 2016 08:40:48 -0600
Subject: [Bro] Couple items for ES
In-Reply-To: <506CDE15-5963-46EC-9EB1-764BC4DFB89D@icir.org>
References: <05b9c0817b6aa6a9cfae1d5c0058626b@localhost> <10858e5a8e5a36375f5a4beef9826da6@localhost> <506CDE15-5963-46EC-9EB1-764BC4DFB89D@icir.org>
Message-ID: <3b3f01021b4e78cc105db8484ae7b2cd@localhost>

On 2016-09-15 08:35, Seth Hall wrote:
>> On Sep 14, 2016, at 11:53 AM, James Lay wrote:
>>
>> A lot of your fields you can map via Kibana, but a couple you can't, namely ts, id.orig_h, id.resp_h. Once that's done here's a curl line to create a mapping template:
>
> In 2.5 (beta right now), you can do this...
> redef Log::default_scope_sep = "_";
>
> That will get rid of periods from your log field names in all logs.
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/

Excellent....file that under the "more than one way to skin a cat" category...looking forward to 2.5..thanks Seth.

James

From mohan.dhawan at gmail.com Thu Sep 15 23:43:06 2016
From: mohan.dhawan at gmail.com (Mohan Dhawan)
Date: Fri, 16 Sep 2016 12:13:06 +0530
Subject: [Bro] Bro HTTPS analyzer
Message-ID:

Dear All,

I wish to analyze HTTPS traffic with Bro and want to know what specific changes might need to be done to the existing HTTP analyzer framework.

Thanks for the help.

Regards,
mohan
From anthony.kasza at gmail.com Fri Sep 16 01:58:13 2016
From: anthony.kasza at gmail.com (anthony kasza)
Date: Fri, 16 Sep 2016 04:58:13 -0400
Subject: [Bro] Bro HTTPS analyzer
In-Reply-To:
References:
Message-ID:

This really depends on your HTTP traffic. Bro handles the majority of HTTP cleanly directly out of the box. Have you tried feeding Bro some sample trace files to see what shows up in the http.log file?

-AK

On Sep 16, 2016 2:45 AM, "Mohan Dhawan" wrote:
> Dear All,
>
> I wish to analyze HTTPS traffic with Bro and want to know what specific changes might need to be done to the existing HTTP analyzer framework.
>
> Thanks for the help.
>
> Regards,
> mohan

From daniel.manzo at bayer.com Fri Sep 16 06:25:58 2016
From: daniel.manzo at bayer.com (Daniel Manzo)
Date: Fri, 16 Sep 2016 13:25:58 +0000
Subject: [Bro] Ip-based
Message-ID: <2C7473428EFB4348960ACC47FDC529451ACC43CE@MOXCXR.na.bayer.cnb>

Hi all,

Just to verify before setting up Bro, this IDS is not IP-based, correct? It looks like it is not, but I just want to be certain.

Thanks,
Dan Manzo
From k2 at korrosivesecurity.com Fri Sep 16 06:45:42 2016
From: k2 at korrosivesecurity.com (K2)
Date: Fri, 16 Sep 2016 08:45:42 -0500
Subject: [Bro] Ip-based
In-Reply-To: <2C7473428EFB4348960ACC47FDC529451ACC43CE@MOXCXR.na.bayer.cnb>
References: <2C7473428EFB4348960ACC47FDC529451ACC43CE@MOXCXR.na.bayer.cnb>
Message-ID: <1474033542.2536909.727804513.31A76C11@webmail.messagingengine.com>

What do you mean by IP-based? Are you asking if it is designed for intrusion prevention? The answer to that would be no.

Bro gives you pretty much all the information you'd ever want to know about your network traffic, but leaves it to the analyst to decide what is good and what is bad.

Kory

On Fri, Sep 16, 2016, at 08:25 AM, Daniel Manzo wrote:
> Hi all,
>
> Just to verify before setting up Bro, this IDS is not IP-based, correct? It looks like it is not, but I just want to be certain.
>
> Thanks,
>
> Dan Manzo

From daniel.manzo at bayer.com Fri Sep 16 06:59:46 2016
From: daniel.manzo at bayer.com (Daniel Manzo)
Date: Fri, 16 Sep 2016 13:59:46 +0000
Subject: [Bro] Ip-based
In-Reply-To: <1474033542.2536909.727804513.31A76C11@webmail.messagingengine.com>
References: <2C7473428EFB4348960ACC47FDC529451ACC43CE@MOXCXR.na.bayer.cnb> <1474033542.2536909.727804513.31A76C11@webmail.messagingengine.com>
Message-ID: <2C7473428EFB4348960ACC47FDC529451ACC4404@MOXCXR.na.bayer.cnb>

Okay, I meant IP address based. By that I mean - are there any settings or configuration files that require specific IPs to be set in order for Bro to work?
I'm trying to explain to my colleague how Bro works, but having a hard time myself. From my understanding it doesn't need any IP addresses, and will monitor whatever traffic is incoming from the server's NICs. Is this correct?

Thanks,
Dan Manzo

From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of K2
Sent: Friday, September 16, 2016 9:46 AM
To: bro at bro.org
Subject: Re: [Bro] Ip-based

What do you mean by IP-based? Are you asking if it is designed for intrusion prevention? The answer to that would be no.

Bro gives you pretty much all the information you'd ever want to know about your network traffic, but leaves it to the analyst to decide what is good and what is bad.

Kory

On Fri, Sep 16, 2016, at 08:25 AM, Daniel Manzo wrote:
Hi all,

Just to verify before setting up Bro, this IDS is not IP-based, correct? It looks like it is not, but I just want to be certain.

Thanks,
Dan Manzo

From k2 at korrosivesecurity.com Fri Sep 16 07:12:02 2016
From: k2 at korrosivesecurity.com (K2)
Date: Fri, 16 Sep 2016 09:12:02 -0500
Subject: [Bro] Ip-based
In-Reply-To: <2C7473428EFB4348960ACC47FDC529451ACC4404@MOXCXR.na.bayer.cnb>
References: <2C7473428EFB4348960ACC47FDC529451ACC43CE@MOXCXR.na.bayer.cnb> <1474033542.2536909.727804513.31A76C11@webmail.messagingengine.com> <2C7473428EFB4348960ACC47FDC529451ACC4404@MOXCXR.na.bayer.cnb>
Message-ID: <1474035122.2544615.727837113.4FB56F7E@webmail.messagingengine.com>

Ah. You are correct, the listening interface can be set to promiscuous mode without having any assigned IP. Bro will analyze anything that interface receives.
On Fri, Sep 16, 2016, at 08:59 AM, Daniel Manzo wrote:
> Okay, I meant IP address based. By that I mean - are there any settings or configuration files that require specific IPs to be set in order for Bro to work? I'm trying to explain to my colleague how Bro works, but having a hard time myself. From my understanding it doesn't need any IP addresses, and will monitor whatever traffic is incoming from the server's NICs. Is this correct?
>
> Thanks,
> Dan Manzo
>
> *From:* bro-bounces at bro.org [mailto:bro-bounces at bro.org] *On Behalf Of* K2
> *Sent:* Friday, September 16, 2016 9:46 AM
> *To:* bro at bro.org
> *Subject:* Re: [Bro] Ip-based
>
> What do you mean by IP-based? Are you asking if it is designed for intrusion prevention? The answer to that would be no.
>
> Bro gives you pretty much all the information you'd ever want to know about your network traffic, but leaves it to the analyst to decide what is good and what is bad.
>
> Kory
>
> On Fri, Sep 16, 2016, at 08:25 AM, Daniel Manzo wrote:
>> Hi all,
>>
>> Just to verify before setting up Bro, this IDS is not IP-based, correct? It looks like it is not, but I just want to be certain.
>>
>> Thanks,
>>
>> Dan Manzo

From philosnef at yahoo.com Fri Sep 16 07:20:29 2016
From: philosnef at yahoo.com (philosnef)
Date: Fri, 16 Sep 2016 14:20:29 +0000 (UTC)
Subject: [Bro] Bro HTTPS analyzer
In-Reply-To:
References:
Message-ID: <927609994.2182639.1474035629449@mail.yahoo.com>

Generally, you do not "process" https traffic with Bro. Either you break it out, or you just look peripherally at the traffic (things like certificate information, conn tracking).
If you truly want to do full inspection of https, you need an ssl proxy or breakout solution. Once it is broken out, there is nothing you need to do. Bro reads it exactly the same as any other http traffic.

On Friday, September 16, 2016 10:00 AM, "bro-request at bro.org" wrote:

Send Bro mailing list submissions to
    bro at bro.org

To subscribe or unsubscribe via the World Wide Web, visit
    http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
or, via email, send a message with subject or body 'help' to
    bro-request at bro.org

You can reach the person managing the list at
    bro-owner at bro.org

When replying, please edit your Subject line so it is more specific than "Re: Contents of Bro digest..."

Today's Topics:

  1. Bro HTTPS analyzer (Mohan Dhawan)
  2. Re: Bro HTTPS analyzer (anthony kasza)
  3. Ip-based (Daniel Manzo)
  4. Re: Ip-based (K2)
  5. Re: Ip-based (Daniel Manzo)

----------------------------------------------------------------------

Message: 1
Date: Fri, 16 Sep 2016 12:13:06 +0530
From: Mohan Dhawan
Subject: [Bro] Bro HTTPS analyzer
To: bro at bro.org
Message-ID:
Content-Type: text/plain; charset="utf-8"

Dear All,

I wish to analyze HTTPS traffic with Bro and want to know what specific changes might need to be done to the existing HTTP analyzer framework.

Thanks for the help.

Regards,
mohan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160916/dc077468/attachment-0001.bin

------------------------------

Message: 2
Date: Fri, 16 Sep 2016 04:58:13 -0400
From: anthony kasza
Subject: Re: [Bro] Bro HTTPS analyzer
To: Mohan Dhawan
Cc: bro at bro.org
Message-ID:
Content-Type: text/plain; charset="utf-8"

This really depends on your HTTP traffic. Bro handles the majority of HTTP cleanly directly out of the box.
Have you tried feeding Bro some sample trace files to see what shows up in the http.log file?

-AK

On Sep 16, 2016 2:45 AM, "Mohan Dhawan" wrote:
> Dear All,
>
> I wish to analyze HTTPS traffic with Bro and want to know what specific changes might need to be done to the existing HTTP analyzer framework.
>
> Thanks for the help.
>
> Regards,
> mohan
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160916/11f04157/attachment-0001.html

------------------------------

Message: 3
Date: Fri, 16 Sep 2016 13:25:58 +0000
From: Daniel Manzo
Subject: [Bro] Ip-based
To: "bro at bro.org"
Message-ID: <2C7473428EFB4348960ACC47FDC529451ACC43CE at MOXCXR.na.bayer.cnb>
Content-Type: text/plain; charset="us-ascii"

Hi all,

Just to verify before setting up Bro, this IDS is not IP-based, correct? It looks like it is not, but I just want to be certain.

Thanks,
Dan Manzo
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160916/049a3c06/attachment-0001.html

------------------------------

Message: 4
Date: Fri, 16 Sep 2016 08:45:42 -0500
From: K2
Subject: Re: [Bro] Ip-based
To: bro at bro.org
Message-ID: <1474033542.2536909.727804513.31A76C11 at webmail.messagingengine.com>
Content-Type: text/plain; charset="us-ascii"

What do you mean by IP-based? Are you asking if it is designed for intrusion prevention? The answer to that would be no.

Bro gives you pretty much all the information you'd ever want to know about your network traffic, but leaves it to the analyst to decide what is good and what is bad.

Kory

On Fri, Sep 16, 2016, at 08:25 AM, Daniel Manzo wrote:
> Hi all,
>
> Just to verify before setting up Bro, this IDS is not IP-based, correct?
> It looks like it is not, but I just want to be certain.
>
> Thanks,
>
> Dan Manzo
> _________________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160916/ae7e3a57/attachment-0001.html

------------------------------

Message: 5
Date: Fri, 16 Sep 2016 13:59:46 +0000
From: Daniel Manzo
Subject: Re: [Bro] Ip-based
To: K2 , "bro at bro.org"
Message-ID: <2C7473428EFB4348960ACC47FDC529451ACC4404 at MOXCXR.na.bayer.cnb>
Content-Type: text/plain; charset="us-ascii"

Okay, I meant IP address based. By that I mean - are there any settings or configuration files that require specific IPs to be set in order for Bro to work? I'm trying to explain to my colleague how Bro works, but having a hard time myself. From my understanding it doesn't need any IP addresses, and will monitor whatever traffic is incoming from the server's NICs. Is this correct?

Thanks,
Dan Manzo

From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of K2
Sent: Friday, September 16, 2016 9:46 AM
To: bro at bro.org
Subject: Re: [Bro] Ip-based

What do you mean by IP-based? Are you asking if it is designed for intrusion prevention? The answer to that would be no.

Bro gives you pretty much all the information you'd ever want to know about your network traffic, but leaves it to the analyst to decide what is good and what is bad.

Kory

On Fri, Sep 16, 2016, at 08:25 AM, Daniel Manzo wrote:
Hi all,

Just to verify before setting up Bro, this IDS is not IP-based, correct? It looks like it is not, but I just want to be certain.

Thanks,
Dan Manzo
_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160916/d78a97f8/attachment.html

------------------------------

_______________________________________________
Bro mailing list
Bro at bro.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

End of Bro Digest, Vol 125, Issue 18
************************************
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160916/e5fbf4bc/attachment-0001.html

From dopheide at gmail.com Fri Sep 16 07:56:59 2016
From: dopheide at gmail.com (Mike Dopheide)
Date: Fri, 16 Sep 2016 09:56:59 -0500
Subject: [Bro] Ip-based
In-Reply-To: <1474035122.2544615.727837113.4FB56F7E@webmail.messagingengine.com>
References: <2C7473428EFB4348960ACC47FDC529451ACC43CE@MOXCXR.na.bayer.cnb> <1474033542.2536909.727804513.31A76C11@webmail.messagingengine.com> <2C7473428EFB4348960ACC47FDC529451ACC4404@MOXCXR.na.bayer.cnb> <1474035122.2544615.727837113.4FB56F7E@webmail.messagingengine.com>
Message-ID:

You should consider setting your local subnets in $BROPATH/etc/networks.cfg. For some policies that helps Bro know what to treat as local hosts versus external.

Dop

On Friday, September 16, 2016, K2 wrote:
> Ah. You are correct, the listening interface can be set to promiscuous mode without having any assigned IP. Bro will analyze anything that that interface receives.
>
>
> On Fri, Sep 16, 2016, at 08:59 AM, Daniel Manzo wrote:
>
> Okay, I meant IP address based. By that I mean - are there any settings or configuration files that require specific IPs to be set in order for Bro to work? I'm trying to explain to my colleague how Bro works, but having a hard time myself. From my understanding it doesn't need any IP addresses, and will monitor whatever traffic is incoming from the server's NICs. Is this correct?
>
> Thanks,
> Dan Manzo
>
> *From:* bro-bounces at bro.org [mailto:bro-bounces at bro.org] *On Behalf Of *K2
> *Sent:* Friday, September 16, 2016 9:46 AM
> *To:* bro at bro.org
> *Subject:* Re: [Bro] Ip-based
>
> What do you mean by IP-based? Are you asking if it is designed for intrusion prevention? The answer to that would be no.
>
> Bro gives you pretty much all the information you'd ever want to know about your network traffic, but leaves it to the analyst to decide what is good and what is bad.
>
> Kory
>
> On Fri, Sep 16, 2016, at 08:25 AM, Daniel Manzo wrote:
>
> Hi all,
>
> Just to verify before setting up Bro, this IDS is not IP-based, correct? It looks like it is not, but I just want to be certain.
>
> Thanks,
>
> Dan Manzo
>
> *_______________________________________________*
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160916/32b883e1/attachment.html

From gordonjamesr at gmail.com Fri Sep 16 10:42:33 2016
From: gordonjamesr at gmail.com (James Gordon)
Date: Fri, 16 Sep 2016 13:42:33 -0400
Subject: [Bro] Issues with intel framework
Message-ID: <080407FF-AAA8-4EA1-8671-AB3F75777E15@gmail.com>

Hi all,

I'm running Bro on a fairly new distributed security onion setup - we have 3 sensors running bro in our environment. We're running bro version 2.4.1. I've been wanting to add Critical Stack's intel agent into our stack, but wanted to test how the intel framework works before we set it all up. To test the framework, I added a test domain (www.reddit.com) and two test IP addresses to intel.dat.
I also downloaded and formatted a list of known malicious domains using the instructions found here: http://www.pintumbler.org/words/broagentforsguil-nowsupportsintellog, and saved this file in $bropath/share/bro/intel/intel_domans.dat. To test this list, I appended an entry for www.linux.com. All these files are tab delimited. We're having two large reliability issues with the intel framework:

1 - My rule for the reddit.com domain in intel.dat fires sporadically, and it seems like only for certain subnets / end users. I can not get that alert to trip for me by browsing to reddit.com, despite seeing these connections in http.log and conn.log. The rules for Intel::ADDR in intel.dat never fire, even though we do see connections to those addresses in conn.log. Where can I look for what may be causing this unreliable intel alerting? Obviously intel.dat is loaded correctly as reddit.com generates intel hits for *some* users. I haven't done anything to whitelist IPs or subnets from alerting (I don't even know where to do this).

2 - This could be the exact same problem as #1, but I don't seem to be getting any alerts from my intel_domains.dat file that I created. I tested this by adding www.linux.com as an intel rule, and it could just be that none of my user base that seems to be capable of generating alerts is visiting linux.com. I want to verify that I loaded this new file correctly.

The attached text file contains redacted information from our bro logs. I have my IP, and other endpoints that either have or should be generating alerts, and our proxy IP defined at the top. The first section should demonstrate that my IP is not generating intel hits even though the logs are present, and that others are generating intel hits. The second section is evidence of the Intel::ADDR rules that fail to fire at all. The third section is the __load__.bro file which I assume is all I need to modify in order to load my new intel_domains.dat file, created following the link above.
Please let me know if any more specific information could help pinpoint this issue and I'd be happy to provide! I'm excited to use Bro to identify (potential) compromise and hunt for other interesting things in my environment, but don't want to jump the gun and implement intel when it doesn't seem to be working reliably for us.

Thanks,
James Gordon
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: Intel Issues - Redacted.txt
Url: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160916/0a7f67e2/attachment.txt

From jazoff at illinois.edu Fri Sep 16 11:23:32 2016
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Fri, 16 Sep 2016 18:23:32 +0000
Subject: [Bro] Issues with intel framework
In-Reply-To: <080407FF-AAA8-4EA1-8671-AB3F75777E15@gmail.com>
References: <080407FF-AAA8-4EA1-8671-AB3F75777E15@gmail.com>
Message-ID: <28DD22CB-B27F-4591-B157-623A04B22C77@illinois.edu>

> On Sep 16, 2016, at 1:42 PM, James Gordon wrote:
>
> Hi all,
>
> I'm running Bro on a fairly new distributed security onion setup - we have 3 sensors running bro in our environment. We're running bro version 2.4.1. I've been wanting to add Critical Stack's intel agent into our stack, but wanted to test how the intel framework works before we set it all up. To test the framework, I added a test domain (www.reddit.com) and two test IP addresses to intel.dat. I also downloaded and formatted a list of known malicious domains using the instructions found here: http://www.pintumbler.org/words/broagentforsguil-nowsupportsintellog, and saved this file in $bropath/share/bro/intel/intel_domans.dat. To test this list, I appended an entry for www.linux.com. All these files are tab delimited. We're having two large reliability issues with the intel framework:
>
> 1 - My rule for the reddit.com domain in intel.dat fires sporadically, and it seems like only for certain subnets / end users.
> I can not get that alert to trip for me by browsing to reddit.com, despite seeing these connections in http.log and conn.log.

The good news is that bro appears to be working properly, but intel is just not doing what you want (which is much easier to fix than bro not working properly!)

It looks like http requests that are not matching are the proxy requests, correct? There is a small discrepancy in the code that logs http requests and the code that feeds into the intel system:

The logging code does this:

    event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=5
        {
        ...
        else if ( name == "HOST" )
            # The split is done to remove the occasional port value that shows up here.
            c$http$host = split_string1(value, /:/)[0];

While the intel code uses 'value' as is without stripping the port. If your client is sending the host header as www.reddit.com:443 that would cause this to not match.

If you add an entry to your intel file for www.reddit.com:443 does that fix that problem?

If it does, it's a simple fix to intel/seen/http-headers.bro to remove the port as well. I filed an issue to look into this:

https://bro-tracker.atlassian.net/browse/BIT-1695

> The rules for Intel::ADDR in intel.dat never fire, even though we do see connections to those addresses in conn.log.

The default behavior for connections in intel is that it only alerts for established connections. The two log entries you have there are failed connections. You can easily have it alert on failed inbound and failed outbound connections if you wanted though. I thought we had a script for that somewhere.. It would basically be the same as the ./policy/frameworks/intel/seen/conn-established.bro but using connection_attempt instead of connection_established.. something like

    event connection_attempt(c: connection)
        {
        Intel::seen([$host=c$id$orig_h, $conn=c, $where=Conn::IN_ORIG]);
        Intel::seen([$host=c$id$resp_h, $conn=c, $where=Conn::IN_RESP]);
        }

Or maybe just only one of orig/resp..
it likely depends on exactly what you care about :-)

--
- Justin Azoff

From gordonjamesr at gmail.com Fri Sep 16 11:59:18 2016
From: gordonjamesr at gmail.com (James Gordon)
Date: Fri, 16 Sep 2016 14:59:18 -0400
Subject: [Bro] Issues with intel framework
In-Reply-To: <28DD22CB-B27F-4591-B157-623A04B22C77@illinois.edu>
References: <080407FF-AAA8-4EA1-8671-AB3F75777E15@gmail.com> <28DD22CB-B27F-4591-B157-623A04B22C77@illinois.edu>
Message-ID: <678D5BB6-A6BC-4198-8B52-7873401ECD17@gmail.com>

Thanks Justin!

Adding an entry for www.reddit.com:443 seemed to do the trick. I'll experiment with removing the port from the http-headers.bro file in a test environment so that we don't have to add duplicate entries for all https sites. Unfortunately, I added another entry in the intel_domains.dat file for www.linux.com:443, and that still is not firing intel hits. I have '@load intel' in my local.bro file, and I modified intel's __load__.bro to include the new intel_domains.dat (as found in the original attachment). Is that all that should be necessary to load a new .dat into the intel framework?

Also, thanks for explaining the way connections are alerted on! I see value in alerting on failed outbound connections that we're suspicious about. This is probably a dumb question, but should I replace $bropath/policy/frameworks/intel/seen/conn-established.bro with a conn-attempted.bro, or will it be necessary to use both if I want to be alerted on both successful and attempted connections?

Thanks again,
James Gordon

> On Sep 16, 2016, at 2:23 PM, Azoff, Justin S wrote:
>
>
>> On Sep 16, 2016, at 1:42 PM, James Gordon wrote:
>>
>> Hi all,
>>
>> I'm running Bro on a fairly new distributed security onion setup - we have 3 sensors running bro in our environment. We're running bro version 2.4.1. I've been wanting to add Critical Stack's intel agent into our stack, but wanted to test how the intel framework works before we set it all up.
>> To test the framework, I added a test domain (www.reddit.com) and two test IP addresses to intel.dat. I also downloaded and formatted a list of known malicious domains using the instructions found here: http://www.pintumbler.org/words/broagentforsguil-nowsupportsintellog, and saved this file in $bropath/share/bro/intel/intel_domans.dat. To test this list, I appended an entry for www.linux.com. All these files are tab delimited. We're having two large reliability issues with the intel framework:
>>
>> 1 - My rule for the reddit.com domain in intel.dat fires sporadically, and it seems like only for certain subnets / end users. I can not get that alert to trip for me by browsing to reddit.com, despite seeing these connections in http.log and conn.log.
>
> The good news is that bro appears to be working properly, but intel is just not doing what you want (which is much easier to fix than bro not working properly!)
>
> It looks like http requests that are not matching are the proxy requests, correct? There is a small discrepancy in the code that logs http requests and the code that feeds into the intel system:
>
> The logging code does this:
>
> event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=5
>     {
>     ...
>     else if ( name == "HOST" )
>         # The split is done to remove the occasional port value that shows up here.
>         c$http$host = split_string1(value, /:/)[0];
>
> While the intel code uses 'value' as is without stripping the port. If your client is sending the host header as www.reddit.com:443 that would cause this to not match.
>
> If you add an entry to your intel file for www.reddit.com:443 does that fix that problem?
>
> If it does, it's a simple fix to intel/seen/http-headers.bro to remove the port as well. I filed an issue to look into this:
>
> https://bro-tracker.atlassian.net/browse/BIT-1695
>
>
>> The rules for Intel::ADDR in intel.dat never fire, even though we do see connections to those addresses in conn.log.
>
> The default behavior for connections in intel is that it only alerts for established connections. The two log entries you have there are failed connections. You can easily have it alert on failed inbound and failed outbound connections if you wanted though. I thought we had a script for that somewhere.. It would basically be the same as the ./policy/frameworks/intel/seen/conn-established.bro but using connection_attempt instead of connection_established.. something like
>
> event connection_attempt(c: connection)
>     {
>     Intel::seen([$host=c$id$orig_h, $conn=c, $where=Conn::IN_ORIG]);
>     Intel::seen([$host=c$id$resp_h, $conn=c, $where=Conn::IN_RESP]);
>     }
>
> Or maybe just only one of orig/resp.. it likely depends on exactly what you care about :-)
>
>
> --
> - Justin Azoff
>

From anthony.kasza at gmail.com Fri Sep 16 12:46:09 2016
From: anthony.kasza at gmail.com (anthony kasza)
Date: Fri, 16 Sep 2016 15:46:09 -0400
Subject: [Bro] Issues with intel framework
In-Reply-To: <678D5BB6-A6BC-4198-8B52-7873401ECD17@gmail.com>
References: <080407FF-AAA8-4EA1-8671-AB3F75777E15@gmail.com> <28DD22CB-B27F-4591-B157-623A04B22C77@illinois.edu> <678D5BB6-A6BC-4198-8B52-7873401ECD17@gmail.com>
Message-ID:

If I recall, the Intel framework is based on a seen script. You could easily draft your own extension script to strip port numbers, paths, or schema off HTTP Host headers using the url decompose script. Examples of Intel extensions are floating around on GitHub.

-AK

On Sep 16, 2016 3:14 PM, "James Gordon" wrote:
> Thanks Justin!
>
> Adding an entry for www.reddit.com:443 seemed to do the trick. I'll experiment with removing the port from the http-headers.bro file in a test environment so that we don't have to add duplicate entries for all https sites. Unfortunately, I added another entry in the intel_domains.dat file for www.linux.com:443, and that still is not firing intel hits.
> I have '@load intel' in my local.bro file, and I modified intel's __load__.bro to include the new intel_domains.dat (as found in the original attachment). Is that all that should be necessary to load a new .dat into the intel framework?
>
> Also, thanks for explaining the way connections are alerted on! I see value in alerting on failed outbound connections that we're suspicious about.
> This is probably a dumb question, but should I replace $bropath/policy/frameworks/intel/seen/conn-established.bro with a conn-attempted.bro, or will it be necessary to use both if I want to be alerted on both successful and attempted connections?
>
> Thanks again,
>
> James Gordon
>
>
>
> > On Sep 16, 2016, at 2:23 PM, Azoff, Justin S wrote:
> >
> >
> >> On Sep 16, 2016, at 1:42 PM, James Gordon wrote:
> >>
> >> Hi all,
> >>
> >> I'm running Bro on a fairly new distributed security onion setup - we have 3 sensors running bro in our environment. We're running bro version 2.4.1. I've been wanting to add Critical Stack's intel agent into our stack, but wanted to test how the intel framework works before we set it all up. To test the framework, I added a test domain (www.reddit.com) and two test IP addresses to intel.dat. I also downloaded and formatted a list of known malicious domains using the instructions found here: http://www.pintumbler.org/words/broagentforsguil-nowsupportsintellog, and saved this file in $bropath/share/bro/intel/intel_domans.dat. To test this list, I appended an entry for www.linux.com. All these files are tab delimited. We're having two large reliability issues with the intel framework:
> >>
> >> 1 - My rule for the reddit.com domain in intel.dat fires sporadically, and it seems like only for certain subnets / end users. I can not get that alert to trip for me by browsing to reddit.com, despite seeing these connections in http.log and conn.log.
> >
> > The good news is that bro appears to be working properly, but intel is just not doing what you want (which is much easier to fix than bro not working properly!)
> >
> > It looks like http requests that are not matching are the proxy requests, correct? There is a small discrepancy in the code that logs http requests and the code that feeds into the intel system:
> >
> > The logging code does this:
> >
> > event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=5
> >     {
> >     ...
> >     else if ( name == "HOST" )
> >         # The split is done to remove the occasional port value that shows up here.
> >         c$http$host = split_string1(value, /:/)[0];
> >
> > While the intel code uses 'value' as is without stripping the port. If your client is sending the host header as www.reddit.com:443 that would cause this to not match.
> >
> > If you add an entry to your intel file for www.reddit.com:443 does that fix that problem?
> >
> > If it does, it's a simple fix to intel/seen/http-headers.bro to remove the port as well. I filed an issue to look into this:
> >
> > https://bro-tracker.atlassian.net/browse/BIT-1695
> >
> >
> >> The rules for Intel::ADDR in intel.dat never fire, even though we do see connections to those addresses in conn.log.
> >
> > The default behavior for connections in intel is that it only alerts for established connections. The two log entries you have there are failed connections. You can easily have it alert on failed inbound and failed outbound connections if you wanted though. I thought we had a script for that somewhere.. It would basically be the same as the ./policy/frameworks/intel/seen/conn-established.bro but using connection_attempt instead of connection_established..
> > something like
> >
> > event connection_attempt(c: connection)
> >     {
> >     Intel::seen([$host=c$id$orig_h, $conn=c, $where=Conn::IN_ORIG]);
> >     Intel::seen([$host=c$id$resp_h, $conn=c, $where=Conn::IN_RESP]);
> >     }
> >
> > Or maybe just only one of orig/resp.. it likely depends on exactly what you care about :-)
> >
> >
> > --
> > - Justin Azoff
> >
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160916/30e7bdd8/attachment.html

From jazoff at illinois.edu Fri Sep 16 12:49:04 2016
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Fri, 16 Sep 2016 19:49:04 +0000
Subject: [Bro] Issues with intel framework
In-Reply-To: <678D5BB6-A6BC-4198-8B52-7873401ECD17@gmail.com>
References: <080407FF-AAA8-4EA1-8671-AB3F75777E15@gmail.com> <28DD22CB-B27F-4591-B157-623A04B22C77@illinois.edu> <678D5BB6-A6BC-4198-8B52-7873401ECD17@gmail.com>
Message-ID:

> On Sep 16, 2016, at 2:59 PM, James Gordon wrote:
>
> Thanks Justin!
>
> Adding an entry for www.reddit.com:443 seemed to do the trick. I'll experiment with removing the port from the http-headers.bro file in a test environment so that we don't have to add duplicate entries for all https sites. Unfortunately, I added another entry in the intel_domains.dat file for www.linux.com:443, and that still is not firing intel hits.

Is www.linux.com or www.linux.com:443 showing up anywhere? It should be in at least some of the dns/http/ssl logs

> I have '@load intel' in my local.bro file, and I modified intel's __load__.bro to include the new intel_domains.dat (as found in the original attachment). Is that all that should be necessary to load a new .dat into the intel framework?

Don't modify any of the installed scripts.
If you want to load an additional intel file use

    redef Intel::read_files += { "/some/filename.dat" };

in your local.bro or another script that you load from your local.bro

To avoid hardcoding the full path you can use

    redef Intel::read_files += { fmt("%s/filename.dat", @DIR) };

> Also, thanks for explaining the way connections are alerted on! I see value in alerting on failed outbound connections that we're suspicious about.
> This is probably a dumb question, but should I replace $bropath/policy/frameworks/intel/seen/conn-established.bro with a conn-attempted.bro, or will it be necessary to use both if I want to be alerted on both successful and attempted connections?
>
> Thanks again,
>
> James Gordon
>

You'll need both. Create an intel-conn-attempted.bro file next to your local.bro and include the code there.

--
- Justin Azoff

From jan.grashoefer at gmail.com Fri Sep 16 14:24:58 2016
From: jan.grashoefer at gmail.com (Jan Grashöfer)
Date: Fri, 16 Sep 2016 23:24:58 +0200
Subject: [Bro] Issues with intel framework
In-Reply-To:
References: <080407FF-AAA8-4EA1-8671-AB3F75777E15@gmail.com> <28DD22CB-B27F-4591-B157-623A04B22C77@illinois.edu> <678D5BB6-A6BC-4198-8B52-7873401ECD17@gmail.com>
Message-ID: <2d24faa1-87a0-ada9-8921-cde3f933b441@gmail.com>

> You'll need both. Create an intel-conn-attempted.bro file next to your local.bro and include the code there.

I guess this use case might be quite common. I would vote for adding a conn-attempted.bro to the seen scripts but require explicit loading.

Jan

From robin at icir.org Fri Sep 16 14:50:07 2016
From: robin at icir.org (Robin Sommer)
Date: Fri, 16 Sep 2016 14:50:07 -0700
Subject: [Bro] NSQ plugin getting deprecated in 2.5
In-Reply-To:
References:
Message-ID: <20160916215007.GM5321@icir.org>

On Mon, Sep 12, 2016 at 16:46 -0400, Munroe Sollog wrote:
> that works perfectly well (for NSQ at least) without having a viable alternative (RELP, a better Redis plugin, a dedicated NSQ plugin).
I don't know enough about NSQ/ElasticSearch to say much about the quality of the plugin. Is there a consensus that it works fine with NSQ, but not with ElasticSearch? The older thread seems to suggest that.

Note, the problem with the record field separators is addressed by now, Bro 2.5 comes with this new option:

https://www.bro.org/sphinx-git/scripts/base/frameworks/logging/main.bro.html?highlight=log%3A%3Adefault_scope_sep#id-Log::default_scope_sep

I'm wondering if there's anybody who'd be interested in taking over ownership of the plugin. We are planning to move bro-plugins/* into separately distributed Bro packages anyways, using the new Bro package manager. If somebody wanted to take ownership of the plugin that way, they could just start maintaining a package for it. An option could also be turning it into a NSQ-only plugin?

Robin

--
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin

From tgdesrochers at gmail.com Sat Sep 17 06:30:05 2016
From: tgdesrochers at gmail.com (Tim Desrochers)
Date: Sat, 17 Sep 2016 09:30:05 -0400
Subject: [Bro] [bro] SQL InjectionVictim
Message-ID:

I seem to get a lot of notices for SQL Injection Victim with the Address field as an external IP, a lot of times Amazon, or another large host. Why is this finding "Victims" that are not in my internal network as defined in network.cfg?

Is there a way to get this to only send notices when an internal host has an SQL attack?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160917/8da11a0e/attachment-0001.html

From jazoff at illinois.edu Sun Sep 18 18:51:53 2016
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Mon, 19 Sep 2016 01:51:53 +0000
Subject: [Bro] [bro] SQL InjectionVictim
In-Reply-To:
References:
Message-ID: <803DE1EF-6771-4205-B43D-2AE4593AEEF5@illinois.edu>

> On Sep 17, 2016, at 9:30 AM, Tim Desrochers wrote:
>
> I seem to get a lot of notices for SQL Injection Victim with the Address field as an external IP, a lot of times Amazon, or another large host. Why is this finding "Victims" that are not in my internal network as defined in network.cfg?
>
> Is there a way to get this to only send notices when an internal host has an SQL attack?
>

If you've set those notices to email by default:

    hook Notice::policy(n: Notice::Info)
        {
        if ( n$note == HTTP::SQL_Injection_Attacker && Site::is_local_addr(n$src) )
            {
            n$actions = set();
            break;
            }
        if ( n$note == HTTP::SQL_Injection_Victim && !Site::is_local_addr(n$src) )
            {
            n$actions = set();
            break;
            }
        }

Otherwise you could not add them to emailed notices and use the reverse policy to add the email action.

--
- Justin Azoff

From philosnef at yahoo.com Mon Sep 19 04:21:32 2016
From: philosnef at yahoo.com (philosnef)
Date: Mon, 19 Sep 2016 11:21:32 +0000 (UTC)
Subject: [Bro] Text wrong in survey
References: <1083030067.792007.1474284092703.ref@mail.yahoo.com>
Message-ID: <1083030067.792007.1474284092703@mail.yahoo.com>

See below. Heh. :) Forgot to update the survey!

BroCon 2016 Attendee Survey
Thank you for participating in the BroCon '15 Attendee Survey. Your response has been recorded.
-------------- next part --------------
An HTML attachment was scrubbed...
From jdopheid at illinois.edu Mon Sep 19 06:58:25 2016
From: jdopheid at illinois.edu (Dopheide, Jeannette M)
Date: Mon, 19 Sep 2016 13:58:25 +0000
Subject: [Bro] Text wrong in survey
In-Reply-To: <1083030067.792007.1474284092703@mail.yahoo.com>
References: <1083030067.792007.1474284092703.ref@mail.yahoo.com> <1083030067.792007.1474284092703@mail.yahoo.com>
Message-ID: <7B6B8113-F3BD-43BB-AA4A-D854B3B62505@illinois.edu>

Thank you for finding that. It's been updated.

------
Jeannette Dopheide
Training and Outreach Coordinator
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign

From: on behalf of philosnef
Reply-To: philosnef
Date: Monday, September 19, 2016 at 6:21 AM
To: "bro at bro.org"
Subject: [Bro] Text wrong in survey

See below. Heh. :) Forgot to update the survey!

BroCon 2016 Attendee Survey
Thank you for participating in the BroCon '15 Attendee Survey. Your response has been recorded.

From philosnef at yahoo.com Mon Sep 19 07:31:42 2016
From: philosnef at yahoo.com (philosnef)
Date: Mon, 19 Sep 2016 14:31:42 +0000 (UTC)
Subject: [Bro] cant clone bro github
References: <1992545892.902936.1474295502355.ref@mail.yahoo.com>
Message-ID: <1992545892.902936.1474295502355@mail.yahoo.com>

I am trying to clone out bro master from github, and I am getting the following issue:

error: while accessing https://github,.com/bro/bro/info/refs
fatal: HTTP request failed

Please advise. :)

Using git clone 'hxxps://github.com/bro/bro'
From jdopheid at illinois.edu Mon Sep 19 07:51:31 2016
From: jdopheid at illinois.edu (Dopheide, Jeannette M)
Date: Mon, 19 Sep 2016 14:51:31 +0000
Subject: [Bro] cant clone bro github
In-Reply-To: <1992545892.902936.1474295502355@mail.yahoo.com>
References: <1992545892.902936.1474295502355.ref@mail.yahoo.com> <1992545892.902936.1474295502355@mail.yahoo.com>
Message-ID: <72D3457A-EAAE-475E-945D-4AF56F48DE69@illinois.edu>

Is that URL a typo? I see a comma before the .com in github.

------
Jeannette Dopheide
Training and Outreach Coordinator
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign

From: on behalf of philosnef
Reply-To: philosnef
Date: Monday, September 19, 2016 at 9:31 AM
To: "bro at bro.org"
Subject: [Bro] cant clone bro github

I am trying to clone out bro master from github, and I am getting the following issue:

error: while accessing https://github,.com/bro/bro/info/refs
fatal: HTTP request failed

Please advise. :)

Using git clone 'hxxps://github.com/bro/bro'

From philosnef at yahoo.com Mon Sep 19 07:53:05 2016
From: philosnef at yahoo.com (philosnef)
Date: Mon, 19 Sep 2016 14:53:05 +0000 (UTC)
Subject: [Bro] cant clone bro github
In-Reply-To: <72D3457A-EAAE-475E-945D-4AF56F48DE69@illinois.edu>
References: <1992545892.902936.1474295502355.ref@mail.yahoo.com> <1992545892.902936.1474295502355@mail.yahoo.com> <72D3457A-EAAE-475E-945D-4AF56F48DE69@illinois.edu>
Message-ID: <208790831.935002.1474296785747@mail.yahoo.com>

Ah yes, typo when I put it in the email. No typo at the command line. Just errors out on /info/refs for some reason.
On Monday, September 19, 2016 10:51 AM, "Dopheide, Jeannette M" wrote:

Is that URL a typo? I see a comma before the .com in github.

------
Jeannette Dopheide
Training and Outreach Coordinator
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign

From: on behalf of philosnef
Reply-To: philosnef
Date: Monday, September 19, 2016 at 9:31 AM
To: "bro at bro.org"
Subject: [Bro] cant clone bro github

I am trying to clone out bro master from github, and I am getting the following issue:

error: while accessing https://github,.com/bro/bro/info/refs
fatal: HTTP request failed

Please advise. :)

Using git clone 'hxxps://github.com/bro/bro'
From jazoff at illinois.edu Mon Sep 19 07:55:17 2016
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Mon, 19 Sep 2016 14:55:17 +0000
Subject: [Bro] NSQ plugin getting deprecated in 2.5
In-Reply-To: <20160916215007.GM5321@icir.org>
References: <20160916215007.GM5321@icir.org>
Message-ID: <62C23783-3207-4A45-A974-8A997C2F644A@illinois.edu>

> On Sep 16, 2016, at 5:50 PM, Robin Sommer wrote:
>
>
> I'm wondering if there's anybody who'd be interested in taking over
> ownership of the plugin. We are planning to move bro-plugins/* into
> separately distributed Bro packages anyways, using the new Bro package
> manager. If somebody wanted to take ownership of the plugin that way,
> they could just start maintaining a package for it. An option could
> also be turning it into a NSQ-only plugin?
>
> Robin

I was thinking the same thing.

I think the issues with the elasticsearch plugin were that bro -> remote ES never worked well in practice and users were better off using something else to get logs into ES.

But bro -> local NSQ was rock solid for the people that used it.

Also, another thing to keep in mind is that there are only a few lines in the entire plugin that are actually specific to NSQ; with a few strings moved into options it could possibly be turned into a generic http/json log writer.

--
- Justin Azoff

From philosnef at yahoo.com Mon Sep 19 08:17:03 2016
From: philosnef at yahoo.com (philosnef)
Date: Mon, 19 Sep 2016 15:17:03 +0000 (UTC)
Subject: [Bro] compile errors with master
References: <988189258.914655.1474298223391.ref@mail.yahoo.com>
Message-ID: <988189258.914655.1474298223391@mail.yahoo.com>

See attached. I've cut and pasted the last bit of the cmake files as well. The error is associated with:

"Can't determine if openssl_d2i_x509() takes const char parameter"

Is there a way to disable this?
I have openssl-devel installed (RHEL6).

cmake error
----
/usr/bin/c++    -stdlib=libc++ -I/include/c++/v1 -L/lib  -Wall -Wno-unused -DOPENSSL_D2I_X509_USES_CHAR -I/opt/src/bro_25_master/direct_dl/bro-2.5-beta/build/aux/binpac/lib -I/opt/src/bro_25_master/direct_dl/bro-2.5-beta/aux/binpac/lib -I/usr/local/include    -o CMakeFiles/cmTryCompileExec3979421985.dir/src.cxx.o -c /opt/src/bro_25_master/direct_dl/bro-2.5-beta/build/CMakeFiles/CMakeTmp/src.cxx
cc1plus: error: unrecognized command line option "-stdlib=libc++"
gmake[1]: *** [CMakeFiles/cmTryCompileExec3979421985.dir/src.cxx.o] Error 1
gmake[1]: Leaving directory `/opt/src/bro_25_master/direct_dl/bro-2.5-beta/build/CMakeFiles/CMakeTmp'
gmake: *** [cmTryCompileExec3979421985/fast] Error 2

Source file was:
        #include 
        int main() {
            unsigned char** cpp = 0;
            X509** x =0;
            d2i_X509(x, cpp, 0);
            return 0;
        }
---

cmake output
---
Run Build Command:/usr/bin/gmake "cmTryCompileExec3395688437/fast"
/usr/bin/gmake -f CMakeFiles/cmTryCompileExec3395688437.dir/build.make CMakeFiles/cmTryCompileExec3395688437.dir/build
gmake[1]: Entering directory `/opt/src/bro_25_master/direct_dl/bro-2.5-beta/build/CMakeFiles/CMakeTmp'
/usr/bin/cmake -E cmake_progress_report /opt/src/bro_25_master/direct_dl/bro-2.5-beta/build/CMakeFiles/CMakeTmp/CMakeFiles 1
Building C object CMakeFiles/cmTryCompileExec3395688437.dir/src.c.o
/usr/bin/cc   -Wall -Wno-unused -Dopenssl_greater_than_0_9_7 -I/opt/src/bro_25_master/direct_dl/bro-2.5-beta/build/aux/binpac/lib -I/opt/src/bro_25_master/direct_dl/bro-2.5-beta/aux/binpac/lib -I/usr/local/include    -o CMakeFiles/cmTryCompileExec3395688437.dir/src.c.o   -c /opt/src/bro_25_master/direct_dl/bro-2.5-beta/build/CMakeFiles/CMakeTmp/src.c
Linking C executable cmTryCompileExec3395688437
/usr/bin/cmake -E cmake_link_script CMakeFiles/cmTryCompileExec3395688437.dir/link.txt --verbose=1
/usr/bin/cc   -Wall -Wno-unused -Dopenssl_greater_than_0_9_7    -pthread CMakeFiles/cmTryCompileExec3395688437.dir/src.c.o  -o cmTryCompileExec3395688437 -rdynamic -lssl -lcrypto
gmake[1]: Leaving directory `/opt/src/bro_25_master/direct_dl/bro-2.5-beta/build/CMakeFiles/CMakeTmp'

Source file was:
    #include 
    int main() {
        OPENSSL_add_all_algorithms_conf();
        return 0;
    }
---

From daniel.guerra69 at gmail.com Mon Sep 19 08:52:11 2016
From: daniel.guerra69 at gmail.com (Daniel Guerra)
Date: Mon, 19 Sep 2016 17:52:11 +0200
Subject: [Bro] NSQ plugin getting deprecated in 2.5
In-Reply-To: <62C23783-3207-4A45-A974-8A997C2F644A@illinois.edu>
References: <20160916215007.GM5321@icir.org> <62C23783-3207-4A45-A974-8A997C2F644A@illinois.edu>
Message-ID:

I love kibana as a frontend and elasticsearch. In 2.4.1 it worked fine with proportional elastic power and nginx. When elastic is underpowered for the speed you are creating logs it's obvious to have problems (timeout). The efficiency of elasticsearch is not so well? java.

I think it's better to focus on kafka and use an elastic river. This is how graylog works and that goes pretty well.

It would be handy to have a unique name/type combination, it doesn't matter in what kind of log (ssh.log version: string; http.log version: integer). Every collision in this causes lots of logging in elastic. A script sanity check would be great for this.

Maybe elastic wants to be owner of this plugin? Splunk also provides a bro plugin + config.

Daniel Guerra

> On 19 Sep 2016, at 16:55, Azoff, Justin S wrote:
>
>
>> On Sep 16, 2016, at 5:50 PM, Robin Sommer wrote:
>>
>>
>> I'm wondering if there's anybody who'd be interested in taking over
>> ownership of the plugin. We are planning to move bro-plugins/* into
>> separately distributed Bro packages anyways, using the new Bro package
>> manager.
>> If somebody wanted to take ownership of the plugin that way,
>> they could just start maintaining a package for it. An option could
>> also be turning it into a NSQ-only plugin?
>>
>> Robin
>
> I was thinking the same thing.
>
> I think the issues with the elasticsearch plugin were that bro -> remote ES never worked well in practice and users were better off using something else to get logs into ES.
>
> But bro -> local NSQ was rock solid for the people that used it.
>
> Also, another thing to keep in mind is that there are only a few lines in the entire plugin that are actually specific to NSQ, with a few strings moved into options it could possibly be turned into a generic http/json log writer.
>
>
> --
> - Justin Azoff
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From vladg at illinois.edu Mon Sep 19 08:59:53 2016
From: vladg at illinois.edu (Vlad Grigorescu)
Date: Mon, 19 Sep 2016 10:59:53 -0500
Subject: [Bro] NSQ plugin getting deprecated in 2.5
In-Reply-To: <62C23783-3207-4A45-A974-8A997C2F644A@illinois.edu>
References: <20160916215007.GM5321@icir.org> <62C23783-3207-4A45-A974-8A997C2F644A@illinois.edu>
Message-ID:

I can try to summarize the current status of the plugin, to give this discussion some additional context:

* A large stream of log output to NSQ is working. I was pushing about 1 billion log lines/day for months with no issues.

* ElasticSearch output stopped working with ElasticSearch version 2.0, since they changed the delimiter rules. However, this should be fixable with the change Seth introduced for 2.5 (and perhaps we should update that to be the default?)

* A medium to large stream of log output to ElasticSearch requires a lot of tuning and I think is still problematic. I think memory slowly creeps up in most cases (ElasticSearch starts garbage-collecting, and stops responding for a while).
I haven't done work with ElasticSearch 2.0 to see how that affects this. Perhaps splitting out the logger node will help with this? I'm not sure.

* I think that the main issue that Seth was referencing is that the log writer doesn't check the response code from NSQ or ElasticSearch. If the server responds with a 500 or other error code, it might make sense to retry sending the messages a couple of times? Right now, they just get dropped, so this can be a lossy log writer.

So, I'm a bit hesitant to deprecate this, since I think it still works for NSQ, and it still works (in some cases) for ElasticSearch. Ironically, it works better for ElasticSearch in 2.5 than it would for 2.4.1, since the delimiter configuration option was introduced.

That being said, I'm also hesitant to take this on myself, simply because we don't have an ElasticSearch cluster at NCSA.

I think it makes sense to generalize this as an HTTP/JSON log writer, but we still need to tackle the question of what we do with messages that fail to be delivered.

Generalizing it might be a bit tricky. For example, ElasticSearch needs to post to http://1.2.3.4:9000/$log_name, while NSQ needs to add a line containing the log_name before each log line.

--Vlad

"Azoff, Justin S" writes:

>> On Sep 16, 2016, at 5:50 PM, Robin Sommer wrote:
>>
>>
>> I'm wondering if there's anybody who'd be interested in taking over
>> ownership of the plugin. We are planning to move bro-plugins/* into
>> separately distributed Bro packages anyways, using the new Bro package
>> manager. If somebody wanted to take ownership of the plugin that way,
>> they could just start maintaining a package for it. An option could
>> also be turning it into a NSQ-only plugin?
>>
>> Robin
>
> I was thinking the same thing.
>
> I think the issues with the elasticsearch plugin were that bro -> remote ES never worked well in practice and users were better off using something else to get logs into ES.
>
> But bro -> local NSQ was rock solid for the people that used it.
>
> Also, another thing to keep in mind is that there are only a few lines in the entire plugin that are actually specific to NSQ, with a few strings moved into options it could possibly be turned into a generic http/json log writer.
>
>
> --
> - Justin Azoff

From jazoff at illinois.edu Mon Sep 19 09:15:40 2016
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Mon, 19 Sep 2016 16:15:40 +0000
Subject: [Bro] NSQ plugin getting deprecated in 2.5
In-Reply-To:
References: <20160916215007.GM5321@icir.org> <62C23783-3207-4A45-A974-8A997C2F644A@illinois.edu>
Message-ID: <26F0D80F-680B-4128-8C20-4F1FF6A6BDB6@illinois.edu>

> On Sep 19, 2016, at 11:59 AM, Vlad Grigorescu wrote:
>
> Generalizing it might be a bit tricky. For example, ElasticSearch needs
> to post to http://1.2.3.4:9000/$log_name, while NSQ needs to add a
> line containing the log_name before each log line.

That wasn't really NSQ that required that, it was whatever was pulling the records out of NSQ and pushing them into ES that wanted that. I think the new logging ext stuff that was added for kafka would make that extra record redundant now.
--
- Justin Azoff

From matiasdavaro at gmail.com Mon Sep 19 12:31:59 2016
From: matiasdavaro at gmail.com (Matias Davaro)
Date: Mon, 19 Sep 2016 15:31:59 -0400
Subject: [Bro] bro scripting issue
Message-ID:

Hello,

I am trying to learn bro programming language and as an exercise, was attempting to convert this cli one liner,

bro-cut id.orig_h id.resp_h method host referrer < http.log | awk '$3 ~/POST/ && $5 !~/[a-zA-Z]/ {print $2"\t"$4}' | sort -u

into the following code:

module HTTP;

export {
    const http_resp_whitelist = set("otf.msn.com", "www.bing.com");
}

event http_header(c: connection, is_orig: bool, name: string, value: string)
    {
    if ( c$http$method == "POST" && c$http?$referrer == F && name == "HOST"
         && c$http$host !in http_resp_whitelist )
        {
        print fmt("%s, %s", c$id$resp_h, c$http$host);
        }
    }

my objective is to print http posts with no referrers and have a whitelist that includes search engines and other sites I'll add later. Though it works for the one pcap I originally wrote it for, it does not work for other ones, still printing http posts whether they have a referrer or not. Is name = "HOST" necessary? When I remove it, it gives me the field value missing error. If anyone could point me in the right direction, it would be appreciated. Again, any critiques or recommendations would be appreciated. Thank you.

Matias

From anthony.kasza at gmail.com Mon Sep 19 12:59:49 2016
From: anthony.kasza at gmail.com (anthony kasza)
Date: Mon, 19 Sep 2016 15:59:49 -0400
Subject: [Bro] bro scripting issue
In-Reply-To:
References:
Message-ID:

Have you tried putting the referer field existence check in its own if statement before you check the values of anything else?
-AK

On Sep 19, 2016 3:40 PM, "Matias Davaro" wrote:

Hello,

I am trying to learn bro programming language and as an exercise, was attempting to convert this cli one liner,

bro-cut id.orig_h id.resp_h method host referrer < http.log | awk '$3 ~/POST/ && $5 !~/[a-zA-Z]/ {print $2"\t"$4}' | sort -u

into the following code:

module HTTP;

export {
    const http_resp_whitelist = set("otf.msn.com", "www.bing.com");
}

event http_header(c: connection, is_orig: bool, name:string, value:string)
    {
    if (c$http$method == "POST" && c$http?$referrer == F && name == "HOST" && c$http$host ! in http_resp_whitelist) {
        print fmt("%s, %s", c$id$resp_h, c$http$host);
    }
    }

my objective is to print http posts with no referrers and have a whitelist that includes search engines and other sites I'll add later. Though it works for the one pcap I originally wrote it for, it does not work for other ones, still printing http posts whether they have a referrer or not. Is name = "HOST" necessary? When I remove it, it gives me the field value missing error. If anyone could point me in the right direction, it would be appreciated. Again, any critiques or recommendations would be appreciated. Thank you.

Matias

From dopheide at gmail.com Mon Sep 19 13:17:08 2016
From: dopheide at gmail.com (Mike Dopheide)
Date: Mon, 19 Sep 2016 15:17:08 -0500
Subject: [Bro] bro scripting issue
In-Reply-To:
References:
Message-ID:

I believe the problem here is that the 'http_header' event is called for every http header. Depending on when "referrer" gets processed, c$http?$referrer may very well not exist for the connection yet. You may want to use http_all_headers instead.
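Mike Dopheide's suggestion carried through, as an added example that is not code from the thread or from Bro's own scripts: the check moves from http_header to http_all_headers, which Bro raises once per message after every http_header event for that message has been handled, so base/protocols/http has already filled in c$http$host and c$http$referrer (when those headers were present) by the time it runs. The two whitelist entries are the ones from Matias's script; the seen_posts set is an assumption added to reproduce the de-duplication that sort -u did in his one-liner.

```bro
@load base/protocols/http

module HTTP;

export {
    ## Servers for which a referrer-less POST is expected (list from the thread).
    const http_resp_whitelist: set[string] = { "otf.msn.com", "www.bing.com" } &redef;
}

# (resp_h, host) pairs already printed, so each pair is reported once,
# mirroring the sort -u in the one-liner. Assumed 1-day memory.
global seen_posts: set[addr, string] &create_expire=1day;

# http_all_headers fires after all http_header events of a message, so the
# optional c$http fields are in their final state here; checking referrer
# inside http_header races against the order the headers arrive in.
event http_all_headers(c: connection, is_orig: bool, hlist: mime_header_list)
    {
    # Only the client's message carries the method and a Referer header.
    if ( ! is_orig || ! c?$http )
        return;

    if ( ! c$http?$method || c$http$method != "POST" )
        return;

    # The one-liner's $5 !~ /[a-zA-Z]/: the request had no Referer at all.
    if ( c$http?$referrer )
        return;

    # Without a Host header there is nothing to compare against the whitelist.
    if ( ! c$http?$host || c$http$host in http_resp_whitelist )
        return;

    if ( [c$id$resp_h, c$http$host] in seen_posts )
        return;

    add seen_posts[c$id$resp_h, c$http$host];
    print fmt("%s\t%s", c$id$resp_h, c$http$host);
    }
```

Run it as bro -r some.pcap this-script.bro. Each condition is tested with the ?$ existence operator before the field is read, which is what removes the "field value missing" error Matias hit when he dropped the name == "HOST" guard: that guard was only working by accident, because the Host header happened to be processed before the handler ran, while the Referer header often had not been yet.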
-Dop

On Mon, Sep 19, 2016 at 2:31 PM, Matias Davaro wrote:

> Hello,
>
> I am trying to learn bro programming language and as an exercise, was
> attempting to convert this cli one liner,
>
> bro-cut id.orig_h id.resp_h method host referrer < http.log | awk '$3
> ~/POST/ && $5 !~/[a-zA-Z]/ {print $2"\t"$4}' | sort -u
>
> into the following code:
>
> module HTTP;
>
> export {
>
> const http_resp_whitelist = set("otf.msn.com", "www.bing.com");
>
> }
>
> event http_header(c: connection, is_orig: bool, name:string, value:string)
> {
> if (c$http$method == "POST" && c$http?$referrer == F && name == "HOST"
> && c$http$host ! in http_resp_whitelist) {
> print fmt("%s, %s", c$id$resp_h, c$http$host);
>
> }
> }
>
> my objective is to print http posts with no referrers and have a whitelist
> that includes search engines and other sites i'll add later. Though it
> works for the one pcap I originally wrote it for, it does not work for
> other ones, still printing http posts whether they have a referrer or not.
> is name = "HOST" necessary? When I remove it, it gives me the field value
> missing error. If anyone could point me in the right direction, it would be
> appreciated. Again, any critiques or recommendations would be appreciated.
> Thank you.
>
>
> Matias
>

From dnj0496 at gmail.com Mon Sep 19 17:53:04 2016
From: dnj0496 at gmail.com (Dk Jack)
Date: Mon, 19 Sep 2016 17:53:04 -0700
Subject: [Bro] expire entries
Message-ID:

Hi,

In my plugin, I am maintaining a cache of data that needs to be expired on a periodic basis. I see that there are a couple of classes that could be useful, i.e. the Timer and TimerMgr classes. However, I am not sure how they work.
Would appreciate it if someone can point me to some documentation on how to use them.

Thanks.
Dk.

From philosnef at yahoo.com Tue Sep 20 04:55:53 2016
From: philosnef at yahoo.com (philosnef)
Date: Tue, 20 Sep 2016 11:55:53 +0000 (UTC)
Subject: [Bro] problems compiling bro 25 master on centos 6
References: <2077914991.1502439.1474372553218.ref@mail.yahoo.com>
Message-ID: <2077914991.1502439.1474372553218@mail.yahoo.com>

See the following cmake error. I have run --disable-auxtools and --disable-broccoli. Not exactly sure where this is breaking.

---
/usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/bits/move.h:57:14: error:
      rvalue reference to type 'typename std::remove_reference::type' (aka 'BuiltinFuncArg *') cannot bind to lvalue of type
      'BuiltinFuncArg *'
    { return __t; }
             ^~~
/usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/bits/stl_vector.h:747:27: note:
      in instantiation of function template specialization
      'std::move' requested here
      { emplace_back(std::move(__x)); }
                                 ^
builtin-func.y:611:12: note: in instantiation of member function
      'std::vector >::push_back' requested here
    { args.push_back(new BuiltinFuncArg((yyvsp[(1) - (5)].str), (yyvsp[(...
           ^
In file included from builtin-func.y:2:
In file included from /usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/vector:69:
/usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/bits/vector.tcc:96:9: error:
      no matching function for call to 'forward'
                                    std::forward<_Args>(__args)...);
                                    ^~~~~~~~~~~~~~~~~~~
/usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/bits/stl_vector.h:747:9: note:
      in instantiation of function template specialization
      'std::vector >::emplace_back' requested here
      { emplace_back(std::move(__x)); }
        ^
builtin-func.y:611:12: note: in instantiation of member function
      'std::vector >::push_back' requested here
    { args.push_back(new BuiltinFuncArg((yyvsp[(1) - (5)].str), (yyvsp[(...
           ^
/usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/bits/move.h:51:5: note:
      candidate function [with _Tp = BuiltinFuncArg *] not viable: no known
      conversion from 'BuiltinFuncArg *' to 'typename
      std::identity::type &&' (aka 'BuiltinFuncArg *&&') for
      1st argument
    forward(typename std::identity<_Tp>::type&& __t)
    ^
2 errors generated.
make[3]: *** [src/CMakeFiles/bifcl.dir/bif_parse.cc.o] Error 1
make[3]: Leaving directory `/opt/src/bro_25_master/direct_dl/bro-2.5-beta.master/build'
make[2]: *** [src/CMakeFiles/bifcl.dir/all] Error 2
make[2]: Leaving directory `/opt/src/bro_25_master/direct_dl/bro-2.5-beta.master/build'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/opt/src/bro_25_master/direct_dl/bro-2.5-beta.master/build'
make: *** [all] Error 2
---

From robin at icir.org Tue Sep 20 08:36:08 2016
From: robin at icir.org (Robin Sommer)
Date: Tue, 20 Sep 2016 08:36:08 -0700
Subject: [Bro] expire entries
In-Reply-To:
References:
Message-ID: <20160920153608.GE82827@icir.org>

On Mon, Sep 19, 2016 at 17:53 -0700, Dk Jack wrote:

> I see that there are a couple of classes that could be useful...i.e.
> the Timer and TimerMgr classes. However, I am not sure how they work.

Generally you need to derive your own timer class from Timer and override the Dispatch() method.
Then create an instance of your new class and call timer_mgr->Add(instance).

There are a few examples across the code base; look for instance at the FileTimer in src/file_analysis/FileTimer.h and how it is used in File::ScheduleInactivityTimer() in src/file_analysis/File.cc

One note: You don't mention what type of plugin you are writing. If you're adding a component that runs inside its own thread (log writer, input reader), you cannot use the built-in timer machinery, as it's not thread-safe.

Robin

--
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin

From andrew_duba at wustl.edu Tue Sep 20 09:37:20 2016
From: andrew_duba at wustl.edu (Duba, Andrew)
Date: Tue, 20 Sep 2016 16:37:20 +0000
Subject: [Bro] Scripting question concerning web brute force attacks
Message-ID:

Back from Brocon and am stoked about writing my first script! So I'm interested in detecting multiple visits to login pages for common content managers (wordpress, joomla, drupal, etc) in order to spot potential password guessing attacks. I took a look at some bro samples and came up with the code that is below. I planned on using a http_request event handler to check for requests to login pages and increment a counter. Question is how do I do this by the origin and destination ip addresses (i.e. if xxx.xxx.xxx.xxx and yyy.yyy.yyy.yyy both attempt to login to the server zzz.zzz.zzz.zzz, how do I prevent xxx.xxx.xxx.xxx and yyy.yyy.yyy.yyy from being counted by the same counter?)

P.S. Sorry in advance if this is the wrong forum to ask for coding advice.

@load base/protocols/http
@load base/protocols/ssl

module HTTP;

export {
    redef enum Notice::Type += {
        Drupal_Password_Attack,
        Joomla_Password_Attack,
        Wordpress_Password_Attack
    };
    .
    .
    .
event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string) &priority=5
    {
    if ( /wp-login\.php/ in original_URI )
        {
        ## TODO: If we get here increment a counter of visits for this particular ip address
        }
    }

From anthony.kasza at gmail.com Tue Sep 20 09:53:00 2016
From: anthony.kasza at gmail.com (anthony kasza)
Date: Tue, 20 Sep 2016 12:53:00 -0400
Subject: [Bro] Scripting question concerning web brute force attacks
In-Reply-To:
References:
Message-ID:

You could create a global table indexed by orig IP with a type of count. Then increment each IP's count within an HTTP event. You'll also likely want to include an expiration timer on the table's entries.

Feel free to ask more questions!

-AK

On Sep 20, 2016 12:40 PM, "Duba, Andrew" wrote:

> Back from Brocon and am stoked about writing my first script! So I'm
> interested in detecting multiple visits to login pages for common content
> managers (wordpress, joomla, drupal, etc) in order to spot potential
> password guessing attacks. I took a look at some bro samples came up with
> the code that is below. I planned on using a http_request event handler to
> check for requests to login pages and increment a counter. Question is how
> do I this by the origin and destination ip addresses (I.e. If
> xxx.xxx.xxx.xxx and yyy.yyy.yyy.yyy both attempt to login to the server
> zzz.zzz.zzz.zzz how do I prevent xxx.xxx.xxx.xxx and yyy.yyy.yyy.yyy from
> being counted by the same counter?)
>
> P.S. Sorry in advance if this is the wrong forum to ask for coding advice.
>
> @load base/protocols/http
> @load base/protocols/ssl
>
> module HTTP;
>
> export {
> redef enum Notice::Type += {
> Drupal_Password_Attack,
> Joomla_Password_Attack,
> Wordpress_Password_Attack
> };
> .
> .
> .
> event http_request(c: connection, method: string, original_URI: string,
> unescaped_URI: string, version: string) &priority=5)
> {
> if(/wp-login\.php/ in original_URI)
> {
> ## TODO: If we get here increment a counter of visits for this particular
> ip address
>
> }
>
> }
>

From jlay at slave-tothe-box.net Tue Sep 20 10:01:07 2016
From: jlay at slave-tothe-box.net (James Lay)
Date: Tue, 20 Sep 2016 11:01:07 -0600
Subject: [Bro] Bro and nDPI integration
Message-ID:

Hey All,

So I see that this question was posed a couple years ago without much traction. I wondered if anyone has looked into this? Haven't found much online and this is something I would like to do. Thank you for any assistance.

James

From jazoff at illinois.edu Tue Sep 20 10:26:36 2016
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Tue, 20 Sep 2016 17:26:36 +0000
Subject: [Bro] Scripting question concerning web brute force attacks
In-Reply-To:
References:
Message-ID:

> On Sep 20, 2016, at 12:37 PM, Duba, Andrew wrote:
>
> Back from Brocon and am stoked about writing my first script! So I'm interested in detecting multiple visits to login pages for common content managers (wordpress, joomla, drupal, etc) in order to spot potential password guessing attacks. I took a look at some bro samples came up with the code that is below. I planned on using a http_request event handler to check for requests to login pages and increment a counter. Question is how do I this by the origin and destination ip addresses (I.e.
> If xxx.xxx.xxx.xxx and yyy.yyy.yyy.yyy both attempt to login to the server zzz.zzz.zzz.zzz how do I prevent xxx.xxx.xxx.xxx and yyy.yyy.yyy.yyy from being counted by the same counter?)
>
> P.S. Sorry in advance if this is the wrong forum to ask for coding advice.

I would take a look at scripts/policy/protocols/http/detect-sqli.bro

It's a bit verbose but does basically the same thing you are looking for (it's 2x as big though because it tracks attackers and victims separately, so you'd still notice a distributed attack against a single victim)

-- 
- Justin Azoff

From seth at icir.org Wed Sep 21 07:53:51 2016
From: seth at icir.org (Seth Hall)
Date: Wed, 21 Sep 2016 10:53:51 -0400
Subject: [Bro] Bro and nDPI integration
In-Reply-To:
References:
Message-ID: <562D6391-08FB-4AE5-8BCE-6E4BB3C65C0E@icir.org>

> On Sep 20, 2016, at 1:01 PM, James Lay wrote:
>
> So I see that this question was posed a couple years ago without much traction. I wondered if anyone has looked into this? Haven't found much online and this is something I would like to do. Thank you for any assistance.

Something similar to nDPI can be done with a script package I released quietly through Broala (which will be moving over to our Corelight account eventually and integrated into the Bro Package Manager) a while ago. We don't have a ton of signatures in there yet, but it shows the infrastructure necessary to do basically the same detection that nDPI is doing.
https://github.com/broala/bro-protosigs

  .Seth

-- 
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From seth at icir.org Wed Sep 21 07:56:08 2016
From: seth at icir.org (Seth Hall)
Date: Wed, 21 Sep 2016 10:56:08 -0400
Subject: [Bro] problems compiling bro 25 master on centos 6
In-Reply-To: <2077914991.1502439.1474372553218@mail.yahoo.com>
References: <2077914991.1502439.1474372553218.ref@mail.yahoo.com> <2077914991.1502439.1474372553218@mail.yahoo.com>
Message-ID: <9032F049-4BC1-44EE-A54A-2A6C146ABED1@icir.org>

Is this on RedHat or CentOS 6.x? I'm not sure if anyone has tried building on those.

  .Seth

> On Sep 20, 2016, at 7:55 AM, philosnef wrote:
>
> See the following cmake error. I have run --disable-auxtools and --disable-broccoli. Not exactly sure where this is breaking.
>
> ---
> /usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/bits/move.h:57:14: error:
>       rvalue reference to type 'typename std::remove_reference *&>::type' (aka 'BuiltinFuncArg *') cannot bind to lvalue of type
>       'BuiltinFuncArg *'
>     { return __t; }
>              ^~~
> /usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/bits/stl_vector.h:747:27: note:
>       in instantiation of function template specialization
>       'std::move' requested here
>       { emplace_back(std::move(__x)); }
>                                 ^
> builtin-func.y:611:12: note: in instantiation of member function
>       'std::vector
>       >::push_back' requested here
>     { args.push_back(new BuiltinFuncArg((yyvsp[(1) - (5)].str), (yyvsp[(...
>            ^
> In file included from builtin-func.y:2:
> In file included from /usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/vector:69:
> /usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/bits/vector.tcc:96:9: error:
>       no matching function for call to 'forward'
>                                   std::forward<_Args>(__args)...);
>                                   ^~~~~~~~~~~~~~~~~~~
> /usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/bits/stl_vector.h:747:9: note:
>       in instantiation of function template specialization
>       'std::vector
>       >::emplace_back' requested here
>       { emplace_back(std::move(__x)); }
>         ^
> builtin-func.y:611:12: note: in instantiation of member function
>       'std::vector
>       >::push_back' requested here
>     { args.push_back(new BuiltinFuncArg((yyvsp[(1) - (5)].str), (yyvsp[(...
>            ^
> /usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/bits/move.h:51:5: note:
>       candidate function [with _Tp = BuiltinFuncArg *] not viable: no known
>       conversion from 'BuiltinFuncArg *' to 'typename
>       std::identity::type &&' (aka 'BuiltinFuncArg *&&') for
>       1st argument
>     forward(typename std::identity<_Tp>::type&& __t)
>     ^
> 2 errors generated.
> make[3]: *** [src/CMakeFiles/bifcl.dir/bif_parse.cc.o] Error 1
> make[3]: Leaving directory `/opt/src/bro_25_master/direct_dl/bro-2.5-beta.master/build'
> make[2]: *** [src/CMakeFiles/bifcl.dir/all] Error 2
> make[2]: Leaving directory `/opt/src/bro_25_master/direct_dl/bro-2.5-beta.master/build'
> make[1]: *** [all] Error 2
> make[1]: Leaving directory `/opt/src/bro_25_master/direct_dl/bro-2.5-beta.master/build'
> make: *** [all] Error 2
> ---
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

-- 
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From jlay at slave-tothe-box.net Wed Sep 21 07:58:13 2016
From: jlay at slave-tothe-box.net (James Lay)
Date: Wed, 21 Sep 2016 08:58:13 -0600
Subject: [Bro] Bro and nDPI integration
In-Reply-To: <562D6391-08FB-4AE5-8BCE-6E4BB3C65C0E@icir.org>
References: <562D6391-08FB-4AE5-8BCE-6E4BB3C65C0E@icir.org>
Message-ID:

On 2016-09-21 08:53, Seth Hall wrote:
>> On Sep 20, 2016, at 1:01 PM, James Lay wrote:
>>
>> So I see that this question was posed a couple years ago without much
>> traction. I wondered if anyone has looked into this? Haven't found
>> much online and this is something I would like to do. Thank you for
>> any assistance.
>
> Something similar to nDPI can be done with a script package I released
> quietly through Broala (which will be moving over to our Corelight
> account eventually and integrated into the Bro Package Manager) a
> while ago. We don't have a ton of signatures in there yet, but it
> shows the infrastructure necessary to do basically the same detection
> that nDPI is doing.
>
> https://github.com/broala/bro-protosigs
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/

Sweet...gonna git pull in a few and let you know how it runs. Thanks Seth!
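Added worked example for the "Scripting question concerning web brute force attacks" thread above (Duba / Kasza / Azoff). This is not code from any of the posters; it implements the approach Anthony describes (a global table of counts with an expiration timer), keyed on the (client, server) pair so that two clients guessing at the same server are counted separately, which is what the original question asked for. The module name, the login-page pattern, the threshold of 20 POSTs and the 5-minute window are this example's own choices. It matches on unescaped_URI rather than original_URI so that percent-encoding of the path (wp-l%6Fgin.php) does not dodge the check, and it counts only POSTs, since a GET merely renders the form.

```bro
##! Count POSTs to common CMS login pages per (client, server) pair and
##! raise a notice when one client hammers one server. Added example for
##! the brute-force thread; names and thresholds below are assumptions.

@load base/frameworks/notice
@load base/protocols/http

module LoginBrute;

export {
	redef enum Notice::Type += {
		## One client POSTed to a login page on one server at least
		## `threshold` times within `window`.
		Login_Page_Brute_Force,
	};

	## Login pages of common content managers (assumed list; extend it).
	const login_page = /(wp-login\.php|\/administrator\/index\.php|\/user\/login)/ &redef;

	## POSTs within the window that trigger the notice (assumed value).
	const threshold = 20 &redef;

	## Lifetime of a (client, server) counter after it is created
	## (assumed value). Expiry turns the count into a rate, not a total.
	const window = 5 mins &redef;
}

## Indexed by both ends of the connection, so each client gets its own
## counter per server instead of sharing one with everybody else.
global attempts: table[addr, addr] of count &create_expire=window;

event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string) &priority=5
	{
	# Match on the decoded URI: the raw one can hide the file name
	# behind percent-encoding.
	if ( login_page !in unescaped_URI )
		return;

	# A GET just renders the form; only a POST carries a credential guess.
	if ( method != "POST" )
		return;

	local orig = c$id$orig_h;
	local resp = c$id$resp_h;

	if ( [orig, resp] !in attempts )
		attempts[orig, resp] = 0;

	++attempts[orig, resp];

	# Fire exactly when the threshold is crossed, once per window.
	if ( attempts[orig, resp] == threshold )
		NOTICE([$note=Login_Page_Brute_Force,
		        $msg=fmt("%s made %d login POSTs to %s within %s",
		                 orig, threshold, resp, window),
		        $conn=c,
		        # Same identifier for the same pair, so the notice
		        # framework suppresses repeats for its default interval.
		        $identifier=cat(orig, resp)]);
	}
```

Run it against a capture with `bro -r login-attempts.pcap loginbrute.bro` (file names assumed) and look for LoginBrute::Login_Page_Brute_Force in notice.log. detect-sqli.bro, which Justin points to, does the analogous bookkeeping with the SumStats framework and keeps separate attacker and victim counters; adding a second table keyed only on resp_h would catch a distributed campaign against one server, at the price of false positives from any busy login page.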
James

From seth at icir.org Wed Sep 21 08:06:42 2016
From: seth at icir.org (Seth Hall)
Date: Wed, 21 Sep 2016 11:06:42 -0400
Subject: [Bro] NSQ plugin getting deprecated in 2.5
In-Reply-To: <26F0D80F-680B-4128-8C20-4F1FF6A6BDB6@illinois.edu>
References: <20160916215007.GM5321@icir.org> <62C23783-3207-4A45-A974-8A997C2F644A@illinois.edu> <26F0D80F-680B-4128-8C20-4F1FF6A6BDB6@illinois.edu>
Message-ID:

> On Sep 19, 2016, at 12:15 PM, Azoff, Justin S wrote:
>
> That wasn't really NSQ that required that, it was whatever was pulling the records out of NSQ and pushing them into ES that wanted that.
>
> I think the new logging ext stuff that was added for kafka would make that extra record redundant now.

You're right, that could be skipped, but you run into the issue of having only a single queue which could cause trouble if one log type is overwhelming everything else.

  .Seth

-- 
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From jazoff at illinois.edu Wed Sep 21 08:18:09 2016
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Wed, 21 Sep 2016 15:18:09 +0000
Subject: [Bro] NSQ plugin getting deprecated in 2.5
In-Reply-To:
References: <20160916215007.GM5321@icir.org> <62C23783-3207-4A45-A974-8A997C2F644A@illinois.edu> <26F0D80F-680B-4128-8C20-4F1FF6A6BDB6@illinois.edu>
Message-ID: <04158025-D801-4206-B34A-B1FEB0C3BD46@illinois.edu>

> On Sep 21, 2016, at 11:06 AM, Seth Hall wrote:
>
>
>> On Sep 19, 2016, at 12:15 PM, Azoff, Justin S wrote:
>>
>> That wasn't really NSQ that required that, it was whatever was pulling the records out of NSQ and pushing them into ES that wanted that.
>>
>> I think the new logging ext stuff that was added for kafka would make that extra record redundant now.
>
> You're right, that could be skipped, but you run into the issue of having only a single queue which could cause trouble if one log type is overwhelming everything else.
For NSQ the destination queue is part of the url that is POSTed to and can still be per log stream. The plugin currently sends it all to one queue, but it could work the same as the kafka plugin does with one queue per log stream.

-- 
- Justin Azoff

From philosnef at yahoo.com Wed Sep 21 08:28:03 2016
From: philosnef at yahoo.com (philosnef)
Date: Wed, 21 Sep 2016 15:28:03 +0000 (UTC)
Subject: [Bro] problems compiling bro 25 master on centos 6
In-Reply-To: <9032F049-4BC1-44EE-A54A-2A6C146ABED1@icir.org>
References: <2077914991.1502439.1474372553218.ref@mail.yahoo.com> <2077914991.1502439.1474372553218@mail.yahoo.com> <9032F049-4BC1-44EE-A54A-2A6C146ABED1@icir.org>
Message-ID: <143771333.2355637.1474471683836@mail.yahoo.com>

RHEL 6.7. I had to pull clang34 from EPEL, since 6.7 only supports g++ 4.4 and not 4.8. It always errors out at bif_parse.cc.o, 5% into the build. Here is the error:

----
[  5%] Building CXX object src/CMakeFiles/bifcl.dir/bif_parse.cc.o
In file included from builtin-func.y:2:
In file included from /usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/vector:61:
In file included from /usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/bits/stl_algobase.h:66:
In file included from /usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/bits/stl_pair.h:60:
/usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/bits/move.h:57:14: error:
      rvalue reference to type 'typename std::remove_reference::type' (aka 'BuiltinFuncArg *') cannot bind to lvalue of type
      'BuiltinFuncArg *'
    { return __t; }
             ^~~
/usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/bits/stl_vector.h:747:27: note:
      in instantiation of function template specialization
      'std::move' requested here
      { emplace_back(std::move(__x)); }
                                ^
builtin-func.y:611:12: note: in instantiation of member function
      'std::vector
>::push_back' requested here? ? { args.push_back(new BuiltinFuncArg((yyvsp[(1) - (5)].str), (yyvsp[(...? ? ? ? ? ?^In file included from builtin-func.y:2:In file included from /usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/vector:69:/usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/bits/vector.tcc:96:9: error:?? ? ? no matching function for call to 'forward'? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? std::forward<_Args>(__args)...);? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ^~~~~~~~~~~~~~~~~~~/usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/bits/stl_vector.h:747:9: note:?? ? ? in instantiation of function template specialization? ? ? 'std::vector? ? ? >::emplace_back' requested here? ? ? { emplace_back(std::move(__x)); }? ? ? ? ^builtin-func.y:611:12: note: in instantiation of member function? ? ? 'std::vector? ? ? >::push_back' requested here? ? { args.push_back(new BuiltinFuncArg((yyvsp[(1) - (5)].str), (yyvsp[(...? ? ? ? ? ?^/usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/bits/move.h:51:5: note:?? ? ? candidate function [with _Tp = BuiltinFuncArg *] not viable: no known? ? ? conversion from 'BuiltinFuncArg *' to 'typename? ? ? std::identity::type &&' (aka 'BuiltinFuncArg *&&') for? ? ? 1st argument? ? forward(typename std::identity<_Tp>::type&& __t)? ? ^2 errors generated. Thanks for peeping into this! On Wednesday, September 21, 2016 10:56 AM, Seth Hall wrote: Is this on RedHat or CentOS 6.x?? I'm not sure if anyone has tried building on those. ? .Seth > On Sep 20, 2016, at 7:55 AM, philosnef wrote: > > See the following cmake error. I have run --disable-auxtools and --disable-broccoli. Not exact sure where this is breaking. > > --- > /usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/bits/move.h:57:14: error: >? ? ? rvalue reference to type 'typename std::remove_reference? ? ? 
*&>::type' (aka 'BuiltinFuncArg *') cannot bind to lvalue of type >? ? ? 'BuiltinFuncArg *' >? ? { return __t; } >? ? ? ? ? ? ? ^~~ > /usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/bits/stl_vector.h:747:27: note: >? ? ? in instantiation of function template specialization >? ? ? 'std::move' requested here >? ? ? { emplace_back(std::move(__x)); } >? ? ? ? ? ? ? ? ? ? ? ? ? ^ > builtin-func.y:611:12: note: in instantiation of member function >? ? ? 'std::vector >? ? ? >::push_back' requested here >? ? { args.push_back(new BuiltinFuncArg((yyvsp[(1) - (5)].str), (yyvsp[(... >? ? ? ? ? ? ^ > In file included from builtin-func.y:2: > In file included from /usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/vector:69: > /usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/bits/vector.tcc:96:9: error: >? ? ? no matching function for call to 'forward' >? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? std::forward<_Args>(__args)...); >? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ^~~~~~~~~~~~~~~~~~~ > /usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/bits/stl_vector.h:747:9: note: >? ? ? in instantiation of function template specialization >? ? ? 'std::vector >? ? ? >::emplace_back' requested here >? ? ? { emplace_back(std::move(__x)); } >? ? ? ? ^ > builtin-func.y:611:12: note: in instantiation of member function >? ? ? 'std::vector >? ? ? >::push_back' requested here >? ? { args.push_back(new BuiltinFuncArg((yyvsp[(1) - (5)].str), (yyvsp[(... >? ? ? ? ? ? ^ > /usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/bits/move.h:51:5: note: >? ? ? candidate function [with _Tp = BuiltinFuncArg *] not viable: no known >? ? ? conversion from 'BuiltinFuncArg *' to 'typename >? ? ? std::identity::type &&' (aka 'BuiltinFuncArg *&&') for >? ? ? 1st argument >? ? forward(typename std::identity<_Tp>::type&& __t) >? ? ^ > 2 errors generated. 
> make[3]: *** [src/CMakeFiles/bifcl.dir/bif_parse.cc.o] Error 1
> make[3]: Leaving directory `/opt/src/bro_25_master/direct_dl/bro-2.5-beta.master/build'
> make[2]: *** [src/CMakeFiles/bifcl.dir/all] Error 2
> make[2]: Leaving directory `/opt/src/bro_25_master/direct_dl/bro-2.5-beta.master/build'
> make[1]: *** [all] Error 2
> make[1]: Leaving directory `/opt/src/bro_25_master/direct_dl/bro-2.5-beta.master/build'
> make: *** [all] Error 2
> ---
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

-- 
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From jdopheid at illinois.edu Wed Sep 21 12:36:43 2016
From: jdopheid at illinois.edu (Dopheide, Jeannette M)
Date: Wed, 21 Sep 2016 19:36:43 +0000
Subject: [Bro] BroCon slides and videos coming soon
Message-ID: <1783D2CA-CA43-4216-B6E8-B3F8F8964614@illinois.edu>

Bro Community,

A few people have been asking when the BroCon slides and videos will be posted. We need to do some post-production and other work before this is done. A rough estimate, barring unforeseen interruptions, is one month. When they are ready we'll communicate it on our mailing list and social media outlets.

Thanks for your patience.
------
Jeannette Dopheide
Training and Outreach Coordinator
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign

From johanna at icir.org Wed Sep 21 12:47:08 2016
From: johanna at icir.org (Johanna Amann)
Date: Wed, 21 Sep 2016 12:47:08 -0700
Subject: [Bro] problems compiling bro 25 master on centos 6
In-Reply-To: <143771333.2355637.1474471683836@mail.yahoo.com>
References: <2077914991.1502439.1474372553218.ref@mail.yahoo.com> <2077914991.1502439.1474372553218@mail.yahoo.com> <9032F049-4BC1-44EE-A54A-2A6C146ABED1@icir.org> <143771333.2355637.1474471683836@mail.yahoo.com>
Message-ID: <20160921194708.GA4440@wifi119.sys.ICSI.Berkeley.EDU>

From looking at the include output, it seems like your compiler uses the wrong include files; the include directory uses the c++ includes of g++ 4.4.7, which is below the cutoff and will not work.

So - the compiler include paths got messed up in some way - I assume that this is a problem of your installation, not of Bro itself.

I hope that this might help a little bit :)

Johanna

On Wed, Sep 21, 2016 at 03:28:03PM +0000, philosnef wrote:
> RHEL 6.7. I had to pull clang34 from EPEL, since 6.7 only supports g++ 4.4 and not 4.8. It always errors out at bif_parse.cc.o, 5% into the build. Here is the error:
> ----
> [  5%] Building CXX object src/CMakeFiles/bifcl.dir/bif_parse.cc.o
> In file included from builtin-func.y:2:
> In file included from /usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/vector:61:
> In file included from /usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/bits/stl_algobase.h:66:
> In file included from /usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/bits/stl_pair.h:60:
> /usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/bits/move.h:57:14: error:
>       rvalue reference to type 'typename std::remove_reference::type' (aka 'BuiltinFuncArg *') cannot bind to lvalue of type
>       'BuiltinFuncArg *'
{ return __t; }? ? ? ? ? ? ?^~~/usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/bits/stl_vector.h:747:27: note:?? ? ? in instantiation of function template specialization? ? ? 'std::move' requested here? ? ? { emplace_back(std::move(__x)); }? ? ? ? ? ? ? ? ? ? ? ? ? ^builtin-func.y:611:12: note: in instantiation of member function? ? ? 'std::vector? ? ? >::push_back' requested here? ? { args.push_back(new BuiltinFuncArg((yyvsp[(1) - (5)].str), (yyvsp[(...? ? ? ? ? ?^In file included from builtin-func.y:2:In file included from /usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/vector:69:/usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/bits/vector.tcc:96:9: error:?? ? ? no matching function for call to 'forward'? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? std::forward<_Args>(__args)...);? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ^~~~~~~~~~~~~~~~~~~/usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/bits/stl_vector.h:747:9: note:?? ? ? in instantiation of function template specialization? ? ? 'std::vector? ? ? >::emplace_back' requested here? ? ? { emplace_back(std::move(__x)); }? ? ? ? ^builtin-func.y:611:12: note: in instantiation of member function? ? ? 'std::vector? ? ? >::push_back' requested here? ? { args.push_back(new BuiltinFuncArg((yyvsp[(1) - (5)].str), (yyvsp[(...? ? ? ? ? ?^/usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/bits/move.h:51:5: note:?? ? ? candidate function [with _Tp = BuiltinFuncArg *] not viable: no known? ? ? conversion from 'BuiltinFuncArg *' to 'typename? ? ? std::identity::type &&' (aka 'BuiltinFuncArg *&&') for? ? ? 1st argument? ? forward(typename std::identity<_Tp>::type&& __t)? ? ^2 errors generated. > > Thanks for peeping into this! > > On Wednesday, September 21, 2016 10:56 AM, Seth Hall wrote: > > > Is this on RedHat or CentOS 6.x?? I'm not sure if anyone has tried building on those. > > ? 
.Seth > > > > On Sep 20, 2016, at 7:55 AM, philosnef wrote: > > > > See the following cmake error. I have run --disable-auxtools and --disable-broccoli. Not exact sure where this is breaking. > > > > --- > > /usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/bits/move.h:57:14: error: > >? ? ? rvalue reference to type 'typename std::remove_reference >? ? ? *&>::type' (aka 'BuiltinFuncArg *') cannot bind to lvalue of type > >? ? ? 'BuiltinFuncArg *' > >? ? { return __t; } > >? ? ? ? ? ? ? ^~~ > > /usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/bits/stl_vector.h:747:27: note: > >? ? ? in instantiation of function template specialization > >? ? ? 'std::move' requested here > >? ? ? { emplace_back(std::move(__x)); } > >? ? ? ? ? ? ? ? ? ? ? ? ? ^ > > builtin-func.y:611:12: note: in instantiation of member function > >? ? ? 'std::vector > >? ? ? >::push_back' requested here > >? ? { args.push_back(new BuiltinFuncArg((yyvsp[(1) - (5)].str), (yyvsp[(... > >? ? ? ? ? ? ^ > > In file included from builtin-func.y:2: > > In file included from /usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/vector:69: > > /usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/bits/vector.tcc:96:9: error: > >? ? ? no matching function for call to 'forward' > >? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? std::forward<_Args>(__args)...); > >? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ^~~~~~~~~~~~~~~~~~~ > > /usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/bits/stl_vector.h:747:9: note: > >? ? ? in instantiation of function template specialization > >? ? ? 'std::vector > >? ? ? >::emplace_back' requested here > >? ? ? { emplace_back(std::move(__x)); } > >? ? ? ? ^ > > builtin-func.y:611:12: note: in instantiation of member function > >? ? ? 'std::vector > >? ? ? >::push_back' requested here > >? ? { args.push_back(new BuiltinFuncArg((yyvsp[(1) - (5)].str), (yyvsp[(... > >? ? ? ? ? ? 
^ > > /usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/bits/move.h:51:5: note: > >? ? ? candidate function [with _Tp = BuiltinFuncArg *] not viable: no known > >? ? ? conversion from 'BuiltinFuncArg *' to 'typename > >? ? ? std::identity::type &&' (aka 'BuiltinFuncArg *&&') for > >? ? ? 1st argument > >? ? forward(typename std::identity<_Tp>::type&& __t) > >? ? ^ > > 2 errors generated. > > make[3]: *** [src/CMakeFiles/bifcl.dir/bif_parse.cc.o] Error 1 > > make[3]: Leaving directory `/opt/src/bro_25_master/direct_dl/bro-2.5-beta.master/build' > > make[2]: *** [src/CMakeFiles/bifcl.dir/all] Error 2 > > make[2]: Leaving directory `/opt/src/bro_25_master/direct_dl/bro-2.5-beta.master/build' > > make[1]: *** [all] Error 2 > > make[1]: Leaving directory `/opt/src/bro_25_master/direct_dl/bro-2.5-beta.master/build' > > make: *** [all] Error 2 > > --- > > > > _______________________________________________ > > Bro mailing list > > bro at bro-ids.org > > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > > -- > Seth Hall > International Computer Science Institute > (Bro) because everyone has a network > http://www.bro.org/ > > > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro From philosnef at yahoo.com Wed Sep 21 13:23:53 2016 From: philosnef at yahoo.com (philosnef) Date: Wed, 21 Sep 2016 20:23:53 +0000 (UTC) Subject: [Bro] problems compiling bro 25 master on centos 6 In-Reply-To: <20160921194708.GA4440@wifi119.sys.ICSI.Berkeley.EDU> References: <2077914991.1502439.1474372553218.ref@mail.yahoo.com> <2077914991.1502439.1474372553218@mail.yahoo.com> <9032F049-4BC1-44EE-A54A-2A6C146ABED1@icir.org> <143771333.2355637.1474471683836@mail.yahoo.com> <20160921194708.GA4440@wifi119.sys.ICSI.Berkeley.EDU> Message-ID: <1977869443.2563266.1474489433480@mail.yahoo.com> Hm, excellent point. I did not see that. I am compiling against libstdc++.so. 
However, I have clang34 and clang34++ installed. Any idea how to force clang34 to not use gcc4.4 libraries? On Wednesday, September 21, 2016 3:47 PM, Johanna Amann wrote: From looking at the include output, it seems like your compiler uses the wrong include files; the include directory uses the c++ includes of g++ 4.4.7, which is below the cutoff and will not work. So - the compiler include paths got messed up in some way - I assume that this is a problem of your installation, not of Bro itself. I hope that this? might help a little bit :) Johanna On Wed, Sep 21, 2016 at 03:28:03PM +0000, philosnef wrote: > RHEL 6.7. I had to pull clang34 from EPEL, since 6.7 only supports g++ 4.4 and not 4.8. It always errors out at bif_parse.cc.o, 5% into the build. Here is the error:----[ ?5%] Building CXX object src/CMakeFiles/bifcl.dir/bif_parse.cc.oIn file included from builtin-func.y:2:In file included from /usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/vector:61:In file included from /usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/bits/stl_algobase.h:66:In file included from /usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/bits/stl_pair.h:60:/usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/bits/move.h:57:14: error:?? ? ? rvalue reference to type 'typename std::remove_reference::type' (aka 'BuiltinFuncArg *') cannot bind to lvalue of type? ? ? 'BuiltinFuncArg *'? ? { return __t; }? ? ? ? ? ? ?^~~/usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/bits/stl_vector.h:747:27: note:?? ? ? in instantiation of function template specialization? ? ? 'std::move' requested here? ? ? { emplace_back(std::move(__x)); }? ? ? ? ? ? ? ? ? ? ? ? ? ^builtin-func.y:611:12: note: in instantiation of member function? ? ? 'std::vector? ? ? >::push_back' requested here? ? { args.push_back(new BuiltinFuncArg((yyvsp[(1) - (5)].str), (yyvsp[(...? ? ? ? ? 
?^In file included from builtin-func.y:2:In file included from /usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/vector:69:/usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/bits/vector.tcc:96:9: error:?? ? ? no matching function for call to 'forward'? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? std::forward<_Args>(__args)...);? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ^~~~~~~~~~~~~~~~~~~/usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/bits/stl_vector.h:747:9: note:?? ? ? in instantiation of function template specialization? ? ? 'std::vector? ? ? >::emplace_back' requested here? ? ? { emplace_back(std::move(__x)); }? ? ? ? ^builtin-func.y:611:12: note: in instantiation of member function? ? ? 'std::vector? ? ? >::push_back' requested here? ? { args.push_back(new BuiltinFuncArg((yyvsp[(1) - (5)].str), (yyvsp[(...? ? ? ? ? ?^/usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/bits/move.h:51:5: note:?? ? ? candidate function [with _Tp = BuiltinFuncArg *] not viable: no known? ? ? conversion from 'BuiltinFuncArg *' to 'typename? ? ? std::identity::type &&' (aka 'BuiltinFuncArg *&&') for? ? ? 1st argument? ? forward(typename std::identity<_Tp>::type&& __t)? ? ^2 errors generated. > > Thanks for peeping into this! > >? ? On Wednesday, September 21, 2016 10:56 AM, Seth Hall wrote: >? > >? Is this on RedHat or CentOS 6.x?? I'm not sure if anyone has tried building on those. > > ? .Seth > > > > On Sep 20, 2016, at 7:55 AM, philosnef wrote: > > > > See the following cmake error. I have run --disable-auxtools and --disable-broccoli. Not exact sure where this is breaking. > > > > --- > > /usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/bits/move.h:57:14: error: > >? ? ? rvalue reference to type 'typename std::remove_reference >? ? ? *&>::type' (aka 'BuiltinFuncArg *') cannot bind to lvalue of type > >? ? ? 'BuiltinFuncArg *' > >? ? { return __t; } > >? ? ? ? ? ? ? 
^~~ > > /usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/bits/stl_vector.h:747:27: note: > >? ? ? in instantiation of function template specialization > >? ? ? 'std::move' requested here > >? ? ? { emplace_back(std::move(__x)); } > >? ? ? ? ? ? ? ? ? ? ? ? ? ^ > > builtin-func.y:611:12: note: in instantiation of member function > >? ? ? 'std::vector > >? ? ? >::push_back' requested here > >? ? { args.push_back(new BuiltinFuncArg((yyvsp[(1) - (5)].str), (yyvsp[(... > >? ? ? ? ? ? ^ > > In file included from builtin-func.y:2: > > In file included from /usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/vector:69: > > /usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/bits/vector.tcc:96:9: error: > >? ? ? no matching function for call to 'forward' > >? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? std::forward<_Args>(__args)...); > >? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ^~~~~~~~~~~~~~~~~~~ > > /usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/bits/stl_vector.h:747:9: note: > >? ? ? in instantiation of function template specialization > >? ? ? 'std::vector > >? ? ? >::emplace_back' requested here > >? ? ? { emplace_back(std::move(__x)); } > >? ? ? ? ^ > > builtin-func.y:611:12: note: in instantiation of member function > >? ? ? 'std::vector > >? ? ? >::push_back' requested here > >? ? { args.push_back(new BuiltinFuncArg((yyvsp[(1) - (5)].str), (yyvsp[(... > >? ? ? ? ? ? ^ > > /usr/bin/../lib/gcc/x86_64-redhat-linux/4.4.7/../../../../include/c++/4.4.7/bits/move.h:51:5: note: > >? ? ? candidate function [with _Tp = BuiltinFuncArg *] not viable: no known > >? ? ? conversion from 'BuiltinFuncArg *' to 'typename > >? ? ? std::identity::type &&' (aka 'BuiltinFuncArg *&&') for > >? ? ? 1st argument > >? ? forward(typename std::identity<_Tp>::type&& __t) > >? ? ^ > > 2 errors generated. 
> > make[3]: *** [src/CMakeFiles/bifcl.dir/bif_parse.cc.o] Error 1
> > make[3]: Leaving directory `/opt/src/bro_25_master/direct_dl/bro-2.5-beta.master/build'
> > make[2]: *** [src/CMakeFiles/bifcl.dir/all] Error 2
> > make[2]: Leaving directory `/opt/src/bro_25_master/direct_dl/bro-2.5-beta.master/build'
> > make[1]: *** [all] Error 2
> > make[1]: Leaving directory `/opt/src/bro_25_master/direct_dl/bro-2.5-beta.master/build'
> > make: *** [all] Error 2
> > ---
> >
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From doris at bro.org Wed Sep 21 14:58:33 2016
From: doris at bro.org (Doris Schioberg)
Date: Wed, 21 Sep 2016 14:58:33 -0700
Subject: [Bro] Bro News #7
Message-ID: <6b214599-1775-b09f-9c34-11ae23d01c23@bro.org>

Bro News #7

Welcome to the Bro newsletter #7. This time we cover the following topics:

  - Bro Events.
  - Bro Commits: Bro v2.5 beta is here. Get your newest Bro with new features and improvements.
  - Bro Internals: Give Bro a future, join the Future Fund.

Bro Events

BroCon 2016

BroCon 2016 was hosted by TACC in Austin, Texas. About 20 hours of talks within two and a half days: we had talks from Bro team members about the newest developments, low level practical talks to improve every day work life, and also high level research talks. The new SMB analyzer seems to have had the most impact on the user community. You can read all about it here.
We hear you: Our post-conference attendee survey had over 90% who liked the topics, and over 95% that they liked the way those topics were presented. Overall, we appreciate all of the feedback that we received, and while we were blown away by the overwhelmingly positive response, perhaps even more important to us are the opportunities for making BroCon even better. We'll keep all of the feedback in mind as we start the process of preparing for BroCon 2017.

We had a few comments regarding the lack of talks discussing incident response. If those types of talks interest you, please consider attending Bro4Pros 2017, as that event tends to have more talks about "life in the trenches."

NSF Cybersecurity Summit 2016

Bro held a one day workshop at the NSF Cybersecurity Summit 2016.

Bro Commits: Bro 2.5 beta is here!

Bro 2.5 beta has been released. Here is a brief summary of some of the new features and improvements:

  - Bro now includes the NetControl framework. This framework allows easy interaction with hard- and software switches, firewalls, etc.
  - Support for the SMB protocol (SMB1 and SMB2), including GSSAPI and NTLM.
  - Support for the remote framebuffer protocol (RFB), that is used by VNC servers for remote graphical display.
  - The Intelligence framework was refactored and extended. It now supports, for example, subnet indicators and item deletion/expiration.

Binary packages of the beta are also available. See NEWS for preliminary release notes and CHANGES for the exhaustive commit list. Feedback is encouraged and should be sent to the Bro mailing list. As previously stated, we do not recommend using a beta release for production use.

Bro Internals: Give Bro a future, join the Future Fund.

Bro's future depends on all of you. The Bro community is a wonderful mix of different personalities and skill sets. Many of them will answer all Bro related questions in our IRC channel #bro on Freenode, and for a while now also in our Bro channel on Gitter.
Others contribute to the development of Bro. We want to thank everyone who contributes to Bro in any way. We also would like to send out a call to join the Bro Future Fund, so we can continue all the work that cannot be done by volunteers only. If you appreciate Bro in your daily work and think your company or organization truly benefits from it, consider a donation to help us keep up the work. In that spirit, Corelight (formerly known as Broala) announced a donation of $100,000 at BroCon 2016. Thank you Corelight!

- The Bro Team

From bmixonb1 at cs.unm.edu Wed Sep 21 15:29:05 2016
From: bmixonb1 at cs.unm.edu (Ben Mixon-Baca)
Date: Wed, 21 Sep 2016 16:29:05 -0600
Subject: [Bro] Protocol Analyzer
Message-ID: <8ba93c3e-e7bc-d37d-7f41-bb1aa892ea34@cs.unm.edu>

Hi,

I am doing low-level packet inspection using the tcp_packet event. I am wondering if there is a way to inspect only the tcp payload if it doesn't parse to any well-known tcp-based application. For example, if an application uses 20394/tcp for TLS, I would not want to see this payload. However, if the application using 20394/tcp has a payload that doesn't parse to anything Bro speaks, I would like to be able to inspect this tcp payload.

Thanks in advance!

--
Ben
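An added example script for the approach Ben asks about, written along the lines of the c$service check that Johanna's reply below describes; it is not code from any list participant. It assumes Bro 2.5 script syntax, that Analyzer::all_registered_ports() returns the table[Analyzer::Tag] of set[port] the DPD framework registers, and the module and notice names are my own.

```bro
##! Added example (not code from any list participant): inspect raw TCP
##! payload only for connections that no protocol analyzer has confirmed.
##! Assumes Bro 2.5 script syntax; the module and notice names are mine, and
##! Analyzer::all_registered_ports() is assumed to return the
##! table[Analyzer::Tag] of set[port] that the DPD framework registers.

@load base/frameworks/notice
@load base/frameworks/analyzer

module UnknownPayload;

export {
	redef enum Notice::Type += {
		## Cleartext shell marker seen in payload that no analyzer claimed.
		Unparsed_Payload_Marker,
	};

	## Ports that some analyzer is always attached to; their payload is
	## skipped even before protocol_confirmation fires (the caveat from the
	## thread: c$service is only set once a parser accepts the connection).
	global analyzed_ports: set[port] = set();

	## Cap on unparsed bytes inspected per connection, to bound the cost of
	## handling this (expensive) per-packet event.
	const max_inspect_bytes = 4096 &redef;
}

redef record connection += {
	## Unparsed payload bytes already inspected for this connection.
	unknown_inspected: count &default=0;
};

event bro_init()
	{
	# Collect every well-known port from the analyzer framework's table.
	local tbl = Analyzer::all_registered_ports();
	for ( tag in tbl )
		for ( p in tbl[tag] )
			add analyzed_ports[p];
	}

# T only if no analyzer has confirmed a service on this connection and the
# responder port is not one an analyzer is always attached to.
function should_inspect(c: connection): bool
	{
	if ( |c$service| > 0 )
		return F;

	if ( c$id$resp_p in analyzed_ports )
		return F;

	return T;
	}

event tcp_packet(c: connection, is_orig: bool, flags: string, seq: count,
                 ack: count, len: count, payload: string)
	{
	if ( len == 0 || ! should_inspect(c) )
		return;

	if ( c$unknown_inspected >= max_inspect_bytes )
		return;

	c$unknown_inspected += len;

	# Example content check on the raw bytes: a shell interpreter line in
	# cleartext on a port Bro cannot parse is worth an analyst's look.
	if ( /#!\/bin\/(ba)?sh/ in payload )
		NOTICE([$note=Unparsed_Payload_Marker, $conn=c,
		        $msg=fmt("unparsed payload on %s carries a shell marker",
		                 c$id$resp_p),
		        $identifier=cat(c$id)]);
	}
```

The per-connection byte cap matters in practice: without it, a handler for tcp_packet sees every byte of every unconfirmed flow on the wire.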
From johanna at icir.org Wed Sep 21 22:11:32 2016
From: johanna at icir.org (Johanna Amann)
Date: Wed, 21 Sep 2016 22:11:32 -0700
Subject: [Bro] Protocol Analyzer
In-Reply-To: <8ba93c3e-e7bc-d37d-7f41-bb1aa892ea34@cs.unm.edu>
References: <8ba93c3e-e7bc-d37d-7f41-bb1aa892ea34@cs.unm.edu>
Message-ID: <20160922051132.GA7480@Beezling.local>

Hello Ben,

the easiest way to accomplish this is probably to look into the c$service field - if it is empty, no analyzer has flagged that it can successfully parse the protocol yet.

This is, however, not perfect - c$service is populated by the protocol_confirmation/violation. Thus, it will only be set after a parser accepts that a connection actually "speaks" a protocol; so you will probably get the first few packets for every connection - see base/frameworks/dpd/main.bro for more details.

Apart from that, you can also check Analyzer::registered_ports for ports where Bro always tries to attach a specific analyzer.

I hope this helps,
Johanna

On Wed, Sep 21, 2016 at 04:29:05PM -0600, Ben Mixon-Baca wrote:
> Hi,
>
> I am doing low level packet inspection using the tcp_packet event. I am
> wondering if there is a way to inspect only the tcp payload if it
> doesn't parse to any well-known tcp based application. For example, if
> an application uses 20394/tcp for TLS, I would not want to see this
> payload. However, if the application using 20394/tcp has a payload that
> doesn't parse to anything Bro speaks, I would like to be able to inspect
> this tcp payload.
>
> Thanks in advance!
>
> --
> Ben

From philosnef at gmail.com Thu Sep 22 04:54:11 2016
From: philosnef at gmail.com (erik clark)
Date: Thu, 22 Sep 2016 07:54:11 -0400
Subject: [Bro] problems compiling bro 25 master on centos 6
Message-ID:

Ok, so I am following these instructions here:

https://gist.github.com/stephenturner/e3bc5cfacc2dc67eca8b

My question is, how do I make this work?

Despite explicitly stating

export CC=$pathtodevset/gcc
export CXX=$pathtodevset/g++

it absolutely refuses to honor this in config. No matter what I do, sh configure forces the use of clang/clang++, which does not support 4.8 on centos6. I specifically have gcc/g++ 4.8.2 installed in the devtoolset slc environment.

I do not understand why sh configure is not honoring these explicit environment variables pointing to a proper g++ binary.

From philosnef at gmail.com Thu Sep 22 05:45:49 2016
From: philosnef at gmail.com (erik clark)
Date: Thu, 22 Sep 2016 08:45:49 -0400
Subject: [Bro] problems compiling bro 25 master on centos 6
In-Reply-To:
References:
Message-ID:

Ok, so I got this to compile, but it is non-trivial.

There is no longer a --with-pfring=X option in 25 configure script. See:

https://www.bro.org/sphinx-git/components/bro-plugins/pf_ring/README.html

Checking the ../doc/configuration/index.rst, this indicates that

--with-pcap=/opt/pfring

however, this makes no change in it building. Moreover, in ../build/instal_manifest.txt, I see broctl/plugins/lb_pfring.py, but no other sign of pfring. ldd bro shows no pfring entry either. Why did bro not build with pfring? Thanks!
On Thu, Sep 22, 2016 at 7:54 AM, erik clark wrote:
> Ok, so I am following these instructions here:
>
> https://gist.github.com/stephenturner/e3bc5cfacc2dc67eca8b
>
> My question is, how do I make this work?
>
> Despite explicitly stating
>
> export CC=$pathtodevset/gcc
> export CXX=$pathtodevset/g++
>
> it absolutely refuses to honor this in config. No matter what I do, sh
> configure forces the use of clang/clang++, which does not support 4.8 on
> centos6. I specifically have gcc/g++ 4.8.2 installed in the devtoolset slc
> environment.
>
> I do not understand why sh configure is not honoring these explicit
> environment variables pointing to a proper g++ binary.

From seth at icir.org Thu Sep 22 06:39:46 2016
From: seth at icir.org (Seth Hall)
Date: Thu, 22 Sep 2016 09:39:46 -0400
Subject: [Bro] NSQ plugin getting deprecated in 2.5
In-Reply-To: <04158025-D801-4206-B34A-B1FEB0C3BD46@illinois.edu>
References: <20160916215007.GM5321@icir.org> <62C23783-3207-4A45-A974-8A997C2F644A@illinois.edu> <26F0D80F-680B-4128-8C20-4F1FF6A6BDB6@illinois.edu> <04158025-D801-4206-B34A-B1FEB0C3BD46@illinois.edu>
Message-ID: <2025B08D-CD4A-4D9E-B413-4B959B102D5A@icir.org>

> On Sep 21, 2016, at 11:18 AM, Azoff, Justin S wrote:
>
> For NSQ the destination queue is part of the url that is POSTed to and can still be per log stream.

Yep, that was Vlad's point about that being added to the URL when sending to NSQ. :)

> The plugin currently sends it all to one queue, but it could work the same as the kafka plugin does with one queue per log stream.

I think what makes the most sense here would be to fork off the ElasticSearch plugin and create an NSQ-specific plugin. If someone wanted to go crazy with options, I could imagine even making a generic HTTP writer plugin as you suggested earlier.
I suspect that it would be quite hard to get that right for any number of different HTTP endpoints. It probably makes more sense to just tailor for whatever is receiving logs on the other end.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From philosnef at gmail.com Thu Sep 22 07:36:42 2016
From: philosnef at gmail.com (erik clark)
Date: Thu, 22 Sep 2016 10:36:42 -0400
Subject: [Bro] smb analyzer does not seem to be enabled
Message-ID:

Fresh built 25master, feeding bro a pcap with 445 traffic, no smb logs produced. Do you need to explicitly enable it somewhere?

From bmixonb1 at cs.unm.edu Thu Sep 22 07:49:32 2016
From: bmixonb1 at cs.unm.edu (Ben Mixon-Baca)
Date: Thu, 22 Sep 2016 08:49:32 -0600
Subject: [Bro] Protocol Analyzer
In-Reply-To: <20160922051132.GA7480@Beezling.local>
References: <8ba93c3e-e7bc-d37d-7f41-bb1aa892ea34@cs.unm.edu> <20160922051132.GA7480@Beezling.local>
Message-ID: <3e71839e-6b45-ef22-0911-c2b88e40c60e@cs.unm.edu>

Thanks, Johanna! That gives me a place to start.

On 09/21/2016 11:11 PM, Johanna Amann wrote:
> Hello Ben,
>
> the easiest way to accomplish this is probably to look into the c$service
> field - if it is empty, no analyzer has flagged that it can successfully
> parse the protocol yet.
>
> This is, however, not perfect - c$service is populated by the
> protocol_confirmation/violation. Thus, it will only be set after a parser
> accepts that a connection actually "speaks" a protocol; so you will
> probably get the first few packets for every connection - see
> base/frameworks/dpd/main.bro for more details.
>
> Apart from that, you can also check Analyzer::registered_ports for ports
> where Bro always tries to attach a specific analyzer.
>
> I hope this helps,
> Johanna
>
> On Wed, Sep 21, 2016 at 04:29:05PM -0600, Ben Mixon-Baca wrote:
>> Hi,
>>
>> I am doing low level packet inspection using the tcp_packet event. I am
>> wondering if there is a way to inspect only the tcp payload if it
>> doesn't parse to any well-known tcp based application. For example, if
>> an application uses 20394/tcp for TLS, I would not want to see this
>> payload. However, if the application using 20394/tcp has a payload that
>> doesn't parse to anything Bro speaks, I would like to be able to inspect
>> this tcp payload.
>>
>> Thanks in advance!
>>
>> --
>> Ben

--
Ben

From jazoff at illinois.edu Thu Sep 22 07:54:00 2016
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Thu, 22 Sep 2016 14:54:00 +0000
Subject: [Bro] smb analyzer does not seem to be enabled
In-Reply-To:
References:
Message-ID: <343ABA06-464B-43A6-8089-B4B3E87875A1@illinois.edu>

local.bro:

# Uncomment the following line to enable the SMB analyzer. The analyzer
# is currently considered a preview and therefore not loaded by default.
# @load policy/protocols/smb

--
- Justin Azoff

> On Sep 22, 2016, at 10:36 AM, erik clark wrote:
>
> Fresh built 25master, feeding bro a pcap with 445 traffic, no smb logs produced. Do you need to explicitly enable it somewhere?
From philosnef at gmail.com Thu Sep 22 08:49:44 2016
From: philosnef at gmail.com (erik clark)
Date: Thu, 22 Sep 2016 11:49:44 -0400
Subject: [Bro] smb analyzer does not seem to be enabled
In-Reply-To: <343ABA06-464B-43A6-8089-B4B3E87875A1@illinois.edu>
References: <343ABA06-464B-43A6-8089-B4B3E87875A1@illinois.edu>
Message-ID:

Hm. I enabled it in

/opt/bro/share/bro/site/local.bro

-> @load policy/protocols/smb

and I ran a pcap with exclusively 445 port traffic, but got nothing back. The pcap is 70 megs big. (tcpdump -w pcap "port 445")

I am trying to get output from smb2.pcap (included in Traces directory in the master branch), but that also does not produce any smb logs.

bro -N shows -> Bro::SMB - SMB analyzer (built-in)

so I am not sure why the entry in local.bro is apparently not causing smb events to fire? Thanks for your time!

On Thu, Sep 22, 2016 at 10:54 AM, Azoff, Justin S wrote:
> local.bro:
>
> # Uncomment the following line to enable the SMB analyzer. The analyzer
> # is currently considered a preview and therefore not loaded by default.
> # @load policy/protocols/smb
>
> --
> - Justin Azoff
>
> > On Sep 22, 2016, at 10:36 AM, erik clark wrote:
> >
> > Fresh built 25master, feeding bro a pcap with 445 traffic, no smb logs
> produced. Do you need to explicitly enable it somewhere?
From philosnef at gmail.com Thu Sep 22 08:53:32 2016
From: philosnef at gmail.com (erik clark)
Date: Thu, 22 Sep 2016 11:53:32 -0400
Subject: [Bro] smb analyzer does not seem to be enabled
In-Reply-To:
References: <343ABA06-464B-43A6-8089-B4B3E87875A1@illinois.edu>
Message-ID:

AH ignore this! I am not getting any smb traffic I guess on this link, and I had to explicitly call the smb analyzer:

bro -C -r $pcap /opt/bro/share/bro/policy/protocols/smb/__load__.bro

Thanks all, this works fantastic!

On Thu, Sep 22, 2016 at 11:49 AM, erik clark wrote:
> Hm. I enabled it in
>
> /opt/bro/share/bro/site/local.bro
>
> -> @load policy/protocols/smb
>
> and I ran a pcap with exclusively 445 port traffic, but got nothing back.
> The pcap is 70 megs big. (tcpdump -w pcap "port 445")
>
> I am trying to get output from smb2.pcap (included in Traces directory in
> the master branch), but that also does not produce any smb logs.
>
> bro -N shows -> Bro::SMB - SMB analyzer (built-in)
>
> so I am not sure why the entry in local.bro is apparently not causing smb
> events to fire? Thanks for your time!
>
> On Thu, Sep 22, 2016 at 10:54 AM, Azoff, Justin S wrote:
>> local.bro:
>>
>> # Uncomment the following line to enable the SMB analyzer. The analyzer
>> # is currently considered a preview and therefore not loaded by default.
>> # @load policy/protocols/smb
>>
>> --
>> - Justin Azoff
>>
>> > On Sep 22, 2016, at 10:36 AM, erik clark wrote:
>> >
>> > Fresh built 25master, feeding bro a pcap with 445 traffic, no smb logs
>> produced. Do you need to explicitly enable it somewhere?
From jazoff at illinois.edu Thu Sep 22 08:55:48 2016
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Thu, 22 Sep 2016 15:55:48 +0000
Subject: [Bro] smb analyzer does not seem to be enabled
In-Reply-To:
References: <343ABA06-464B-43A6-8089-B4B3E87875A1@illinois.edu>
Message-ID:

How did you run the pcap file? If you just ran

bro -r foo.pcap

that does not load the local config, you need to use

bro local -r foo.pcap

or use `broctl process`.

--
- Justin Azoff

> On Sep 22, 2016, at 11:49 AM, erik clark wrote:
>
> Hm. I enabled it in
>
> /opt/bro/share/bro/site/local.bro
>
> -> @load policy/protocols/smb
>
> and I ran a pcap with exclusively 445 port traffic, but got nothing back. The pcap is 70 megs big. (tcpdump -w pcap "port 445")
>
> I am trying to get output from smb2.pcap (included in Traces directory in the master branch), but that also does not produce any smb logs.
>
> bro -N shows -> Bro::SMB - SMB analyzer (built-in)
>
> so I am not sure why the entry in local.bro is apparently not causing smb events to fire? Thanks for your time!
>
> On Thu, Sep 22, 2016 at 10:54 AM, Azoff, Justin S wrote:
> local.bro:
>
> # Uncomment the following line to enable the SMB analyzer. The analyzer
> # is currently considered a preview and therefore not loaded by default.
> # @load policy/protocols/smb
>
> --
> - Justin Azoff
>
> > On Sep 22, 2016, at 10:36 AM, erik clark wrote:
> >
> > Fresh built 25master, feeding bro a pcap with 445 traffic, no smb logs produced. Do you need to explicitly enable it somewhere?
From johanna at icir.org Thu Sep 22 10:30:26 2016
From: johanna at icir.org (Johanna Amann)
Date: Thu, 22 Sep 2016 10:30:26 -0700
Subject: [Bro] problems compiling bro 25 master on centos 6
In-Reply-To:
References:
Message-ID: <20160922173026.GA13360@Beezling.local>

Hi,

On Thu, Sep 22, 2016 at 08:45:49AM -0400, erik clark wrote:
> Ok, so I got this to compile, but it is non-trivial.

how did you get it to run in the end? I saw your last email with the export of CC/CXX not working (which is a bit odd, as far as I remember that worked fine for me in the past).

> There is no longer a --with-pfring=X option in 25 configure script. See:
>
> https://www.bro.org/sphinx-git/components/bro-plugins/pf_ring/README.html

I actually don't think that we ever had that version (at least I do not remember it being in the last few versions).

https://www.bro.org/documentation/load-balancing.html gives a bit of information on how to use Bro with the pfring libpcap. The pf_ring plugin is different, and directly uses pfring without going through libpcap. I never used this one myself, however checking the code it seems to look through the standard include path locations for pfring. If pfring is installed in a different place, you can probably enable Bro to find it by exporting CFLAGS/CXXFLAGS/LDFLAGS to point to that directory.

> however, this makes no change in it building. Moreover, in
> ../build/instal_manifest.txt, I see broctl/plugins/lb_pfring.py, but no
> other sign of pfring. ldd bro shows no pfring entry either. Why did bro not
> build with pfring? Thanks!

It might have built against the wrong version of libpcap.
The chosen pcap library is displayed during configure output in a line like:

-- Found PCAP: /usr/lib/libpcap.dylib

I hope this helps,
Johanna

From johanna at icir.org Thu Sep 22 10:36:39 2016
From: johanna at icir.org (Johanna Amann)
Date: Thu, 22 Sep 2016 10:36:39 -0700
Subject: [Bro] cluster manager crash
In-Reply-To:
References:
Message-ID: <20160922173639.GB13360@Beezling.local>

Hello,

> I have an issue about cluster manager crash when lots of log event send
> to it.
> I set up a bro cluster on my server, the cluster have 32 workers and 1
> proxy and handle about 5Gb/s. After run about one and a half hour, the
> cluster no longer produces logs, but workers still extract files. So it
> seems that the manager was crashed.
> Is there any possibility that the manager doesn't work anymore when
> workers send lots of log event? If so, what`s the limit of the log event?
> Or maybe the issue won`t happen if I run a real cluster on several servers?

yes, it is possible to kill a manager by sending too much data to it, though that is usually caused by event traffic and not by logs. There is no definitive limit, that depends a bit on your hardware and traffic.

Generally, if your manager really crashes, it should be restarted by the broctl cron process.

If you have a lot of logging, starting with bro 2.5 (currently in Beta), you also can separate logging from the manager and move it into a logger node. To enable this on 2.5, put the following into your node.cfg (this is also part of the example configuration):

[logger]
type=logger
host=localhost

> By the way, if I want to handle 10Gb/s, how much memory should I leave
> for each worker ? If I do memory usage restrictions, will it affect
> the performance of the cluster?

The amount of memory depends on your traffic mix and is a bit difficult to predict (I will let others chime in what their experiences are).
If you put in memory usage restrictions, it will kill the processes if they need more memory than they are allowed to allocate.

I hope this helps,
Johanna

From johanna at icir.org Thu Sep 22 10:50:10 2016
From: johanna at icir.org (Johanna Amann)
Date: Thu, 22 Sep 2016 10:50:10 -0700
Subject: [Bro] File Extraction
In-Reply-To:
References: <20160803194732.GA7211@wifi154.sys.ICSI.Berkeley.EDU>
Message-ID: <20160922175010.GC13360@Beezling.local>

I did not look through all of your script - the big reason that Bro currently complains is that you try to load a nonexisting script (there is no base/protocols/http/file-ident).

Johanna

On Sat, Aug 27, 2016 at 12:37:35PM -0500, al brocino wrote:
> Thanks Johanna,
>
> *Adding additional information:*
>
> We are going to upgrade from 2.3.2 but have not yet.
>
> *I made your recommended change and am still getting the error, see detail
> below:*
>
> file-extract.bro script
> > global ext_map:table[string] of string = { ["application/x/dosexec"] =
> > "exe",
> you probably want application/x-dosexec here, not x/dosexec. That might
> already be enough to fix this.
>
> *Changed: *
>
> file-extract.bro
> global ext_map: table[string] of string = {
>     ["application/x-dosexec"] = "exe",
>     ["text/plain"] = "txt",
>     ["image/jpeg"] = "jpg",
>     ["image/png"] = "png",
>     ["text/html"] = "html",
> } &default ="";
>
> *Un-comment #@load ./file-extract-http-local.bro and #@load
> ./file-extract-types.bro:*
>
> _load_.bro
> # File extractions (/application\/.*) -- This has changed significantly in 2.2
> @load ./file-extract-http-local.bro
> @load ./file-extract-types.bro
> @load ./bro-file-extract
>
> * I get this error again:*
>
> manager scripts failed.
> internal warning in /usr/local/bro/share/bro/site/./custom/./file-extract-http-local.bro, line 6: Discarded extraneous Broxygen comment: Modified from base scripts to extract only from external hosts
> fatal error in /usr/local/bro/share/bro/site/./custom/./file-extract-http-local.bro, line 7: can't find base/protocols/http/file-ident
> proxy scripts failed.
> internal warning in /usr/local/bro/share/bro/site/./custom/./file-extract-http-local.bro, line 6: Discarded extraneous Broxygen comment: Modified from base scripts to extract only from external hosts
> fatal error in /usr/local/bro/share/bro/site/./custom/./file-extract-http-local.bro, line 7: can't find base/protocols/http/file-ident
> enm1-eth1-httpproxy scripts failed.
> internal warning in /usr/local/bro/share/bro/site/./custom/./file-extract-http-local.bro, line 6: Discarded extraneous Broxygen comment: Modified from base scripts to extract only from external hosts
> fatal error in /usr/local/bro/share/bro/site/./custom/./file-extract-http-local.bro, line 7: can't find base/protocols/http/file-ident
> enm2-eth2-httpinternal scripts failed.
> internal warning in /usr/local/bro/share/bro/site/./custom/./file-extract-http-local.bro, line 6: Discarded extraneous Broxygen comment: Modified from base scripts to extract only from external hosts
> fatal error in /usr/local/bro/share/bro/site/./custom/./file-extract-http-local.bro, line 7: can't find base/protocols/http/file-ident
> enm3-eth3-collector scripts failed.
> internal warning in /usr/local/bro/share/bro/site/./custom/./file-extract-http-local.bro, line 6: Discarded extraneous Broxygen comment: Modified from base scripts to extract only from external hosts
> fatal error in /usr/local/bro/share/bro/site/./custom/./file-extract-http-local.bro, line 7: can't find base/protocols/http/file-ident
> enm4-eth5-dns scripts failed.
> internal warning in /usr/local/bro/share/bro/site/./custom/./file-extract-http-local.bro, line 6: Discarded extraneous Broxygen comment: Modified from base scripts to extract only from external hosts
> fatal error in /usr/local/bro/share/bro/site/./custom/./file-extract-http-local.bro, line 7: can't find base/protocols/http/file-ident
> enm5-eth6-syslog scripts failed.
> internal warning in /usr/local/bro/share/bro/site/./custom/./file-extract-http-local.bro, line 6: Discarded extraneous Broxygen comment: Modified from base scripts to extract only from external hosts
> fatal error in /usr/local/bro/share/bro/site/./custom/./file-extract-http-local.bro, line 7: can't find base/protocols/http/file-ident
>
> *Here's the script that it's failing on:*
>
> file-extract-http-local.bro
> @load base/protocols/http/main
> @load base/protocols/http/file-ident
> @load base/utils/files
>
> module HTTP;
>
> export {
>     ## Pattern of file mime types to extract from HTTP response entity bodies.
>     const extract_file_types_local = /NO_DEFAULT/ &redef;
>
>     ## The on-disk prefix for files to be extracted from HTTP entity bodies.
>     const extraction_prefix_local = "http-item" &redef;
>
>     redef record Info += {
>         ## On-disk file where the response body was extracted to.
>         extraction_file_local: file &log &optional;
>
>         ## Indicates if the response body is to be extracted or not. Must be
>         ## set before or by the first :bro:id:`http_entity_data` event for the
>         ## content.
>         extract_file_local: bool &default=F;
>     };
> }
>
> # Define local sources to ignore file extract
> global http_extract_file_ignore: set[subnet] = {
>     192.168.2.0/24,   # Internal Seminal1, trusted destination
>     192.168.1.0/24,   # Internal Seminal2, trusted destination
> };
>
> event http_entity_data(c: connection, is_orig: bool, length: count, data: string) &priority=-5
>     {
>     # Client body extraction is not currently supported in this script.
>     if ( is_orig )
>         return;
>
>     # We do not want to extract files from internal to internal hosts
>     if ( c$id$resp_h in http_extract_file_ignore )
>         return;
>
>     if ( c$http$first_chunk )
>         {
>         if ( c$http?$mime_type && extract_file_types_local in c$http$mime_type )
>             {
>             c$http$extract_file_local = T;
>             }
>
>         if ( c$http$extract_file_local )
>             {
>             local suffix = fmt("%s_%d.dat", is_orig ? "orig" : "resp", c$http_state$current_response);
>             local fname = generate_extraction_filename(extraction_prefix_local, c, suffix);
>
>             c$http$extraction_file_local = open(fname);
>             enable_raw_output(c$http$extraction_file_local);
>             }
>         }
>
>     if ( c$http?$extraction_file_local )
>         print c$http$extraction_file_local, data;
>     }
>
> event http_end_entity(c: connection, is_orig: bool)
>     {
>     if ( c$http?$extraction_file_local )
>         close(c$http$extraction_file_local);
>     }
>
> *Ideas? Thanks!*
>
> *Al B.*
> *Seminal Networks*
>
> On Wed, Aug 3, 2016 at 2:47 PM, Johanna Amann wrote:
> > Hi Al,
> >
> > > I'm new to Bro and using version 2.3.2 and want to extract all the exe's
> > > seen on the network. In bro-file-extract we are using the file-extract.bro
> > > script to try to parse for the exe's (partial of script):
> >
> > First - is there any reason for you to still use 2.3.2? File handling (and
> > a lot of other things) have become more robust in 2.4.
> >
> > In any case...
> >
> > > global ext_map:table[string] of string = {
> > > ["application/x/dosexec"] = "exe",
> >
> > you probably want application/x-dosexec here, not x/dosexec. That might
> > already be enough to fix this.
> >
> > > redef FileExtract::prefix="/var/log/netlogs/bro/file-extracts.bro";
> >
> > This line seems superfluous and wrong, especially since it is redef-ed
> > again two lines later.
> >
> > > redef FileExtract::default_limit = 314572800;
> > > redef FileExtract::prefix = "/var/log/netlogs/bro/file-extracts/";
> > >
> > > We also have the file-extract-http-local.bro set to extract on our network:
> > >
> > > global http_extract_file_ignore: set [subnet] = {
> > > 10.0.0.0/8,
> > > };
> >
> > The following seems to talk about files that you modified locally and that
> > do not ship with the Bro distribution. As such, it is really hard to give
> > feedback about it.
> >
> > > We think the problem is that _load_.bro has the file extract commented out
> > > under bro-icmp:
> > > #@load ./file-extract-http-local.bro
> > > #@load ./file-extract-types.bro
> > > @load ./bro-file-extract
> > > When I tried to enable these Bro failed the scripts check with errors like:
> > > internal warning in /usr/local/bro/share/bro/site/./custom/./file-extract-http-local.bro, line 6: Discarded extraneous Broxygen comment: Modified from base scripts to extract only from external hosts
> > > fatal error in /usr/local/bro/share/bro/site/./custom/./file-extract-http-local.bro, line 7:can't find base/protocols/http/file-ident
> > > I continued to receive these errors and had to back out of removing the comments
> > >
> > > Under bro-file-extract _load_.bro looks correct:
> > > @load ./file-extract
> > >
> > > What I'm getting in /var/log/netlogs/bro/file-extracts are entries like:
> > > HTTP-F7K52nSzN3h7GNM31.exe
> > > These files occur occasionally I'm not sure what they are.
> >
> > I hope this helps,
> > Johanna

From seth at icir.org Thu Sep 22 19:37:47 2016
From: seth at icir.org (Seth Hall)
Date: Thu, 22 Sep 2016 22:37:47 -0400
Subject: [Bro] cluster manager crash
In-Reply-To:
References:
Message-ID: <5D665F07-4FBA-484D-BE4D-F790C7AD7EE4@icir.org>

> On Sep 7, 2016, at 9:44 AM, Bowen Li wrote:
>
> By the way, if I want to handle 10Gb/s, how much memory should I leave for each worker ?
If I do memory usage restrictions, will it affect the performance of the cluster? Hi Bowen, To add to what Johanna said, what's the desire behind restricting memory use? Are you running other processes on the system and you'd like to avoid Bro processes consuming all of the memory? .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro.org/ From philosnef at gmail.com Fri Sep 23 05:10:22 2016 From: philosnef at gmail.com (erik clark) Date: Fri, 23 Sep 2016 08:10:22 -0400 Subject: [Bro] problems compiling bro 25 master on centos 6 In-Reply-To: <814FAD3C-B64C-41B1-9FB9-E34B1A0604B4@icir.org> References: <20160922173026.GA13360@Beezling.local> <814FAD3C-B64C-41B1-9FB9-E34B1A0604B4@icir.org> Message-ID: So, I get pfring "found"... but no plugin built. (from configure) -- Found PCAP: /opt/pfring/lib/libpcap.so -- Looking for pcap_get_pfring_id -- Looking for pcap_get_pfring_id - found Why is the plugin not being built? bro -N Bro::PF_RING ... line 1: plugin Bro::PF_RING is not available This is the last hurdle I have to overcome. Not sure why it finds libpcap in the /opt/pfring directory, but doesn't build the plugin. On Thu, Sep 22, 2016 at 2:10 PM, Johanna Amann wrote: > Odd. Looking at the cmake file, it should try the argument specified in > --with-pcap first. However, I am not that big of an expert in make and did > not write that specific script, so you might have to bounce this back to > the mailing list :) > > Johanna > > > On 22 Sep 2016, at 11:01, erik clark wrote: > > Yep, I just reran configure and grepped it out of the output. It pulled the >> incorrect libpcap. >> >> On Thu, Sep 22, 2016 at 1:54 PM, Johanna Amann wrote: >> >> >>> >>> On 22 Sep 2016, at 10:47, erik clark wrote: >>> >>> I dug through the cmake files to see what was wrong. 
To get this to not >>> use >>> >>>> clang (and I have zero clue where that is being stored), you need to >>>> >>>> export "CMAKE_CXX_COMPILER=${location}" >>>> >>>> >>> Odd. I currently don't have an alternate compiler here - but I am quite >>> sure that that worked in the past when specifying CC/CXX before calling >>> configure... >>> >>> ldd bro states: >>> >>>> >>>> libpcap.so.1 => /usr/local/lib/libpcap.so.1 >>>> >>>> Even though I am specifying >>>> >>>> --with-pcap=/opt/pfring >>>> >>>> it is still digging up libpcap from /usr/local/lib, which is completely >>>> unrelated to the deployed pfring kernel module. :) >>>> >>>> >>> Does configure show that it chose that one too? (It is one of the first >>> few lines of configure output). >>> >>> Johanna >>> >>> -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160923/23bf6e2c/attachment.html From espressobeanies at gmail.com Fri Sep 23 06:33:48 2016 From: espressobeanies at gmail.com (Espresso Beanies) Date: Fri, 23 Sep 2016 09:33:48 -0400 Subject: [Bro] Question about Brownian project Message-ID: Hi, I'm trying to figure out what happened to the Brownian project (front-end for Bro) and whether or not there are other projects attempting to create a front-end for Bro IDS using ElasticSearch. Thank you, E -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160923/88bd0ba2/attachment.html From jazoff at illinois.edu Fri Sep 23 06:35:09 2016 From: jazoff at illinois.edu (Azoff, Justin S) Date: Fri, 23 Sep 2016 13:35:09 +0000 Subject: [Bro] problems compiling bro 25 master on centos 6 In-Reply-To: References: <20160922173026.GA13360@Beezling.local> <814FAD3C-B64C-41B1-9FB9-E34B1A0604B4@icir.org> Message-ID: <3513EB8D-B859-4BCD-AD83-C2F9994C195C@illinois.edu> > On Sep 23, 2016, at 8:10 AM, erik clark wrote: > > So, I get pfring "found"... 
but no plugin built. > > (from configure) > -- Found PCAP: /opt/pfring/lib/libpcap.so > -- Looking for pcap_get_pfring_id > -- Looking for pcap_get_pfring_id - found > > > Why is the plugin not being built? > > bro -N Bro::PF_RING > ... line 1: plugin Bro::PF_RING is not available > > This is the last hurdle I have to overcome. Not sure why it finds libpcap in the /opt/pfring directory, but doesn't build the plugin.

That's not the pf_ring plugin, it's the built-in support for pf_ring by using the libpcap wrapper. As the load-balancing documentation shows, you simply need to see if bro is linked against pf_ring:

$ ldd `which bro`|grep pcap
libpcap.so.1 => /opt/pfring/lib/libpcap.so.1 (0x00007f86d01af000)

-- - Justin Azoff

From philosnef at gmail.com Fri Sep 23 06:43:00 2016 From: philosnef at gmail.com (erik clark) Date: Fri, 23 Sep 2016 09:43:00 -0400 Subject: [Bro] problems compiling bro 25 master on centos 6 In-Reply-To: <3513EB8D-B859-4BCD-AD83-C2F9994C195C@illinois.edu> References: <20160922173026.GA13360@Beezling.local> <814FAD3C-B64C-41B1-9FB9-E34B1A0604B4@icir.org> <3513EB8D-B859-4BCD-AD83-C2F9994C195C@illinois.edu> Message-ID: How do I build the plugin then? The plugin is more useful, as whenever we upgrade pf_ring, we can just rebuild the plugin and not all of bro. We upgrade pf_ring on a regular basis.... On Fri, Sep 23, 2016 at 9:35 AM, Azoff, Justin S wrote: > > > On Sep 23, 2016, at 8:10 AM, erik clark wrote: > > > > So, I get pfring "found"... but no plugin built. > > > > (from configure) > > -- Found PCAP: /opt/pfring/lib/libpcap.so > > -- Looking for pcap_get_pfring_id > > -- Looking for pcap_get_pfring_id - found > > > > > > Why is the plugin not being built? > > > > bro -N Bro::PF_RING > > ... line 1: plugin Bro::PF_RING is not available > > > > This is the last hurdle I have to overcome. Not sure why it finds > libpcap in the /opt/pfring directory, but doesn't build the plugin.
> > That's not the pf_ring plugin, it's the built-insupport for pf_ring by > using the libpcap wrapper. As the load-balancing documentation shows, you > simply need to see if bro is linked against pf_ring: > > $ ldd `which bro`|grep pcap > libpcap.so.1 => /opt/pfring/lib/libpcap.so.1 (0x00007f86d01af000) > > > > -- > - Justin Azoff > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160923/67683a8d/attachment.html From mus3 at lehigh.edu Fri Sep 23 07:01:13 2016 From: mus3 at lehigh.edu (Munroe Sollog) Date: Fri, 23 Sep 2016 10:01:13 -0400 Subject: [Bro] Question about Brownian project In-Reply-To: References: Message-ID: <581ce9e7-8f6a-fa44-4f34-04acddcb071e@lehigh.edu> Take a look at Kibana. On 09/23/2016 09:33 AM, Espresso Beanies wrote: > Hi, > > I'm trying to figure out what happened to the Brownian project (front-end for Bro) and whether or > not there are other projects attempting to create a front-end for Bro IDS using ElasticSearch. > > Thank you, > E > > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > -- Munroe Sollog LTS - Network Analyst x85002 From sanjuanswan at gmail.com Fri Sep 23 07:09:48 2016 From: sanjuanswan at gmail.com (Jay Swan) Date: Fri, 23 Sep 2016 08:09:48 -0600 Subject: [Bro] Question about Brownian project In-Reply-To: References: Message-ID: If you're looking for something pre-built, Graylog2 is nice. If you want to use the standard Elastic stack, the key is to send your logs from Bro in JSON format, use the json_lines codec and the de_dot filter in Logstash, and at that point Kibana "Just Works". With Bro 2.5 I believe you can change the field delimiter to avoid the de_dot problem (Elasticsearch 2.x doesn't allow dots in field names, although Elasticsearch 5.x will). 
Jay On Fri, Sep 23, 2016 at 7:33 AM, Espresso Beanies wrote: > Hi, > > I'm trying to figure out what happened to the Brownian project (front-end > for Bro) and whether or not there are other projects attempting to create a > front-end for Bro IDS using ElasticSearch. > > Thank you, > E > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160923/e1b9e73c/attachment-0001.html From zeolla at gmail.com Fri Sep 23 07:28:25 2016 From: zeolla at gmail.com (Zeolla@GMail.com) Date: Fri, 23 Sep 2016 14:28:25 +0000 Subject: [Bro] Question about Brownian project In-Reply-To: References: Message-ID: Dots are allowed in ES 2.4, see https://www.elastic.co/blog/elasticsearch-2-4-0-released#_dots_in_fields_names_the_return Jon On Fri, Sep 23, 2016 at 10:21 AM Jay Swan wrote: > If you're looking for something pre-built, Graylog2 is nice. > > If you want to use the standard Elastic stack, the key is to send your > logs from Bro in JSON format, use the json_lines codec and the de_dot > filter in Logstash, and at that point Kibana "Just Works". With Bro 2.5 I > believe you can change the field delimiter to avoid the de_dot problem > (Elasticsearch 2.x doesn't allow dots in field names, although > Elasticsearch 5.x will). > > Jay > > > On Fri, Sep 23, 2016 at 7:33 AM, Espresso Beanies < > espressobeanies at gmail.com> wrote: > >> Hi, >> >> I'm trying to figure out what happened to the Brownian project (front-end >> for Bro) and whether or not there are other projects attempting to create a >> front-end for Bro IDS using ElasticSearch. 
>> >> Thank you, >> E >> >> _______________________________________________ >> Bro mailing list >> bro at bro-ids.org >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro >> > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro -- Jon -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160923/755dd975/attachment.html From vladg at illinois.edu Fri Sep 23 08:28:12 2016 From: vladg at illinois.edu (Vlad Grigorescu) Date: Fri, 23 Sep 2016 10:28:12 -0500 Subject: [Bro] Question about Brownian project In-Reply-To: References: Message-ID: The Brownian location hasn't changed; it's available here: https://github.com/grigorescu/Brownian In terms of what happened to it, there are two main issues: 1) ElasticSearch breaking compatibility in 2.X (though, thanks Jon for pointing out that this is fixed in the latest release), 2) broLogTypes.py needing to be updated for new log files. To me, this is the main advantage that Brownian has over other tools (which are much more powerful in terms of graphs and dashboards), in that Brownian "knows" that dns$query, even though it's technically a string, is often a domain name that you might want to do a lookup on. Or that ftp$user is a username that you might want to query in LDAP. From a personal perspective, Brownian started out of necessity, and I've switched jobs a couple of times in the meantime. At NCSA, we don't have an ElasticSearch cluster, so Brownian development hasn't been a priority, especially since I don't even know what the problems are these days. I still have a long todo list for Brownian, but to be honest, I'm not sure how many people are still using it today, and how many would benefit from improvements to it. I still look at pull requests and issues that come through (though I'm afraid that I'm often slow to respond to them). 
My hope is that one day Brownian is redone as a front-end to VAST, and is more tightly coupled with Bro, but this is a space that's always rapidly evolving and hard to predict. A long answer to your question, but it's been a while since I've given a status update on Brownian, and I think others may have been wondering the same thing.

--Vlad

Espresso Beanies writes: > Hi, > > I'm trying to figure out what happened to the Brownian project (front-end > for Bro) and whether or not there are other projects attempting to create a > front-end for Bro IDS using ElasticSearch. > > Thank you, > E > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 800 bytes Desc: not available Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160923/38775e13/attachment.bin

From johanna at icir.org Fri Sep 23 08:55:09 2016 From: johanna at icir.org (Johanna Amann) Date: Fri, 23 Sep 2016 08:55:09 -0700 Subject: [Bro] problems compiling bro 25 master on centos 6 In-Reply-To: References: <20160922173026.GA13360@Beezling.local> <814FAD3C-B64C-41B1-9FB9-E34B1A0604B4@icir.org> Message-ID:

The plugin is not being built automatically. By default, Bro uses libpcap (in this case, it is building against the pfring libpcap, so you are already using libpcap). The plugin uses pf_ring directly without going through libpcap. You have to build it manually by going to aux/plugins/libpcap after building bro, calling ./configure there (which should pick up libpcap), and then doing make/make install.

I hope this helps :)

Johanna

On 23 Sep 2016, at 5:10, erik clark wrote: > So, I get pfring "found"... but no plugin built.
> > (from configure) > -- Found PCAP: /opt/pfring/lib/libpcap.so > -- Looking for pcap_get_pfring_id > -- Looking for pcap_get_pfring_id - found > > Why is the plugin not being built? > > bro -N Bro::PF_RING > ... line 1: plugin Bro::PF_RING is not available > > This is the last hurdle I have to overcome. Not sure why it finds > libpcap > in the /opt/pfring directory, but doesn't build the plugin. > > On Thu, Sep 22, 2016 at 2:10 PM, Johanna Amann > wrote: > >> Odd. Looking at the cmake file, it should try the argument specified >> in >> --with-pcap first. However, I am not that big of an expert in make >> and did >> not write that specific script, so you might have to bounce this back >> to >> the mailing list :) >> >> Johanna >> >> >> On 22 Sep 2016, at 11:01, erik clark wrote: >> >> Yep, I just reran configure and grepped it out of the output. It >> pulled the >>> incorrect libpcap. >>> >>> On Thu, Sep 22, 2016 at 1:54 PM, Johanna Amann >>> wrote: >>> >>> >>>> >>>> On 22 Sep 2016, at 10:47, erik clark wrote: >>>> >>>> I dug through the cmake files to see what was wrong. To get this to >>>> not >>>> use >>>> >>>>> clang (and I have zero clue where that is being stored), you need >>>>> to >>>>> >>>>> export "CMAKE_CXX_COMPILER=${location}" >>>>> >>>>> >>>> Odd. I currently don't have an alternate compiler here - but I am >>>> quite >>>> sure that that worked in the past when specifying CC/CXX before >>>> calling >>>> configure... >>>> >>>> ldd bro states: >>>> >>>>> >>>>> libpcap.so.1 => /usr/local/lib/libpcap.so.1 >>>>> >>>>> Even though I am specifying >>>>> >>>>> --with-pcap=/opt/pfring >>>>> >>>>> it is still digging up libpcap from /usr/local/lib, which is >>>>> completely >>>>> unrelated to the deployed pfring kernel module. :) >>>>> >>>>> >>>> Does configure show that it chose that one too? (It is one of the >>>> first >>>> few lines of configure output). 
>>>> >>>> Johanna >>>> >>>> From lvrfrc87 at gmail.com Fri Sep 23 08:59:17 2016 From: lvrfrc87 at gmail.com (Federico Olivieri) Date: Fri, 23 Sep 2016 16:59:17 +0100 Subject: [Bro] broctl status peers 0 / critical stack is running? Message-ID: Hi everybody, I'm new in BRO and first of all I would say...thank you for the great product developed! It is such good and well done! Easy to use! I love it the integration with critical stack! I have managed to set up and run BRO on my raspi and everything is ok. Just a couple of questions: 1-Can someone explain me the meaning of Peer column? root at raspberrypi:~# broctl status Getting process status ... Getting peer status ... Name Type Host Status Pid Peers Started bro standalone localhost running 6695 0 23 Sep 08:55:03 2-How can I check if critical-stuck is "feeding" BRO? Thanks! Federico -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160923/3ec2c3b6/attachment.html From gfaulkner.nsm at gmail.com Fri Sep 23 09:30:24 2016 From: gfaulkner.nsm at gmail.com (Gary Faulkner) Date: Fri, 23 Sep 2016 11:30:24 -0500 Subject: [Bro] broctl status peers 0 / critical stack is running? In-Reply-To: References: Message-ID: <0d5ec122-6570-43ad-9f84-e67102a6e9ab@gmail.com> The peer column is for when you operate Bro in cluster mode. It will show how many workers are connected to the manager and proxies. Since you are in stand-alone mode, this will not show any peers. ~Gary On 9/23/2016 10:59 AM, Federico Olivieri wrote: > Hi everybody, > I'm new in BRO and first of all I would say...thank you for the great > product developed! It is such good and well done! Easy to use! I love > it the integration with critical stack! > > I have managed to set up and run BRO on my raspi and everything is ok. > Just a couple of questions: > > 1-Can someone explain me the meaning of Peer column? > > root at raspberrypi:~# broctl status > Getting process status ... 
> Getting peer status ... > Name Type Host Status Pid Peers Started > bro standalone localhost running 6695 0 23 Sep > 08:55:03 > > 2-How can I check if critical-stuck is "feeding" BRO? > > Thanks! > Federico > > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160923/7c41f06c/attachment.html From art.maddalena at teamaol.com Fri Sep 23 10:26:50 2016 From: art.maddalena at teamaol.com (Art Maddalena) Date: Fri, 23 Sep 2016 13:26:50 -0400 Subject: [Bro] Monitoring a directory and running bro on the PCAPs Message-ID: Does anyone have experience using Bro to run its analysis on PCAPs being written to a directory in an automated fashion? Should a cron just be run at a lag using bro -r and script options? Thank you, -Art -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160923/5d9a55c6/attachment-0001.html From lvrfrc87 at gmail.com Sat Sep 24 01:02:11 2016 From: lvrfrc87 at gmail.com (Federico Olivieri) Date: Sat, 24 Sep 2016 09:02:11 +0100 Subject: [Bro] broctl status peers 0 / critical stack is running? In-Reply-To: <0d5ec122-6570-43ad-9f84-e67102a6e9ab@gmail.com> References: <0d5ec122-6570-43ad-9f84-e67102a6e9ab@gmail.com> Message-ID: Thanks Gary for the info! Are you able to provide me info about my second question as well? 2-How can I check if critical-stuck is "feeding" BRO? Federico 2016-09-23 17:30 GMT+01:00 Gary Faulkner : > The peer column is for when you operate Bro in cluster mode. It will show > how many workers are connected to the manager and proxies. Since you are in > stand-alone mode, this will not show any peers. 
> ~Gary > > > On 9/23/2016 10:59 AM, Federico Olivieri wrote: > > Hi everybody, > I'm new in BRO and first of all I would say...thank you for the great > product developed! It is such good and well done! Easy to use! I love it > the integration with critical stack! > > I have managed to set up and run BRO on my raspi and everything is ok. > Just a couple of questions: > > 1-Can someone explain me the meaning of Peer column? > > root at raspberrypi:~# broctl status > Getting process status ... > Getting peer status ... > Name Type Host Status Pid Peers Started > bro standalone localhost running 6695 0 23 Sep > 08:55:03 > > 2-How can I check if critical-stuck is "feeding" BRO? > > Thanks! > Federico > > > _______________________________________________ > Bro mailing listbro at bro-ids.orghttp://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160924/c995b385/attachment.html From hhoffman at ip-solutions.net Sat Sep 24 05:49:29 2016 From: hhoffman at ip-solutions.net (Harry Hoffman) Date: Sat, 24 Sep 2016 08:49:29 -0400 Subject: [Bro] bro-cut -c vs -C Message-ID: Hi Folks, I can't tell if I'm reading the man page for bro-cut incorrectly or if there's a bug. bro-cut -c and bro-cut -C seems to output the same headers. The man page states: -c Include the first format header block into the output. -C Include all format header blocks into the output. Can someone tell me what the difference should be? Cheers, Harry From dnthayer at illinois.edu Sat Sep 24 07:38:42 2016 From: dnthayer at illinois.edu (Daniel Thayer) Date: Sat, 24 Sep 2016 09:38:42 -0500 Subject: [Bro] bro-cut -c vs -C In-Reply-To: References: Message-ID: <2817f9b4-3883-bb4c-0563-88ac5e0c1023@illinois.edu> On 9/24/16 7:49 AM, Harry Hoffman wrote: > Hi Folks, > > I can't tell if I'm reading the man page for bro-cut incorrectly or if > there's a bug. 
> > bro-cut -c and bro-cut -C seems to output the same headers. The man page states: > > -c Include the first format header block into the output. > -C Include all format header blocks into the output. > > Can someone tell me what the difference should be? > > Cheers, > Harry The -C option is useful when bro-cut is reading more than one log file, because it allows you to see the boundaries between each log file. For example: gunzip -c conn.*.log.gz | bro-cut -C From jazoff at illinois.edu Sat Sep 24 20:38:17 2016 From: jazoff at illinois.edu (Azoff, Justin S) Date: Sun, 25 Sep 2016 03:38:17 +0000 Subject: [Bro] bro-cut -c vs -C In-Reply-To: <2817f9b4-3883-bb4c-0563-88ac5e0c1023@illinois.edu> References: <2817f9b4-3883-bb4c-0563-88ac5e0c1023@illinois.edu> Message-ID: <6C0A38DF-0F7B-41FF-BE8A-06664016B34B@illinois.edu> > On Sep 24, 2016, at 10:38 AM, Daniel Thayer wrote: > > On 9/24/16 7:49 AM, Harry Hoffman wrote: >> Hi Folks, >> >> I can't tell if I'm reading the man page for bro-cut incorrectly or if >> there's a bug. >> >> bro-cut -c and bro-cut -C seems to output the same headers. The man page states: >> >> -c Include the first format header block into the output. >> -C Include all format header blocks into the output. >> >> Can someone tell me what the difference should be? >> >> Cheers, >> Harry > > > The -C option is useful when bro-cut is reading more than one log file, > because it allows you to see the boundaries between each log file. > > For example: > gunzip -c conn.*.log.gz | bro-cut -C -C is also needed if the columns are expected to change at any point.. i.e. cat conn.log dns.log |bro-cut -C uid id.orig_h query or, something like dumping log archives for a time period that includes a bro version upgrade that added/removed fields. Now that I really think about it, it would make the most sense for -C to only output a header block if there was a change from the previous one... and possibly -c should just do that too. 
Only outputting the first header block is possibly the wrong thing to do if the header block for the selected fields ever changes. -- - Justin Azoff From gfaulkner.nsm at gmail.com Sun Sep 25 10:07:39 2016 From: gfaulkner.nsm at gmail.com (Gary Faulkner) Date: Sun, 25 Sep 2016 12:07:39 -0500 Subject: [Bro] broctl status peers 0 / critical stack is running? In-Reply-To: References: <0d5ec122-6570-43ad-9f84-e67102a6e9ab@gmail.com> Message-ID: <96c519fb-b79e-acbd-afb9-77ee06072963@gmail.com> I haven't set up Critical Stack before, but my understanding is that if set up correctly you should be seeing an intel.log file being generated. There is an article over at Taosecurity that includes a link to a Google Doc with better details than I can provide. Link below: http://taosecurity.blogspot.com/2015/01/try-critical-stack-intel-client.html ~Gary On 9/24/2016 3:02 AM, Federico Olivieri wrote: > Thanks Gary for the info! Are you able to provide me info about my > second question as well? > > 2-How can I check if critical-stuck is "feeding" BRO? > > Federico > > 2016-09-23 17:30 GMT+01:00 Gary Faulkner >: > > The peer column is for when you operate Bro in cluster mode. It > will show how many workers are connected to the manager and > proxies. Since you are in stand-alone mode, this will not show any > peers. > > ~Gary > > > On 9/23/2016 10:59 AM, Federico Olivieri wrote: >> Hi everybody, >> I'm new in BRO and first of all I would say...thank you for the >> great product developed! It is such good and well done! Easy to >> use! I love it the integration with critical stack! >> >> I have managed to set up and run BRO on my raspi and everything >> is ok. Just a couple of questions: >> >> 1-Can someone explain me the meaning of Peer column? >> >> root at raspberrypi:~# broctl status >> Getting process status ... >> Getting peer status ... 
>> Name Type Host Status Pid Peers Started >> bro standalone localhost running 6695 0 23 >> Sep 08:55:03 >> >> 2-How can I check if critical-stuck is "feeding" BRO? >> >> Thanks! >> Federico >> >> >> _______________________________________________ >> Bro mailing list >> bro at bro-ids.org >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160925/63813a1a/attachment.html From jedwards2728 at gmail.com Sun Sep 25 20:28:01 2016 From: jedwards2728 at gmail.com (John Edwards) Date: Mon, 26 Sep 2016 13:28:01 +1000 Subject: [Bro] Bro 2.4.1 documentation Message-ID: Hi all, I am reading through Bro's documentation for a variety of purposes, I am new to it and really want to understand the internals, the scripting language, scaling up for clustering for larger link monitoring etc. I find the websites layout not that good for reading as I am reading a book about any other open source project I read about. Other open source security projects I read about have PDFs versions of their documentation so people can print it out etc. Is the same thing available for Bro? Have copied all of the doco into a word document but cancelled that as formatting was ugly. The only mention of Bro in a book I have found is a couple pages long. I'd like the entire documentation available for whatever latest release but as PDF. Anyone else know where to find it? Or if it's even available? Thanks, John -------------- next part -------------- An HTML attachment was scrubbed... 
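The bro-cut -c/-C exchange above (Harry, Daniel and Justin) comes down to what should happen to the header block when the columns change between concatenated logs, for instance when conn.log and dns.log are piped through together. What follows is an added example, not bro-cut itself and not code from the Bro project: a small Python reader that selects columns by name across concatenated Bro ASCII logs and can print the header block never, once, on every file, or only when the selected columns' names or types actually change, which is the behaviour Justin floats at the end of his reply. Assumptions: the two sample logs are constructed, and a field that a given log does not have is printed as that log's #unset_field value (a choice made here; bro-cut's own handling of a missing field may differ).

```python
"""Header-aware column selection over concatenated Bro ASCII logs.

Added example, not bro-cut itself.  It models bro-cut -c (first header
block only), -C (every header block) and the "header only when the
selected columns change" behaviour suggested in the thread, so that
`cat conn.log dns.log | bro-cut ...` style input never mislabels columns.
The sample logs below are constructed, not captured.
"""
from typing import Iterable, Iterator, List, Optional


def parse_separator(line: str) -> str:
    """The '#separator \\x09' line writes the separator as \\xNN after a space."""
    return line.split(" ", 1)[1].encode("ascii").decode("unicode_escape")


def bro_cut(lines: Iterable[str], fields: List[str], headers: str = "none") -> Iterator[str]:
    """Yield the requested columns, tab-separated, from one or more concatenated logs.

    headers: "none"    no header lines (bro-cut default)
             "first"   first header block only (bro-cut -c)
             "all"     every header block plus #close lines (bro-cut -C)
             "changed" a header block only when the selected names or types
                       differ from the last block printed
    A field missing from a log is rendered with that log's #unset_field value
    (an assumption made here; bro-cut's own handling may differ).
    """
    if headers not in ("none", "first", "all", "changed"):
        raise ValueError("unknown header mode: %r" % headers)
    sep, unset = "\t", "-"
    idx: Optional[List[Optional[int]]] = None  # column position of each requested field
    pending: List[str] = []                    # header block not yet printed
    last_key: Optional[str] = None             # #fields/#types of the last printed block
    printed_blocks = 0

    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        if line.startswith("#separator"):       # a new log (file) starts here
            sep = parse_separator(line)
            idx, pending = None, [line]
            continue
        if line.startswith("#"):
            cols = line.split(sep)
            tag = cols[0]
            if tag == "#unset_field":
                unset = cols[1]
            if tag == "#fields":
                names = cols[1:]
                idx = [names.index(f) if f in names else None for f in fields]
                pending.append("\t".join(["#fields"] + fields))
            elif tag == "#types":
                if idx is None:
                    raise ValueError("#types before #fields")
                types = cols[1:]
                pending.append("\t".join(["#types"] + [types[i] if i is not None else unset for i in idx]))
            elif tag == "#close":
                if headers == "all":
                    yield line
            else:
                pending.append(line)  # #set_separator, #empty_field, #unset_field, #path, #open
            continue
        if idx is None:
            raise ValueError("data row before any #fields header")
        if pending:  # first data row of a block decides whether its header is printed
            key = "\n".join(h for h in pending if h.startswith(("#fields", "#types")))
            show = (headers == "all"
                    or (headers == "first" and printed_blocks == 0)
                    or (headers == "changed" and key != last_key))
            if show:
                for h in pending:
                    yield h
                last_key, printed_blocks = key, printed_blocks + 1
            pending = []
        cols = line.split(sep)
        yield "\t".join(cols[i] if i is not None else unset for i in idx)


# Constructed sample logs (two rows each), not real captures.
CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#open\t2016-09-24-00-00-00
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
#types\ttime\tstring\taddr\tport\taddr\tport\tenum
1474675200.000000\tCXWv6p3arKYeMETxOg\t10.0.0.5\t51234\t93.184.216.34\t80\ttcp
1474675201.000000\tCUM0KZ3MLUfNB0cl11\t10.0.0.5\t51235\t93.184.216.34\t443\ttcp
#close\t2016-09-24-01-00-00
"""
DNS_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tdns
#open\t2016-09-24-00-00-00
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\ttrans_id\tquery\tqtype_name
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tcount\tstring\tstring
1474675202.000000\tCjhGID4nQcgTWjvg4c\t10.0.0.5\t52000\t10.0.0.1\t53\tudp\t12345\twww.example.com\tA
1474675203.000000\tCNSrLH4XQBwAdzKyjf\t10.0.0.7\t52001\t10.0.0.1\t53\tudp\t12346\tmail.example.com\tMX
#close\t2016-09-24-01-00-00
"""


def demo(headers: str = "changed") -> List[str]:
    """Equivalent of `cat conn.log dns.log | bro-cut -C uid id.orig_h query`."""
    return list(bro_cut((CONN_LOG + DNS_LOG).splitlines(), ["uid", "id.orig_h", "query"], headers))


if __name__ == "__main__":
    print("\n".join(demo()))
```

With "changed", the dns block gets its own header because the type of the query column goes from unset to string; requesting only uid and id.orig_h prints a single header for both files, which is the case the thread identifies as the one where -c is enough.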
From philosnef at gmail.com Mon Sep 26 05:26:31 2016 From: philosnef at gmail.com (erik clark) Date: Mon, 26 Sep 2016 08:26:31 -0400 Subject: [Bro] How to build Bro on RH 67 (instructions) Message-ID:

Since RH67 does not support a c++11 compiler by default, you have to do several things to build the PF_RING plugin, and bro itself. These are the step by step instructions needed.

1. sudo rpm --import http://ftp.scientificlinux.org/linux/scientific/5x/x86_64/RPM-GPG-KEYs/RPM-GPG-KEY-cern
2. wget -O /etc/yum.repos.d/slc6-devtoolset.repo http://linuxsoft.cern.ch/cern/devtoolset/slc6-devtoolset.repo
3. sudo yum install devtoolset-2 (This is a LOT of packages, be prepared to wait a while. This deployed something like 300 packages to my system)
4. Pull bro
5. export "CMAKE_CXX_COMPILER=/opt/rh/devtoolset-2/root/usr/bin/g++"
6. sh configure (with what you need)
7. make && make install
8. cd aux/plugins/pf_ring/build
9. mv CMakeCache.txt CMakeCache.txt.out
10. cd CMakeFiles && mv 2.8.12.2 2.8.12.2.out
11. cd ../../ && sh configure --with-pfring=$yourpfringhere

I was able to perform this repeatedly. You MUST compile all parts of this with the devtoolset, or you will get segfaults and all sorts of things. This means I had to build pfring, geoip pe_xor with the devtoolset before I could build bro.

Note: Shamelessly stole two steps from https://gist.github.com/stephenturner/e3bc5cfacc2dc67eca8b for installing devtoolset-2.

Erik

-------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160926/ff28830f/attachment.html

From michalpurzynski1 at gmail.com Mon Sep 26 05:56:19 2016 From: michalpurzynski1 at gmail.com (Michał Purzyński) Date: Mon, 26 Sep 2016 14:56:19 +0200 Subject: [Bro] How to build Bro on RH 67 (instructions) In-Reply-To: References: Message-ID: Excellent answer!
Can we have that included in official bro documentation? Like it or not, RHEL 6 is not going anywhere for a while. Also shows how to build packages on any other old system, granted that you can get an new toolchain. > On 26 Sep 2016, at 14:26, erik clark wrote: > > Since RH67 does not support a c++11 compiler by default, you have to do several things to build the PF_RING plugin, and bro itself. These are the step by step instructions needed. > > > 1. sudo rpm --import http://ftp.scientificlinux.org/linux/scientific/5x/x86_64/RPM-GPG-KEYs/RPM-GPG-KEY-cern > > 2. wget -O /etc/yum.repos.d/slc6-devtoolset.repo http://linuxsoft.cern.ch/cern/devtoolset/slc6-devtoolset.repo > > 3. sudo yum install devtoolset-2 (This is a LOT of packages, be prepared to wait a while. This deployed something like 300 packages to my system) > > 4. Pull bro > > 5. export "CMAKE_CXX_COMPILER=/opt/rh/devtoolset-2/root/usr/bin/g++" > > 6. sh configure (with what you need) > > 7. make && make install > > 8. cd aux/plugins/pf_ring/build > > 9. mv CMakeCache.txt CMakeCache.txt.out > > 10. cd CMakeFiles && mv 2.8.12.2 2.8.12.2.out > > 11. cd ../../ && sh configure --with-pfring=$yourpfringhere > > > > I was able to perform this repeatedly. You MUST compile all parts of this with the devtoolset, or you will get segfaults and all sorts of things. This means I had to build pfring, geoip pe_xor with the devtoolset before I could build bro. > > Note: Shamelessly stole two steps from https://gist.github.com/stephenturner/e3bc5cfacc2dc67eca8b for installing devtoolset-2. > > > Erik > > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro -------------- next part -------------- An HTML attachment was scrubbed... 
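Two checks that follow from the build notes above and from the earlier pf_ring thread (Justin's ldd check), written as an added example rather than anything shipped with Bro or PF_RING. The first confirms that every CMakeCache.txt in the tree (bro's own and each plugin's build directory) recorded the same C++ compiler, which is exactly what goes wrong when a plugin's configure ignores the exported CMAKE_CXX_COMPILER and the mixed toolchains show up later as segfaults. The second confirms that the bro binary resolves libpcap from the PF_RING prefix rather than /usr/local/lib. The devtoolset path and the /opt/pfring prefix are the ones used in the thread; the ldd lines inside the script are constructed samples, not output from a real host.

```shell
#!/bin/sh
# Added example, not part of Bro or PF_RING: plain-text checks for a
# from-source Bro + PF_RING build on an old distribution.  Every component
# (bro, the pf_ring plugin, other plugins) must be compiled with the same
# newer C++ toolchain, and bro must resolve libpcap from the PF_RING
# prefix.  Compiler path and prefix below are the thread's; substitute yours.

# Print the C++ compiler CMake recorded for one build directory.
cmake_cxx_compiler() {
    sed -n 's/^CMAKE_CXX_COMPILER:FILEPATH=//p' "$1"
}

# check_toolchain EXPECTED_CXX CACHE...  -> 0 if every CMakeCache.txt
# (bro's own build/ and each plugin's build/) recorded EXPECTED_CXX.
# A plugin whose configure ignored the exported compiler shows up here.
check_toolchain() {
    expected=$1; shift
    rc=0
    for cache in "$@"; do
        got=$(cmake_cxx_compiler "$cache")
        if [ "$got" != "$expected" ]; then
            echo "MISMATCH $cache: ${got:-<no CMAKE_CXX_COMPILER>} (expected $expected)" >&2
            rc=1
        fi
    done
    return $rc
}

# Read `ldd bro` output on stdin and print the libpcap path it resolved.
pcap_link_target() {
    sed -n 's/^[[:space:]]*libpcap\.so[^=]*=> \([^ ]*\).*/\1/p'
}

# check_pfring_pcap PREFIX  (ldd output on stdin) -> 0 if that libpcap
# lives under PREFIX, i.e. the PF_RING-aware libpcap and not the system one.
check_pfring_pcap() {
    prefix=$1
    target=$(pcap_link_target)
    case "$target" in
        "$prefix"/*) return 0 ;;
        *) echo "bro resolves libpcap from ${target:-<none>}, not under $prefix" >&2
           return 1 ;;
    esac
}

# Constructed sample ldd lines so the checks can be exercised offline.
SAMPLE_LDD_OK='	libpcap.so.1 => /opt/pfring/lib/libpcap.so.1 (0x00007f86d01af000)'
SAMPLE_LDD_BAD='	libpcap.so.1 => /usr/local/lib/libpcap.so.1 (0x00007f7f3d0a2000)'

# Against a real source tree, from its top level:  sh check_build.sh --run
if [ "${1:-}" = "--run" ]; then
    check_toolchain /opt/rh/devtoolset-2/root/usr/bin/g++ \
        build/CMakeCache.txt aux/plugins/pf_ring/build/CMakeCache.txt
    ldd "$(command -v bro)" | check_pfring_pcap /opt/pfring
fi
```

Run it after step 11 above and again after building any further plugin; a MISMATCH line names the build directory whose cache has to be regenerated with the right compiler before anything from it is loaded into bro.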
From philosnef at gmail.com Mon Sep 26 06:47:11 2016 From: philosnef at gmail.com (erik clark) Date: Mon, 26 Sep 2016 09:47:11 -0400 Subject: [Bro] problem with bro json log format Message-ID:

So, I am not sure what's going on, but when I do:

python -m json.tool < $somelog

I get

Extra data: line 2 column 1 - line 3 column 1 (char 507 - 1011)

All I did was turn json format logging on in ascii writer conf. All of my bro logs can't seem to be parsed by json.tool....

-------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160926/3833bb60/attachment.html

From jazoff at illinois.edu Mon Sep 26 06:51:37 2016 From: jazoff at illinois.edu (Azoff, Justin S) Date: Mon, 26 Sep 2016 13:51:37 +0000 Subject: [Bro] problem with bro json log format In-Reply-To: References: Message-ID: <7D7DECA5-3416-4524-AD8F-178AD260998E@illinois.edu>

> On Sep 26, 2016, at 9:47 AM, erik clark wrote: > > So, I am not sure what's going on, but when I do: > > python -m json.tool < $somelog > > I get > > Extra data: line 2 column 1 - line 3 column 1 (char 507 - 1011) > > All I did was turn json format logging on in ascii writer conf. All of my bro logs can't seem to be parsed by json.tool....

json.tool tries to read the entire log file as a single json record when it consists of one json record per line.

Use jq instead: https://stedolan.github.io/jq/

-- - Justin Azoff

From philosnef at gmail.com Mon Sep 26 06:57:47 2016 From: philosnef at gmail.com (erik clark) Date: Mon, 26 Sep 2016 09:57:47 -0400 Subject: [Bro] problem with bro json log format In-Reply-To: <7D7DECA5-3416-4524-AD8F-178AD260998E@illinois.edu> References: <7D7DECA5-3416-4524-AD8F-178AD260998E@illinois.edu> Message-ID: Yep, I had just gone down that route. :) I had mistakenly believed that json.tool did more than one record at once.
Thanks for the fast response Justin!

On Mon, Sep 26, 2016 at 9:51 AM, Azoff, Justin S wrote: > > On Sep 26, 2016, at 9:47 AM, erik clark wrote: > > > > So, I am not sure what's going on, but when I do: > > > > python -m json.tool < $somelog > > > > I get > > > > Extra data: line 2 column 1 - line 3 column 1 (char 507 - 1011) > > > > All I did was turn json format logging on in ascii writer conf. All of > my bro logs can't seem to be parsed by json.tool.... > > json.tool tries to read the entire log file as a single json record when > it consists of one json record per line. > > Use jq instead: https://stedolan.github.io/jq/ > > > > -- > - Justin Azoff > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160926/22027622/attachment.html

From tgdesrochers at gmail.com Mon Sep 26 08:47:20 2016 From: tgdesrochers at gmail.com (tgdesrochers at gmail.com) Date: Mon, 26 Sep 2016 11:47:20 -0400 Subject: [Bro] broctl status peers 0 / critical stack is running? In-Reply-To: <96c519fb-b79e-acbd-afb9-77ee06072963@gmail.com> References: <0d5ec122-6570-43ad-9f84-e67102a6e9ab@gmail.com> <96c519fb-b79e-acbd-afb9-77ee06072963@gmail.com> Message-ID: <57e94309.4743370a.2fcb0.c866@mx.google.com>

I believe if it is working correctly you will find the file "master-public.bro.dat" inside the criticalstack install directory. The path to that file needs to be added to your __load__.bro in your /usr/local/bro/share/bro/intel/ directory. Then make sure you load the intel framework in your local.bro and you should be good to go.

From: Gary Faulkner -------------- next part -------------- An HTML attachment was scrubbed...
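Following up on the json.tool thread above: an added Python example (not Bro's code; the two records in it are constructed) that reads the logs the way Justin describes, one JSON object per line. It shows why decoding the whole file fails with "Extra data", decodes only complete lines so that a log Bro is still appending to can be followed without tripping on a half-written record, selects fields the way the jq invocation would, and rewrites the dotted keys ("id.orig_h") for an Elasticsearch release that rejects them, which is the problem the Brownian thread touched on earlier. That Bro keeps the dots in JSON keys and omits unset fields is how its JSON output behaves; the rest is this example's own choices.

```python
"""Reading Bro's JSON logs, which are one JSON object per line, not one
JSON document per file.

Added example, not from the Bro project.  The records below are
constructed, not captured; they mirror the shape of conn.log with the
ASCII writer's JSON output enabled (dotted field names such as
"id.orig_h" are kept as literal keys, and unset fields are simply absent).
"""
import json
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

SAMPLE_LOG = (
    '{"ts":1474898400.123456,"uid":"CXWv6p3arKYeMETxOg","id.orig_h":"10.0.0.5",'
    '"id.orig_p":51234,"id.resp_h":"93.184.216.34","id.resp_p":80,"proto":"tcp",'
    '"service":"http","duration":0.42}\n'
    '{"ts":1474898401.5,"uid":"CUM0KZ3MLUfNB0cl11","id.orig_h":"10.0.0.5",'
    '"id.orig_p":51235,"id.resp_h":"93.184.216.34","id.resp_p":443,"proto":"tcp"}\n'
)


def whole_file_parse_error(text: str) -> Optional[str]:
    """What `python -m json.tool < conn.log` does: decode the whole file as one
    document.  Returns the decoder's message ("Extra data" for a multi-record
    file) or None if it parsed."""
    try:
        json.loads(text)
        return None
    except json.JSONDecodeError as e:
        return e.msg


def iter_records(lines: Iterable[str]) -> Iterator[Dict]:
    """Decode one record per line, skipping blank lines; report the offending
    line number instead of a character offset into the whole file."""
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError as e:
            raise ValueError("line %d: %s" % (lineno, e.msg)) from None


def decode_complete(buf: str) -> Tuple[List[Dict], str]:
    """For a log Bro is still appending to: decode only the complete lines in
    `buf` and hand back the trailing partial line so the caller can prepend
    it to the next chunk read from the file."""
    *complete, remainder = buf.split("\n")
    return [json.loads(l) for l in complete if l.strip()], remainder


def select(record: Dict, fields: List[str], unset: str = "-") -> List:
    """Pick columns the way `jq -r '[.uid, ."id.orig_h"] | @tsv'` would,
    substituting a placeholder for fields Bro left out because they were unset."""
    return [record.get(f, unset) for f in fields]


def de_dot(record: Dict, separator: str = "_") -> Dict:
    """Rewrite dotted keys ("id.orig_h" -> "id_orig_h") for an Elasticsearch
    release that rejects dots in field names; this is what Logstash's de_dot
    filter does in its default, non-nested mode."""
    return {k.replace(".", separator): v for k, v in record.items()}


if __name__ == "__main__":
    print("whole file:", whole_file_parse_error(SAMPLE_LOG))
    for rec in iter_records(SAMPLE_LOG.splitlines()):
        print("\t".join(str(v) for v in select(rec, ["uid", "id.orig_h", "id.resp_p", "service"])))
```

For a live file, read a chunk, call decode_complete on the leftover plus the chunk, and keep the returned remainder for the next read; never feed the remainder to the decoder on its own, since a record cut at a chunk boundary is not malformed, only incomplete.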
From philosnef at gmail.com Mon Sep 26 09:47:39 2016 From: philosnef at gmail.com (erik clark) Date: Mon, 26 Sep 2016 12:47:39 -0400 Subject: [Bro] broala pe_xor plugin compile issues Message-ID:

Despite setting CMAKE_CXX_COMPILER to $pathtodevtoolset-2/g++, the configure script still erroneously fills in the cmake files. Specifically,

CMAKE_CXX_COMPILER:FILEPATH=$pathtog++

I had to manually edit CMakeCache.txt and CMakeCXXCompiler.cmake as nothing supplied to configure as exported environment variables would get this to build properly. After doing this (and this is the _wrong_ way to "fix" this problem), the plugin built correctly and inserted itself into bro.

-------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160926/d760a938/attachment-0001.html

From alex.hope at shopify.com Mon Sep 26 10:08:39 2016 From: alex.hope at shopify.com (Alex Hope) Date: Mon, 26 Sep 2016 13:08:39 -0400 Subject: [Bro] Bro questions from a rookie Message-ID:

Hi! I'm a rookie Bro developer doing an internship. My first task requires me to work with Bro to tidy up how we use Bro to monitor network traffic. I'm trying to use the new_connection event to act as a catch-all for all traffic that doesn't fall into more specific categories. I have three questions:

1. If there is a DNS connection, how do I access that part of the record? If c is the connection, do I simply use c$dns$query and call it a day? So far that hasn't worked for me.

2. In the event that I can't just use new_connection for everything and then filter my reporting from there, is there a generic "dns_reply" type of event or do I need to use dns_A_reply and dns_AAAA_reply and so on for all DNS replies?

3.
If I end up running with the various DNS reply events *and* the new_connection event in order to capture "everything else," is there a built-in way to only execute one event response when multiple events are triggered? For example, if I get a DNS A reply, that'll trigger the dns_A_reply event as well as the new_connection event. I'd like to only handle that traffic in the dns_A_reply event and not bother executing the new_connection event. Short of setting up some sort of global "Has already been handled" flag, is there a built-in way to run an event ONLY IF no other events were triggered?

Thanks,
Alex

From ysrivas at ncsu.edu Mon Sep 26 13:01:23 2016
From: ysrivas at ncsu.edu (Yagyesh Srivastava)
Date: Mon, 26 Sep 2016 16:01:23 -0400
Subject: [Bro] Newbie at bro, some questions
Message-ID:

Hi,

I am very new to bro, I don't quite fully understand how traces work. What I need to do is generate some attack traffic to test the changes I am trying to make. I see there are some traces in bro, how do these work? As in how can I use those to test with bro?

Also in the bro traces, I don't find the traffic for DOS attack and sql injection attack, can we find the traces for these somewhere else?

Thanks and regards
Yagyesh

From brot212 at googlemail.com Mon Sep 26 13:17:11 2016
From: brot212 at googlemail.com (Dane Wullen)
Date: Mon, 26 Sep 2016 22:17:11 +0200
Subject: [Bro] Newbie at bro, some questions
In-Reply-To:
References:
Message-ID:

Hi there,

you can read in trace files via a command shell:

bro -r

Bro will then generate log files in the directory you run the command.
To test a bro-script with a trace file you could run the command

bro -r

Cheers

On 26.09.2016 at 22:01, Yagyesh Srivastava wrote:

From ysrivas at ncsu.edu Mon Sep 26 15:08:36 2016
From: ysrivas at ncsu.edu (Yagyesh Srivastava)
Date: Mon, 26 Sep 2016 18:08:36 -0400
Subject: [Bro] Newbie at bro, some questions
In-Reply-To:
References:
Message-ID:

That's great, thanks.

Could anyone please let me know, what if we want to test some attack traffic which is not mentioned in the traces. How do we do that? Do we have some more traces present which don't come to bro directory by default? Because I feel SQL Injection and HTTP brute force are common attack traffic and should ideally be present in the traces.

Regards

On Sep 26, 2016 4:17 PM, "Dane Wullen" wrote:
From philosnef at gmail.com Tue Sep 27 06:46:37 2016
From: philosnef at gmail.com (erik clark)
Date: Tue, 27 Sep 2016 09:46:37 -0400
Subject: [Bro] Fox-IT smb-ransomware bro script
Message-ID:

Has anyone had any success with Fox-IT's smb-ransomware script? See:
https://github.com/fox-it/bro-scripts/blob/master/smb-ransomware/smb-ransomware.bro

I am getting:

error in ./smb-ransomware.bro, line 80: no such field in record (FoxCryptoRansom::c$smb_state)
error in ./smb-ransomware.bro, line 84: no such field in record (FoxCryptoRansom::c$smb_state)
error in ./smb-ransomware.bro, line 84: unknown identifier SMB::FILE_WRITE, at or near "SMB::FILE_WRITE"

I didn't want to open a github issue if there is a simple fix that I am unaware of. Thanks!

From seth at icir.org Tue Sep 27 06:56:14 2016
From: seth at icir.org (Seth Hall)
Date: Tue, 27 Sep 2016 09:56:14 -0400
Subject: [Bro] Bro questions from a rookie
In-Reply-To:
References:
Message-ID: <4D53A81A-108A-4030-A288-81831D1CEAE9@icir.org>

> On Sep 26, 2016, at 1:08 PM, Alex Hope wrote:
>
> Hi! I'm a rookie Bro developer doing an internship.
> My first task requires me to work with Bro to tidy up how we use Bro to monitor network traffic. I'm trying to use the new_connection event to act as a catch-all for all traffic that doesn't fall into more specific categories. I have three questions:

Great!

> 1. If there is a DNS connection, how do I access that part of the record? If c is the connection, do I simply use
> c$dns$query
> and call it a day? So far that hasn't worked for me.

The first thing to know is that c$dns and most of the other protocol specific fields in the connection record are just where logs are stored before being written out. The other thing to keep in mind is that the log record is built out over time based on seeing different messages. In the case of DNS, it fills out some fields from the request and some fields from the response. If you attempt to print c$dns$query at the wrong point in time then it's very possible that the field you're interested in isn't available yet.

> 2. In the event that I can't just use new_connection for everything and then filter my reporting from there, is there a generic "dns_reply" type of event or do I need to use dns_A_reply and dns_AAAA_reply and so on for all DNS replies?

Ah! This makes your previous question make more sense. If you try to print c$dns$query in new_connection, it's never going to have anything in it because no query or responses have been seen yet (technically one would have been seen since there's no connection set-up phase with UDP but we'll ignore that for now). With DNS, you can't use the connection_state_remove event either because you frequently see a lot of requests and responses on a single UDP "connection".

> 3. If I end up running with the various DNS reply events *and* the new_connection event in order to capture "everything else," is there a built-in way to only execute one event response when multiple events are triggered?
> For example, if I get a DNS A reply, that'll trigger the dns_A_reply event as well as the new_connection event. I'd like to only handle that traffic in the dns_A_reply event and not bother executing the new_connection event. Short of setting up some sort of global "Has already been handled" flag, is there a built-in way to run an event ONLY IF no other events were triggered?

If you're just looking to look at the logs as they're being written you can use the logging event. Here's the prototype you'd want to handle...

event DNS::log_dns(log: DNS::Info)
	{
	# Your code here!
	}

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From philosnef at gmail.com Tue Sep 27 07:05:58 2016
From: philosnef at gmail.com (erik clark)
Date: Tue, 27 Sep 2016 10:05:58 -0400
Subject: [Bro] Newbie at bro, some questions
Message-ID:

Just point a free scan engine like Nessus at a site running a web server and run tcpdump locally on that box, or just have bro listen off a tap port that the web server runs through. I am really not understanding why pcap files are referred to as traces, since it's just pcap. Anyway, just run tcpdump on your webserver, point Metasploit or Nessus at it, and then read that traffic into bro elsewhere.

From vladg at illinois.edu Tue Sep 27 07:55:01 2016
From: vladg at illinois.edu (Vlad Grigorescu)
Date: Tue, 27 Sep 2016 09:55:01 -0500
Subject: [Bro] Fox-IT smb-ransomware bro script
In-Reply-To:
References:
Message-ID:

What version of Bro are you running? This would only work on the Bro 2.5 beta, or if you're using the SMB branch.

erik clark writes:
> Has anyone had any success with Fox-ITs smb-ransomware script?
From philosnef at gmail.com Tue Sep 27 07:56:55 2016
From: philosnef at gmail.com (erik clark)
Date: Tue, 27 Sep 2016 10:56:55 -0400
Subject: [Bro] Fox-IT smb-ransomware bro script
In-Reply-To:
References:
Message-ID:

2.5. I know smb is working, as I am getting smb_files and ntlm logs.

On Tue, Sep 27, 2016 at 10:55 AM, Vlad Grigorescu wrote:
> What version of Bro are you running. This would only work on the Bro 2.5
> beta, or if you're using the SMB branch.
From philosnef at gmail.com Tue Sep 27 08:09:45 2016
From: philosnef at gmail.com (erik clark)
Date: Tue, 27 Sep 2016 11:09:45 -0400
Subject: [Bro] Fox-IT smb-ransomware bro script
In-Reply-To:
References:
Message-ID:

Aha! Line 2 says:

@load base/protocols/smb

I added

@load policy/protocols/smb

and it worked. Any idea why my smb stuff is in policy/protocols and not base/protocols?

On Tue, Sep 27, 2016 at 10:56 AM, erik clark wrote:
> 2.5. I know smb is working, as I am getting smb_files and ntlm logs.
From liam.randall at gmail.com Tue Sep 27 08:22:27 2016
From: liam.randall at gmail.com (Liam Randall)
Date: Tue, 27 Sep 2016 11:22:27 -0400
Subject: [Bro] Fox-IT smb-ransomware bro script
In-Reply-To:
References:
Message-ID:

base is loaded by default

policy needs to be loaded as a matter of your organization's policy

On Tue, Sep 27, 2016 at 11:09 AM, erik clark wrote:
> Aha! Line 2 says:
>
> @load base/protocols/smb
>
> I added
>
> @load policy/protocols/smb
>
> and it worked. Any idea why my smb stuff is in policy/protocols and not
> base/protocols?
From seth at icir.org Tue Sep 27 11:18:54 2016
From: seth at icir.org (Seth Hall)
Date: Tue, 27 Sep 2016 14:18:54 -0400
Subject: [Bro] Fox-IT smb-ransomware bro script
In-Reply-To:
References:
Message-ID:

> On Sep 27, 2016, at 11:09 AM, erik clark wrote:
>
> and it worked. Any idea why my smb stuff is in policy/protocols and not base/protocols?

We decided to place the code that enables the SMB analyzer into policy/protocols for the 2.5 release because it's a lot of code and we *believe* that it should work well, but we didn't feel comfortable turning it on by default like the other analyzers because of the amount of new code. I feel pretty confident that we will be moving it to base for the 2.6 release, but it is what it is for now.
:)

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From franky.meier.1 at gmx.de Wed Sep 28 01:46:36 2016
From: franky.meier.1 at gmx.de (Frank Meier)
Date: Wed, 28 Sep 2016 10:46:36 +0200
Subject: [Bro] problem with bro json log format
In-Reply-To: <7D7DECA5-3416-4524-AD8F-178AD260998E@illinois.edu>
References: <7D7DECA5-3416-4524-AD8F-178AD260998E@illinois.edu>
Message-ID: <20160928104636.677a2fb5@NB181106>

Hi,

On Mon, 26 Sep 2016 13:51:37 +0000 "Azoff, Justin S" wrote:
> > On Sep 26, 2016, at 9:47 AM, erik clark wrote:
> >
> > So, I am not sure what's going on, but when I do:
> >
> > python -m json.tool < $somelog
> >
> > I get
> >
> > Extra data: line 2 column 1 - line 3 column 1 (char 507 - 1011)
>
> json.tool tries to read the entire log file as a single json record
> when it consists of one json record per line.
>
> Use jq instead: https://stedolan.github.io/jq/

I would propose an alternative sticking to base python:

import json
with open('conn.log') as conn:
    for line in conn:
        print(json.loads(line))

or bash:

for line in $(cat conn.log); do echo $line | python -m json.tool; done

Franky

From lvrfrc87 at gmail.com Wed Sep 28 04:05:39 2016
From: lvrfrc87 at gmail.com (Federico Olivieri)
Date: Wed, 28 Sep 2016 12:05:39 +0100
Subject: [Bro] broctl status peers 0 / critical stack is running?
In-Reply-To: <57e94309.4743370a.2fcb0.c866@mx.google.com>
References: <0d5ec122-6570-43ad-9f84-e67102a6e9ab@gmail.com> <96c519fb-b79e-acbd-afb9-77ee06072963@gmail.com> <57e94309.4743370a.2fcb0.c866@mx.google.com>
Message-ID:

Thanks to everyone for the answers.
So, the files are there:

root at raspberrypi:/opt/critical-stack/frameworks/intel# tail master-public.bro.dat
[tail output omitted: ten Intel::ADDR / Intel::DOMAIN indicator lines]

root at raspberrypi:/opt/critical-stack/frameworks/intel# more __load__.bro
@load ./feeds.bro

root at raspberrypi:/opt/critical-stack/frameworks/intel# more feeds.bro
@load base/frameworks/intel
@load frameworks/intel/seen
@load frameworks/intel/do_notice

redef Intel::read_files += { "/opt/critical-stack/frameworks/intel/master-public.bro.dat" };

Then, I have the files under these directories (slightly different from what you suggested but it should be good anyway):

/opt/bro/share/bro/base/frameworks/intel
/opt/bro/share/bro/base/frameworks/intel/cluster.bro
/opt/bro/share/bro/base/frameworks/intel/input.bro
/opt/bro/share/bro/base/frameworks/intel/__load__.bro
/opt/bro/share/bro/base/frameworks/intel/main.bro
/opt/bro/share/bro/policy/frameworks/intel
/opt/bro/share/bro/policy/frameworks/intel/do_notice.bro
/opt/bro/share/bro/policy/frameworks/intel/seen
/opt/bro/share/bro/policy/frameworks/intel/seen/conn-established.bro
/opt/bro/share/bro/policy/frameworks/intel/seen/dns.bro
/opt/bro/share/bro/policy/frameworks/intel/seen/file-hashes.bro
/opt/bro/share/bro/policy/frameworks/intel/seen/file-names.bro
/opt/bro/share/bro/policy/frameworks/intel/seen/http-headers.bro
/opt/bro/share/bro/policy/frameworks/intel/seen/http-url.bro
/opt/bro/share/bro/policy/frameworks/intel/seen/__load__.bro
/opt/bro/share/bro/policy/frameworks/intel/seen/pubkey-hashes.bro
/opt/bro/share/bro/policy/frameworks/intel/seen/smtp.bro
/opt/bro/share/bro/policy/frameworks/intel/seen/smtp-url-extraction.bro
/opt/bro/share/bro/policy/frameworks/intel/seen/ssl.bro
/opt/bro/share/bro/policy/frameworks/intel/seen/where-locations.bro
/opt/bro/share/bro/policy/frameworks/intel/seen/x509.bro
/opt/bro/share/bro/policy/integration/collective-intel
/opt/bro/share/bro/policy/integration/collective-intel/__load__.bro
/opt/bro/share/bro/policy/integration/collective-intel/main.bro

Can you please confirm if everything is right from your point of view? I have tried to use Tor as indicated from the guide but I couldn't see any intel.log file under the BRO directory.

Federico

2016-09-26 16:47 GMT+01:00 :
> I believe if it is working correctly you will find the file
> "master-public.bro.dat" inside the criticalstack install directory. The
> path to that file needs to be added to your __load__.bro in your
> /usr/local/bro/share/bro/intel/ directory. Then make sure you load the
> intel framework in your local.bro and you should be good to go.
>
> *From: *Gary Faulkner
> *Sent: *Sunday, September 25, 2016 1:22 PM
> *To: *Federico Olivieri
> *Cc: *bro at bro.org
> *Subject: *Re: [Bro] broctl status peers 0 / critical stack is running?
>
> I haven't set up Critical Stack before, but my understanding is that if
> set up correctly you should be seeing an intel.log file being generated.
> There is an article over at Taosecurity that includes a link to a Google
> Doc with better details than I can provide. Link below:
>
> http://taosecurity.blogspot.com/2015/01/try-critical-stack-intel-client.html
>
> ~Gary
>
> On 9/24/2016 3:02 AM, Federico Olivieri wrote:
> Thanks Gary for the info! Are you able to provide me info about my second
> question as well?
>
> 2-How can I check if critical-stack is "feeding" BRO?
>
> Federico
>
> 2016-09-23 17:30 GMT+01:00 Gary Faulkner :
> The peer column is for when you operate Bro in cluster mode. It will show
> how many workers are connected to the manager and proxies. Since you are in
> stand-alone mode, this will not show any peers.
>
> ~Gary
>
> On 9/23/2016 10:59 AM, Federico Olivieri wrote:
> Hi everybody,
>
> I'm new in BRO and first of all I would say... thank you for the great
> product developed! It is so good and well done! Easy to use! I love the
> integration with critical stack!
>
> I have managed to set up and run BRO on my raspi and everything is ok.
> Just a couple of questions:
>
> 1-Can someone explain to me the meaning of the Peer column?
>
> root at raspberrypi:~# broctl status
> Getting process status ...
> Getting peer status ...
> Name         Type         Host         Status    Pid    Peers  Started
> bro          standalone   localhost    running   6695   0      23 Sep 08:55:03
>
> 2-How can I check if critical-stack is "feeding" BRO?
>
> Thanks!
> Federico
From jazoff at illinois.edu Wed Sep 28 06:38:47 2016
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Wed, 28 Sep 2016 13:38:47 +0000
Subject: [Bro] problem with bro json log format
In-Reply-To: <20160928104636.677a2fb5@NB181106>
References: <7D7DECA5-3416-4524-AD8F-178AD260998E@illinois.edu> <20160928104636.677a2fb5@NB181106>
Message-ID: <87E6F062-C5B4-4C0D-8965-880F06F3D9E9@illinois.edu>

> On Sep 28, 2016, at 4:46 AM, Frank Meier wrote:
>
> I would propose an alternative sticking to base python:
>
> import json
> with open('conn.log') as conn:
>     for line in conn:
>         print(json.loads(line))

This would be closer to what jq does by default:

import json
import pprint
import sys

for line in sys.stdin:
    pprint.pprint(json.loads(line))

> or bash:
>
> for line in $(cat conn.log); do echo $line | python -m json.tool; done

$(cat conn.log) will try to expand to the entire contents of the conn log and blow up..

while IFS= read -r line; do echo "$line" | python -m json.tool; done < conn.log

would work, but since it runs python for each log line it won't be very fast :-)

--
- Justin Azoff

From philosnef at gmail.com Wed Sep 28 10:50:19 2016
From: philosnef at gmail.com (erik clark)
Date: Wed, 28 Sep 2016 13:50:19 -0400
Subject: [Bro] files.log
Message-ID:

98% of all entries in our files.log are null values. Is this to be expected?

From sebclaut at gmail.com Wed Sep 28 11:17:31 2016
From: sebclaut at gmail.com (clautos)
Date: Wed, 28 Sep 2016 20:17:31 +0200
Subject: [Bro] Newbie at bro, some questions
In-Reply-To:
References:
Message-ID:

Btw if you want to test your config add local after the bro -r tracefile. You can also use tcpreplay and send the pcap to your listening interface.
Bro does not work as a classic IDS that will send an alert. Bro, as far as I know, will log the connections and maybe send a notice if there is a script telling it to do so, but it's not a signature IDS like Snort.

2016-09-27 0:08 GMT+02:00 Yagyesh Srivastava :
From hovsep.sanjay.levi at gmail.com Wed Sep 28 11:48:33 2016
From: hovsep.sanjay.levi at gmail.com (Hovsep Levi)
Date: Wed, 28 Sep 2016 18:48:33 +0000
Subject: [Bro] cluster manager crash
In-Reply-To:
References:
Message-ID:

Bowen,

This is what I call an architecture limitation of Bro; it's well known but not really formally acknowledged, you can read the archives and perceive. If you use faster CPUs it will mask the problem by using less workers (in theory). I'm not sure where the ideal worker threshold is and its relation to events per second.

Some people avoid this issue by segmenting the cluster per server; you lose some functionality but at least your cluster runs without incident (mostly). Example: a four server bro cluster becomes four bro clusters, each running its own manager and writing to local disk. If you're just using Bro as a network recorder this is a fairly even trade off.

I've never had a day where Bro didn't crash due to memory exhaustion and have to perform full restarts once per hour to prevent manager crashes. The only way to fix it is to become a Bro developer. :>

Regards,
Hovsep

On Wed, Sep 7, 2016 at 1:44 PM, Bowen Li wrote:
> Hi all,
> I have an issue about cluster manager crash when lots of log events
> are sent to it.
> I set up a bro cluster on my server, the cluster has 32 workers and
> 1 proxy and handles about 5Gb/s. After running about one and a half hours, the
> cluster no longer produces logs, but workers still extract files. So it
> seems that the manager crashed.
> Is there any possibility that the manager doesn't work anymore when
> workers send lots of log events? If so, what's the limit of the log events?
> Or maybe the issue won't happen if I run a real cluster on several servers?
> By the way, if I want to handle 10Gb/s, how much memory should I leave
> for each worker?
> If I do memory usage restrictions, will it affect
> the performance of the cluster?
> Any insight would be helpful.

From asharma at lbl.gov Wed Sep 28 11:51:30 2016
From: asharma at lbl.gov (Aashish Sharma)
Date: Wed, 28 Sep 2016 11:51:30 -0700
Subject: [Bro] Newbie at bro, some questions
In-Reply-To:
References:
Message-ID: <20160928185130.GC4988@mac-4.local>

On Mon, Sep 26, 2016 at 06:08:36PM -0400, Yagyesh Srivastava wrote:
> That's great thanks.
> Could anyone please let me know, what if we want to test some attack
> traffic which is not mentioned in the traces.

You generate your own traces using tcpdump.

> How do we do that?

Use tcpdump to capture whatever traffic you want to try with bro. You might need to generate that kind of traffic. Check out tcpdump and wireshark.

> Do we have some more traces present which don't come to bro directory by
> default?

You can Google for traces/pcaps.

> Because I feel SQL Injection and HTTP brute force are common attack traffic
> and should ideally be present in the traces.

Ideally! Maybe you can generate those and contribute back to the community.

Thanks,
Aashish

> Regards
>
> On Sep 26, 2016 4:17 PM, "Dane Wullen" wrote:
From jazoff at illinois.edu Wed Sep 28 12:04:35 2016
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Wed, 28 Sep 2016 19:04:35 +0000
Subject: [Bro] cluster manager crash
In-Reply-To:
References:
Message-ID: <475F7121-F31E-4687-8CAC-339539A55A92@illinois.edu>

> On Sep 28, 2016, at 2:48 PM, Hovsep Levi wrote:
>
> I've never had a day where Bro didn't crash due to memory exhaustion and have to perform full restarts once per hour to prevent manager crashes. The only way to fix it is to become a Bro developer. :>

This is not normal, but is probably due to sumstats having issues in your environment. If you comment out these 2 lines from local.bro does everything run better?

# @load misc/scan
# @load misc/detect-traceroute

--
- Justin Azoff

From hovsep.sanjay.levi at gmail.com Wed Sep 28 12:27:14 2016
From: hovsep.sanjay.levi at gmail.com (Hovsep Levi)
Date: Wed, 28 Sep 2016 19:27:14 +0000
Subject: [Bro] cluster manager crash
In-Reply-To: <475F7121-F31E-4687-8CAC-339539A55A92@illinois.edu>
References: <475F7121-F31E-4687-8CAC-339539A55A92@illinois.edu>
Message-ID:

On Wed, Sep 28, 2016 at 7:04 PM, Azoff, Justin S wrote:
> If you comment out these 2 lines from local.bro does everything run better?
> > # @load misc/scan > # @load misc/detect-traceroute > > I will try, thanks for the suggestion. Also looking forward to the 2.5 logger node option. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160928/b96eeab2/attachment.html From dnj0496 at gmail.com Wed Sep 28 12:36:13 2016 From: dnj0496 at gmail.com (Dk Jack) Date: Wed, 28 Sep 2016 12:36:13 -0700 Subject: [Bro] load balancing question. Message-ID: Hi, Does bro handle the case where I am sniffing from two interfaces I1 and I2, and I1 sees the client side traffic and I2 sees the server side traffic? If this is supported, does the scenario of more than two interfaces also work? Thanks. Dk. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160928/2e9735b2/attachment.html From jlay at slave-tothe-box.net Wed Sep 28 12:51:17 2016 From: jlay at slave-tothe-box.net (James Lay) Date: Wed, 28 Sep 2016 13:51:17 -0600 Subject: [Bro] Quick question on conn tracking Message-ID: <08a4bcde84447741decca463ffd2cd50@localhost> Hey all, So I'm getting bro and elasticsearch going, with one of the goals of finding flows with no service field. That being said I am seeing that long session, at least I THINK that's what I'm seeing, appear to be counted twice. From conn.log: 2016-09-28T12:29:39-0600 192.168.1.101 44083 31.13.76.101 443 tcp ssl 0.214346 460 170 S1 T F 0 ShADad 8 884 7 542 (empty) - 2016-09-28T12:44:39-0600 192.168.1.101 44083 31.13.76.101 443 tcp - 0.016678 31 0 RSTRH T F 0 fDrAr 2 135 3 132 (empty) - I captured the data and I'm enclosing the pcap. Basically, ssl connection is established at 12:29:39 and is open until Facebook gets annoyed and FIN-ACK's the session at 12:44:39 (now we know they time out at exactly 15 minutes). However why does that show as entries as above? Thanks for any insight.
James -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/octet-stream Size: 3408 bytes Desc: not available Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160928/b74ae04c/attachment.obj From daniel.guerra69 at gmail.com Wed Sep 28 15:25:52 2016 From: daniel.guerra69 at gmail.com (Daniel Guerra) Date: Thu, 29 Sep 2016 00:25:52 +0200 Subject: [Bro] Quick question on conn tracking In-Reply-To: <08a4bcde84447741decca463ffd2cd50@localhost> References: <08a4bcde84447741decca463ffd2cd50@localhost> Message-ID: <51EF229D-D9DC-477E-99F1-81D36E01CBB5@gmail.com> I get the same in elasticsearch. But it's got nothing to do with it. Bro seems to split the socket because of the time in between the activity. You can avoid this by longer timeouts. It would be better to create a script that keeps track of all ssl connections in memory/broker. I had to convert your dump to tcpdump in order to read it in bro (git) > On 28 Sep 2016, at 21:51, James Lay wrote: > > Hey all, > > So I'm getting bro and elasticsearch going, with one of the goals of finding flows with no service field. That being said I am seeing that long session, at least I THINK that's what I'm seeing, appear to be counted twice. From conn.log: > > 2016-09-28T12:29:39-0600 192.168.1.101 44083 31.13.76.101 443 tcp ssl 0.214346 460 170 S1 T F 0 ShADad 8 884 7 542 (empty) - > > 2016-09-28T12:44:39-0600 192.168.1.101 44083 31.13.76.101 443 tcp - 0.016678 31 0 RSTRH T F 0 fDrAr 2 135 3 132 (empty) - > > I captured the data and I'm enclosing the pcap. Basically, ssl connection is established at 12:29:39 and is open until Facebook gets annoyed and FIN-ACK's the session at 12:44:39 (now we know they time out at exactly 15 minutes). However why does that show as entries as above? Thanks for any insight.
> > James <192.168.1.101.pcapng> _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro From jlay at slave-tothe-box.net Wed Sep 28 15:28:46 2016 From: jlay at slave-tothe-box.net (James Lay) Date: Wed, 28 Sep 2016 16:28:46 -0600 Subject: [Bro] Quick question on conn tracking In-Reply-To: <51EF229D-D9DC-477E-99F1-81D36E01CBB5@gmail.com> References: <08a4bcde84447741decca463ffd2cd50@localhost> <51EF229D-D9DC-477E-99F1-81D36E01CBB5@gmail.com> Message-ID: <60c09d9bb5cfb9a16804917a1152b9b1@localhost> On 2016-09-28 16:25, Daniel Guerra wrote: > I get the same in elasticsearch. > But it's got nothing to do with it. > > Bro seems to split the socket because > of the time in between the activity. > > You can avoid this by longer timeouts. > > It would be better to create a script that > keeps track of all ssl connections in > memory/broker. > > I had to convert your dump to tcpdump > in order to read it in bro (git) > > >> On 28 Sep 2016, at 21:51, James Lay wrote: >> >> Hey all, >> >> So I'm getting bro and elasticsearch going, with one of the goals of >> finding flows with no service field. That being said I am seeing that >> long session, at least I THINK that's what I'm seeing, appear to be >> counted twice. From conn.log: >> >> 2016-09-28T12:29:39-0600 192.168.1.101 44083 31.13.76.101 443 >> tcp ssl 0.214346 460 170 S1 T F >> 0 ShADad 8 884 7 542 (empty) - >> >> 2016-09-28T12:44:39-0600 192.168.1.101 44083 31.13.76.101 443 >> tcp - 0.016678 31 0 RSTRH T F >> 0 fDrAr 2 135 3 132 (empty) - >> >> I captured the data and I'm enclosing the pcap. Basically, ssl >> connection is established at 12:29:39 and is open until Facebook gets >> annoyed and FIN-ACK's the session at 12:44:39 (now we know they time >> out at exactly 15 minutes). However why does that show as entries as >> above? Thanks for any insight. >> >> James Thanks Daniel. Is there a way to tell bro to have a longer timeout?
Thank you. James From daniel.guerra69 at gmail.com Wed Sep 28 15:40:35 2016 From: daniel.guerra69 at gmail.com (Daniel Guerra) Date: Thu, 29 Sep 2016 00:40:35 +0200 Subject: [Bro] Quick question on conn tracking In-Reply-To: <60c09d9bb5cfb9a16804917a1152b9b1@localhost> References: <08a4bcde84447741decca463ffd2cd50@localhost> <51EF229D-D9DC-477E-99F1-81D36E01CBB5@gmail.com> <60c09d9bb5cfb9a16804917a1152b9b1@localhost> Message-ID: /usr/local/bro/share/bro/base/init-bare.bro ## If a TCP connection is inactive, time it out after this interval. If 0 secs, ## then don't time it out. ## ## .. bro:see:: udp_inactivity_timeout icmp_inactivity_timeout set_inactivity_timeout const tcp_inactivity_timeout = 5 min &redef; ## If a UDP flow is inactive, time it out after this interval. If 0 secs, then ## don't time it out. ## ## .. bro:see:: tcp_inactivity_timeout icmp_inactivity_timeout set_inactivity_timeout const udp_inactivity_timeout = 1 min &redef; ## If an ICMP flow is inactive, time it out after this interval. If 0 secs, then ## don't time it out. ## ## .. bro:see:: tcp_inactivity_timeout udp_inactivity_timeout set_inactivity_timeout const icmp_inactivity_timeout = 1 min &redef; > On 29 Sep 2016, at 00:28, James Lay wrote: > > On 2016-09-28 16:25, Daniel Guerra wrote: >> I get the same in elasticsearch. >> But it's got nothing to do with it. >> >> Bro seems to split the socket because >> of the time in between the activity. >> >> You can avoid this by longer timeouts. >> >> It would be better to create a script that >> keeps track of all ssl connections in >> memory/broker. >> >> I had to convert your dump to tcpdump >> in order to read it in bro (git) >> >> >>> On 28 Sep 2016, at 21:51, James Lay wrote: >>> >>> Hey all, >>> >>> So I'm getting bro and elasticsearch going, with one of the goals of >>> finding flows with no service field. That being said I am seeing that >>> long session, at least I THINK that's what I'm seeing, appear to be >>> counted twice.
From conn.log: >>> >>> 2016-09-28T12:29:39-0600 192.168.1.101 44083 31.13.76.101 443 >>> tcp ssl 0.214346 460 170 S1 T F >>> 0 ShADad 8 884 7 542 (empty) - >>> >>> 2016-09-28T12:44:39-0600 192.168.1.101 44083 31.13.76.101 443 >>> tcp - 0.016678 31 0 RSTRH T F >>> 0 fDrAr 2 135 3 132 (empty) - >>> >>> I captured the data and I'm enclosing the pcap. Basically, ssl >>> connection is established at 12:29:39 and is open until Facebook gets >>> annoyed and FIN-ACK's the session at 12:44:39 (now we know they time >>> out at exactly 15 minutes). However why does that show as entries as >>> above? Thanks for any insight. >>> >>> James > > Thanks Daniel. Is there a way to tell bro to have a longer timeout? > Thank you. > > James > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro From jlay at slave-tothe-box.net Wed Sep 28 15:43:31 2016 From: jlay at slave-tothe-box.net (James Lay) Date: Wed, 28 Sep 2016 16:43:31 -0600 Subject: [Bro] Quick question on conn tracking In-Reply-To: References: <08a4bcde84447741decca463ffd2cd50@localhost> <51EF229D-D9DC-477E-99F1-81D36E01CBB5@gmail.com> <60c09d9bb5cfb9a16804917a1152b9b1@localhost> Message-ID: On 2016-09-28 16:40, Daniel Guerra wrote: > /usr/local/bro/share/bro/base/init-bare.bro > > ## If a TCP connection is inactive, time it out after this interval. > If 0 secs, > > ## then don't time it out. > > > ## > > > ## .. bro:see:: udp_inactivity_timeout icmp_inactivity_timeout > set_inactivity_timeout > > const tcp_inactivity_timeout = 5 min &redef; > > > > > > ## If a UDP flow is inactive, time it out after this interval. If 0 > secs, then > > ## don't time it out. > > > ## > > > ## .. bro:see:: tcp_inactivity_timeout icmp_inactivity_timeout > set_inactivity_timeout > > const udp_inactivity_timeout = 1 min &redef; > > > > > > ## If an ICMP flow is inactive, time it out after this interval. If 0 > secs, then > > ## don't time it out.
> > > ## > > > ## .. bro:see:: tcp_inactivity_timeout udp_inactivity_timeout > set_inactivity_timeout > > const icmp_inactivity_timeout = 1 min &redef; > >> On 29 Sep 2016, at 00:28, James Lay wrote: >> >> On 2016-09-28 16:25, Daniel Guerra wrote: >>> I get the same in elasticsearch. >>> But it's got nothing to do with it. >>> >>> Bro seems to split the socket because >>> of the time in between the activity. >>> >>> You can avoid this by longer timeouts. >>> >>> It would be better to create a script that >>> keeps track of all ssl connections in >>> memory/broker. >>> >>> I had to convert your dump to tcpdump >>> in order to read it in bro (git) >>> >>> >>>> On 28 Sep 2016, at 21:51, James Lay >>>> wrote: >>>> >>>> Hey all, >>>> >>>> So I'm getting bro and elasticsearch going, with one of the goals of >>>> finding flows with no service field. That being said I am seeing >>>> that >>>> long session, at least I THINK that's what I'm seeing, appear to be >>>> counted twice. From conn.log: >>>> >>>> 2016-09-28T12:29:39-0600 192.168.1.101 44083 31.13.76.101 >>>> 443 >>>> tcp ssl 0.214346 460 170 S1 T F >>>> 0 ShADad 8 884 7 542 (empty) - >>>> >>>> 2016-09-28T12:44:39-0600 192.168.1.101 44083 31.13.76.101 >>>> 443 >>>> tcp - 0.016678 31 0 RSTRH T F >>>> 0 fDrAr 2 135 3 132 (empty) - >>>> >>>> I captured the data and I'm enclosing the pcap. Basically, ssl >>>> connection is established at 12:29:39 and is open until Facebook >>>> gets >>>> annoyed and FIN-ACK's the session at 12:44:39 (now we know they time >>>> out at exactly 15 minutes). However why does that show as entries >>>> as >>>> above? Thanks for any insight. >>>> >>>> James >> >> Thanks Daniel. Is there a way to tell bro to have a longer timeout? >> Thank you. >> >> James >> _______________________________________________ >> Bro mailing list >> bro at bro-ids.org >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro Beautiful, thank you... bet I need to redef these and stick it in my local.bro.
Thanks again..helps me make this more awesome :) James From philosnef at gmail.com Wed Sep 28 16:22:08 2016 From: philosnef at gmail.com (erik clark) Date: Wed, 28 Sep 2016 19:22:08 -0400 Subject: [Bro] load balancing question. Message-ID: Bond the interfaces and you will have no problem. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160928/0ebc0359/attachment.html From seth at icir.org Wed Sep 28 19:16:50 2016 From: seth at icir.org (Seth Hall) Date: Wed, 28 Sep 2016 22:16:50 -0400 Subject: [Bro] files.log In-Reply-To: References: Message-ID: > On Sep 28, 2016, at 1:50 PM, erik clark wrote: > > 98% of all entries in our files.log are null values. Is this to be expected? What analyzers are the files coming from? .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro.org/ From seth at icir.org Wed Sep 28 19:25:59 2016 From: seth at icir.org (Seth Hall) Date: Wed, 28 Sep 2016 22:25:59 -0400 Subject: [Bro] cluster manager crash In-Reply-To: References: Message-ID: <2EB136FF-4362-4607-95D7-B8EA1D6057F4@icir.org> > On Sep 28, 2016, at 2:48 PM, Hovsep Levi wrote: > > I've never had a day where Bro didn't crash due to memory exhaustion and have to perform full restarts once per hour to prevent manager crashes. The only way to fix it is to become a Bro developer. :> Unfortunately in some environments this is currently true. We are actively working on addressing these issues on multiple fronts though. We're hoping that these troubles can be eradicated for more and more people over time. The logger node as you commented in a follow up is one of those approaches, but we are still working on replacing the built in communication mechanism with Broker which will hopefully have some positive effects on stability (go Matthias!) 
and Justin is investigating SumStats and some scripts that have particularly negative effects to see what changes need to be made to make them scale horizontally better. We have also extended the misc/stats.bro information in 2.5 and we will likely continue extending it in 2.6 to provide more information about what Bro is doing at runtime to help understand its behavior better. Stability problems are definitely something we're concerned about as much as you are. :) .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro.org/ From seth at icir.org Wed Sep 28 19:29:16 2016 From: seth at icir.org (Seth Hall) Date: Wed, 28 Sep 2016 22:29:16 -0400 Subject: [Bro] Quick question on conn tracking In-Reply-To: <08a4bcde84447741decca463ffd2cd50@localhost> References: <08a4bcde84447741decca463ffd2cd50@localhost> Message-ID: > On Sep 28, 2016, at 3:51 PM, James Lay wrote: > > 2016-09-28T12:29:39-0600 192.168.1.101 44083 31.13.76.101 443 tcp ssl 0.214346 460 170 S1 T F 0 ShADad 8 884 7 542 (empty) - > > 2016-09-28T12:44:39-0600 192.168.1.101 44083 31.13.76.101 443 tcp - 0.016678 31 0 RSTRH T F 0 fDrAr 2 135 3 132 (empty) - Wow, you're actually seeing 15 minute where there are no packets seen in the connection? I'm surprised that Facebook has such a long timeout on their frontend web servers. I would expect that a timeout that long would actually cause quite a few middle boxes quite a bit of consternation as well. :) .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro.org/ From philosnef at gmail.com Thu Sep 29 04:22:49 2016 From: philosnef at gmail.com (erik clark) Date: Thu, 29 Sep 2016 07:22:49 -0400 Subject: [Bro] files.log In-Reply-To: References: Message-ID: According to splunk/files.log, these list "pe_xor, md5, sha1,sha256" in the analyzer section. It's actually a lot more than that, and slight variations.
Generally speaking, almost every entry is a variant of those 4 analyzers. Could this be an issue with the pe_xor module? Moreover, files that we have filenames for (f.txt from google for instance) have the same analyzers running as well. On Wed, Sep 28, 2016 at 10:16 PM, Seth Hall wrote: > > > On Sep 28, 2016, at 1:50 PM, erik clark wrote: > > > > 98% of all entries in our files.log are null values. Is this to be > expected? > > What analyzers are the files coming from? > > .Seth > > -- > Seth Hall > International Computer Science Institute > (Bro) because everyone has a network > http://www.bro.org/ > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160929/71c7aca7/attachment.html From philosnef at gmail.com Thu Sep 29 04:33:26 2016 From: philosnef at gmail.com (erik clark) Date: Thu, 29 Sep 2016 07:33:26 -0400 Subject: [Bro] files.log In-Reply-To: References: Message-ID: As an aside, even after disabling pe_xor (out of curiosity), we are still not seeing the filenames. Out of 74,000 files.log entries, only 620 have filenames. Of those, 99.52% of them are f.txt filenames (from google).... On Thu, Sep 29, 2016 at 7:22 AM, erik clark wrote: > According to splunk/files.log, these list "pe_xor, md5, sha1,sha256" in > the analyzer section. It's actually a lot more than that, and slight > variations. Generally speaking, almost every entry is a variant of those 4 > analyzers. Could this be an issue with the pe_xor module? Moreover, files > that we have filenames for (f.txt from google for instance) have the same > analyzers running as well. > > On Wed, Sep 28, 2016 at 10:16 PM, Seth Hall wrote: > >> >> > On Sep 28, 2016, at 1:50 PM, erik clark wrote: >> > >> > 98% of all entries in our files.log are null values. Is this to be >> expected? >> >> What analyzers are the files coming from?
>> >> .Seth >> >> -- >> Seth Hall >> International Computer Science Institute >> (Bro) because everyone has a network >> http://www.bro.org/ >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160929/c4223178/attachment-0001.html From philosnef at gmail.com Thu Sep 29 04:42:47 2016 From: philosnef at gmail.com (erik clark) Date: Thu, 29 Sep 2016 07:42:47 -0400 Subject: [Bro] files.log In-Reply-To: References: Message-ID: Sorry, last post. Found http://mailman.icsi.berkeley.edu/pipermail/bro/2014-April/006893.html. This is in line with what I was discovering from my files.log. I will see if I can expand the framework to do correlation to get this info. On Thu, Sep 29, 2016 at 7:33 AM, erik clark wrote: > As an aside, even after disabling pe_xor (out of curiosity), we are still > not seeing the filenames. Out of 74,000 files.log entries, only 620 have > filenames. Of those, 99.52% of them are f.txt filenames (from google).... > > On Thu, Sep 29, 2016 at 7:22 AM, erik clark wrote: > >> According to splunk/files.log, these list "pe_xor, md5, sha1,sha256" in >> the analyzer section. It's actually a lot more than that, and slight >> variations. Generally speaking, almost every entry is a variant of those 4 >> analyzers. Could this be an issue with the pe_xor module? Moreover, files >> that we have filenames for (f.txt from google for instance) have the same >> analyzers running as well. >> >> On Wed, Sep 28, 2016 at 10:16 PM, Seth Hall wrote: >> >>> >>> > On Sep 28, 2016, at 1:50 PM, erik clark wrote: >>> > >>> > 98% of all entries in our files.log are null values. Is this to be >>> expected? >>> >>> What analyzers are the files coming from? >>> >>> .Seth >>> >>> -- >>> Seth Hall >>> International Computer Science Institute >>> (Bro) because everyone has a network >>> http://www.bro.org/ >>> >>> >> > -------------- next part -------------- An HTML attachment was scrubbed...
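[Editor's note, not part of the list archive.] Two threads above ask for post-processing that Bro itself does not do: the "Quick question on conn tracking" thread (one idle TLS session logged as two conn.log records, the second with no service), and the files.log thread (the filename field empty for almost every file, with Seth pointing at deriving names from URLs). Both need the same thing first, a reader for Bro's tab-separated logs that honours the #fields, #unset_field and #empty_field header lines, so one added example covers both. This is example code written for this page, not code from any list participant or from the Bro project. It assumes the Bro 2.4/2.5 default column names (conn.log history/duration/service, files.log fuid/filename, http.log uri/resp_fuids) and embeds constructed log excerpts: trimmed #fields headers, made-up uids and fuids, and the two conn.log records from James's post rewritten with epoch timestamps.

```python
"""Added example, not code from this list or the Bro project: a reader for
Bro's tab-separated ASCII logs plus two post-processing steps from the
threads above: re-joining conn.log records that Bro split when
tcp_inactivity_timeout expired mid-session, and filling an empty files.log
filename from the http.log URI that delivered the file (joined via
resp_fuids). Field names are Bro 2.4/2.5 defaults; the log excerpts are
constructed for this example (trimmed #fields headers, made-up uids)."""
import os
from urllib.parse import urlsplit

HEADER = ["#separator \\x09", "#set_separator\t,", "#empty_field\t(empty)",
          "#unset_field\t-"]
CONN_LOG = "\n".join(HEADER + [
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig"
    "\tlocal_resp\tmissed_bytes\thistory\torig_pkts\torig_ip_bytes"
    "\tresp_pkts\tresp_ip_bytes\ttunnel_parents",
    # the TLS session from the thread: idle for 15 min, so Bro logged it twice
    "1475087379.000000\tCa1\t192.168.1.101\t44083\t31.13.76.101\t443\ttcp"
    "\tssl\t0.214346\t460\t170\tS1\tT\tF\t0\tShADad\t8\t884\t7\t542\t(empty)",
    "1475088279.000000\tCa2\t192.168.1.101\t44083\t31.13.76.101\t443\ttcp"
    "\t-\t0.016678\t31\t0\tRSTRH\tT\tF\t0\tfDrAr\t2\t135\t3\t132\t(empty)",
    "1475087400.000000\tCb1\t192.168.1.101\t50000\t93.184.216.34\t80\ttcp"
    "\thttp\t1.500000\t300\t5000\tSF\tT\tF\t0\tShADadFf\t6\t700\t8\t5400\t(empty)",
])
HTTP_LOG = "\n".join(HEADER + [
    "#fields\tts\tuid\tmethod\thost\turi\tresp_fuids\tresp_mime_types",
    "1475087400.100000\tCb1\tGET\texample.com\t/downloads/setup.exe?id=7\tFa1"
    "\tapplication/x-dosexec",
    "1475087401.000000\tCb1\tGET\texample.com\t/\tFa2\ttext/html",
])
FILES_LOG = "\n".join(HEADER + [
    "#fields\tts\tfuid\tconn_uids\tsource\tmime_type\tfilename\tmd5",
    "1475087400.100000\tFa1\tCb1\tHTTP\tapplication/x-dosexec\t-\t-",
    "1475087401.000000\tFa2\tCb1\tHTTP\ttext/html\t-\t-",
    "1475087403.000000\tFa4\tCb3\tHTTP\ttext/plain\tf.txt\t-",
])

def read_bro_log(text):
    """Parse a Bro ASCII log into dicts keyed by its #fields header; the
    #unset_field marker becomes None and #empty_field becomes ""."""
    fields, meta, rows = None, {"unset_field": "-", "empty_field": "(empty)"}, []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            key, _, val = line[1:].partition("\t")
            if key == "fields":
                fields = val.split("\t")
            elif key in meta:
                meta[key] = val
            continue
        vals = line.split("\t")
        if fields is None or len(vals) != len(fields):
            raise ValueError("malformed log line: %r" % line)
        rows.append({k: None if v == meta["unset_field"] else
                     ("" if v == meta["empty_field"] else v)
                     for k, v in zip(fields, vals)})
    return rows

def stitch_split_connections(conn_rows, max_gap=3600.0):
    """Merge conn.log records of one T session that Bro split at its
    inactivity timeout: same 4-tuple, later record starts after the earlier
    one ended (within max_gap seconds) and never saw a SYN. The merged row
    keeps the first uid and service, sums bytes/packets, joins history."""
    by_tuple, merged = {}, []
    for r in sorted(conn_rows, key=lambda r: float(r["ts"])):
        key = (r["id.orig_h"], r["id.orig_p"], r["id.resp_h"], r["id.resp_p"], r["proto"])
        by_tuple.setdefault(key, []).append(r)
    for rows in by_tuple.values():
        cur = dict(rows[0], segments=1)
        for r in rows[1:]:
            hist = r["history"] or ""
            gap = float(r["ts"]) - float(cur["ts"]) - float(cur["duration"] or 0)
            if r["proto"] == "tcp" and "S" not in hist.upper() and 0 <= gap <= max_gap:
                end = float(r["ts"]) + float(r["duration"] or 0)
                cur["duration"] = "%.6f" % (end - float(cur["ts"]))
                for f in ("orig_bytes", "resp_bytes", "orig_pkts", "resp_pkts"):
                    cur[f] = str(int(cur[f] or 0) + int(r[f] or 0))
                cur["history"] = (cur["history"] or "") + hist
                cur["conn_state"] = r["conn_state"]
                cur["segments"] += 1
            else:
                merged.append(cur)
                cur = dict(r, segments=1)
        merged.append(cur)
    return merged

def guess_filenames(files_rows, http_rows):
    """Fill files.log rows lacking a filename with the last path component
    of the http.log URI that delivered the file; returns {fuid: filename}
    for the rows changed. A URI ending in "/" yields nothing, so that row
    stays unset rather than getting a wrong name."""
    uri_by_fuid = {}
    for h in http_rows:
        for fuid in (h["resp_fuids"] or "").split(","):
            if fuid:
                uri_by_fuid[fuid] = h["uri"] or ""
    guessed = {}
    for f in files_rows:
        if f["filename"] or f["fuid"] not in uri_by_fuid:
            continue
        name = os.path.basename(urlsplit(uri_by_fuid[f["fuid"]]).path)
        if name:
            f["filename"] = guessed[f["fuid"]] = name
    return guessed
```

Run against the embedded excerpts, stitch_split_connections() collapses the two Facebook records into one row with service "ssl", history "ShADadfDrAr" and a duration of about 900 s, which is the answer to "flows with no service field" when the cause is the inactivity timeout rather than a genuinely unidentified protocol; raising tcp_inactivity_timeout as Daniel suggests avoids the split at the cost of memory for idle state. guess_filenames() names only the setup.exe download; the request for "/" is left alone, which is why a heuristic like this belongs in post-processing or a package rather than in the default files.log.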
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160929/d6b0d817/attachment.html From seth at icir.org Thu Sep 29 05:37:04 2016 From: seth at icir.org (Seth Hall) Date: Thu, 29 Sep 2016 08:37:04 -0400 Subject: [Bro] files.log In-Reply-To: References: Message-ID: > On Sep 29, 2016, at 7:42 AM, erik clark wrote: > > Sorry, last post. Found http://mailman.icsi.berkeley.edu/pipermail/bro/2014-April/006893.html. This is in line with what I was discovering from my files.log. I will see if I can expand the framework to do correlation to get this info. Ohh... I see now. You didn't specify that it was the filename field that was null. Unfortunately I think that the current behavior is best as the default behavior. I suspect that at some point we'll see a package show up in the Bro package manager which adds some heuristically driven filenames (i.e. pulling "filenames" from URLs). .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro.org/ From philosnef at gmail.com Thu Sep 29 05:50:03 2016 From: philosnef at gmail.com (erik clark) Date: Thu, 29 Sep 2016 08:50:03 -0400 Subject: [Bro] misc-stats question Message-ID: In misc-stats, we have a field in stats.log labeled "plt_lag". What exactly is this measuring? Also, in a reasonable deployment, what should we see as far as events_queued? Should this be close to zero? I am seeing a packet lag of 2.0-2.5, and several million events queued. -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160929/473d8e7e/attachment.html From seth at icir.org Thu Sep 29 05:52:55 2016 From: seth at icir.org (Seth Hall) Date: Thu, 29 Sep 2016 08:52:55 -0400 Subject: [Bro] Newbie at bro, some questions In-Reply-To: References: Message-ID: > On Sep 26, 2016, at 6:08 PM, Yagyesh Srivastava wrote: > > Could anyone please let me know, what if we want to test some attack traffic which is not mentioned in the traces. > How do we do that? > Do we have some more traces present which don't come to bro directory by default? > Because I feel SQL Injection and HTTP brute force are common attack traffic and should ideally be present in the traces. Unfortunately, getting representative test traffic is frequently very difficult. For the SQL injection script specifically it would be nearly impossible to have a trace that has all of the potential variants of attacks so I resorted to testing the regular expression more directly. I believe that regex needs to be updated some too because I know there are a lot of false positives that the internet is causing on it these days. If you want to see the SQL injection regex test suite, you can see it here: https://github.com/bro/bro/blob/f5ce4785ea96b56643c092331a16308f071c8092/testing/btest/scripts/policy/protocols/http/test-sql-injection-regex.bro .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro.org/ From seth at icir.org Thu Sep 29 06:25:35 2016 From: seth at icir.org (Seth Hall) Date: Thu, 29 Sep 2016 09:25:35 -0400 Subject: [Bro] misc-stats question In-Reply-To: References: Message-ID: <079C97C1-3143-469C-9DB0-9952B79815E9@icir.org> > On Sep 29, 2016, at 8:50 AM, erik clark wrote: > > In misc-stats, we have a field in stats.lg labeled "plt_lag". What exactly is this measuring? ## Lag between the wall clock and packet timestamps if reading ## live traffic. 
pkt_lag: interval &log &optional; This could mean that packets are getting pulled from a queue somewhere after they're timestamped. It doesn't necessarily mean a whole lot, but it could be an interesting data point in some circumstances. > Also, in a reasonable deployment, what should we see as far as events_queued. Should this be close to zero? I am seeing a packet lag of 2.0-2.5, and several million events queued. ## Number of events that have been queued since the last stats ## interval. events_queued: count &log; This depends on your report interval (it's 5min by default) since it's reporting the number of events queued in the last report interval. You probably don't want it to be zero, it would mean that Bro isn't doing anything. Events are how almost all script execution happens too so I'd expect it to be reasonably high in many circumstances. In your case, this just means that you had several million events queued in a 5min period which would seem ok to me, but we don't have much data on this yet. .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro.org/ From ysrivas at ncsu.edu Thu Sep 29 06:32:46 2016 From: ysrivas at ncsu.edu (Yagyesh Srivastava) Date: Thu, 29 Sep 2016 09:32:46 -0400 Subject: [Bro] Newbie at bro, some questions In-Reply-To: References: Message-ID: Thanks for the help. So if my understanding is correct, running the traces on bro is as good as sending the same traffic which is present in the pcap from another system on to bro? On Sep 29, 2016 8:52 AM, "Seth Hall" wrote: > > > On Sep 26, 2016, at 6:08 PM, Yagyesh Srivastava > wrote: > > > > Could anyone please let me know, what if we want to test some attack > traffic which is not mentioned in the traces. > > How do we do that? > > Do we have some more traces present which don't come to bro directory by > default? 
> > Because I feel SQL Injection and HTTP brute force are common attack > traffic and should ideally be present in the traces. > > Unfortunately, getting representative test traffic is frequently very > difficult. For the SQL injection script specifically it would be nearly > impossible to have a trace that has all of the potential variants of > attacks so I resorted to testing the regular expression more directly. I > believe that regex needs to be updated some too because I know there are a > lot of false positives that the internet is causing on it these days. > > If you want to see the SQL injection regex test suite, you can see it here: > https://github.com/bro/bro/blob/f5ce4785ea96b56643c092331a1630 > 8f071c8092/testing/btest/scripts/policy/protocols/http/ > test-sql-injection-regex.bro > > .Seth > > -- > Seth Hall > International Computer Science Institute > (Bro) because everyone has a network > http://www.bro.org/ > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160929/1eb56e10/attachment.html From daniel.guerra69 at gmail.com Thu Sep 29 07:03:21 2016 From: daniel.guerra69 at gmail.com (Daniel Guerra) Date: Thu, 29 Sep 2016 16:03:21 +0200 Subject: [Bro] Newbie at bro, some questions In-Reply-To: References: Message-ID: <1B9DADAA-BB8A-4D02-9108-9FBC3453A13C@gmail.com> Hi, Here is a nice testing set with pcaps https://www.netresec.com/?page=PcapFiles > On 29 Sep 2016, at 15:32, Yagyesh Srivastava wrote: > > Thanks for the help. > So if my understanding is correct, running the traces on bro is as good as sending the same traffic which is present in the pcap from another system on to bro? > > > On Sep 29, 2016 8:52 AM, "Seth Hall" > wrote: > > > On Sep 26, 2016, at 6:08 PM, Yagyesh Srivastava > wrote: > > > > Could anyone please let me know, what if we want to test some attack traffic which is not mentioned in the traces. > > How do we do that?
> > Do we have some more traces present which don't come to bro directory by default? > > Because I feel SQL Injection and HTTP brute force are common attack traffic and should ideally be present in the traces. > > Unfortunately, getting representative test traffic is frequently very difficult. For the SQL injection script specifically it would be nearly impossible to have a trace that has all of the potential variants of attacks so I resorted to testing the regular expression more directly. I believe that regex needs to be updated some too because I know there are a lot of false positives that the internet is causing on it these days. > > If you want to see the SQL injection regex test suite, you can see it here: > https://github.com/bro/bro/blob/f5ce4785ea96b56643c092331a16308f071c8092/testing/btest/scripts/policy/protocols/http/test-sql-injection-regex.bro > > .Seth > > -- > Seth Hall > International Computer Science Institute > (Bro) because everyone has a network > http://www.bro.org/ > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160929/fdfe7b83/attachment-0001.html From philosnef at gmail.com Thu Sep 29 07:16:02 2016 From: philosnef at gmail.com (erik clark) Date: Thu, 29 Sep 2016 10:16:02 -0400 Subject: [Bro] problem starting bro with no dns Message-ID: In my node.cfg, all of my hosts are set to localhost. I can start bro as root, but as a non-root user with setcap privs, I get error: unknown host 'localhost' for given node 'manager' [Temporary... name resolution] Obviously localhost is in /etc/hosts. So why is bro having a problem with this? Not having a functional dns shouldn't prevent bro from spawning, especially when the host given is just localhost. How can I deal with this issue?
-------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160929/38adf67e/attachment.html From jlay at slave-tothe-box.net Thu Sep 29 08:31:58 2016 From: jlay at slave-tothe-box.net (James Lay) Date: Thu, 29 Sep 2016 09:31:58 -0600 Subject: [Bro] Quick question on conn tracking In-Reply-To: References: <08a4bcde84447741decca463ffd2cd50@localhost> Message-ID: <020995efc9ad6ef1e3384cb9051b1c5d@localhost> On 2016-09-28 20:29, Seth Hall wrote: >> On Sep 28, 2016, at 3:51 PM, James Lay >> wrote: >> >> 2016-09-28T12:29:39-0600 192.168.1.101 44083 31.13.76.101 443 >> tcp ssl 0.214346 460 170 S1 T F >> 0 ShADad 8 884 7 542 (empty) - >> >> 2016-09-28T12:44:39-0600 192.168.1.101 44083 31.13.76.101 443 >> tcp - 0.016678 31 0 RSTRH T F >> 0 fDrAr 2 135 3 132 (empty) - > > Wow, you're actually seeing 15 minute where there are no packets seen > in the connection? I'm surprised that Facebook has such a long > timeout on their frontend web servers. I would expect that a timeout > that long would actually cause quite a few middle boxes quite a bit of > consternation as well. :) > > .Seth > > -- > Seth Hall > International Computer Science Institute > (Bro) because everyone has a network > http://www.bro.org/ Heh....spotify is even worse :P notice.log:1475161562.899483 CPEyXm4oD4iu0xu4v1 192.168.1.101 42263 193.235.203.66 4070 - - - tcp LongConnection::found 192.168.1.101 -> 193.235.203.66:4070/tcp remained alive for longer than 49m42s 2981.66 192.168.1.101 193.235.203.66 4070 - bro Notice::ACTION_LOG 3600.000000 F - - - - - CRAZYTOWN! 
James From daniel.guerra69 at gmail.com Thu Sep 29 09:15:10 2016 From: daniel.guerra69 at gmail.com (Daniel Guerra) Date: Thu, 29 Sep 2016 18:15:10 +0200 Subject: [Bro] Quick question on conn tracking In-Reply-To: <020995efc9ad6ef1e3384cb9051b1c5d@localhost> References: <08a4bcde84447741decca463ffd2cd50@localhost> <020995efc9ad6ef1e3384cb9051b1c5d@localhost> Message-ID: <025B56FB-0C9E-4A60-9DDD-D6D770F7E8FC@gmail.com> It seems to pop up with a few types of history .. here RSTRH 104.70.5.52 (Akamai/iTunes) has ^fR > On 29 Sep 2016, at 17:31, James Lay wrote: > > On 2016-09-28 20:29, Seth Hall wrote: >>> On Sep 28, 2016, at 3:51 PM, James Lay >>> wrote: >>> >>> 2016-09-28T12:29:39-0600 192.168.1.101 44083 31.13.76.101 443 >>> tcp ssl 0.214346 460 170 S1 T F >>> 0 ShADad 8 884 7 542 (empty) - >>> >>> 2016-09-28T12:44:39-0600 192.168.1.101 44083 31.13.76.101 443 >>> tcp - 0.016678 31 0 RSTRH T F >>> 0 fDrAr 2 135 3 132 (empty) - >> >> Wow, you're actually seeing 15 minute where there are no packets seen >> in the connection? I'm surprised that Facebook has such a long >> timeout on their frontend web servers. I would expect that a timeout >> that long would actually cause quite a few middle boxes quite a bit of >> consternation as well. :) >> >> .Seth >> >> -- >> Seth Hall >> International Computer Science Institute >> (Bro) because everyone has a network >> http://www.bro.org/ > > Heh....spotify is even worse :P > > notice.log:1475161562.899483 CPEyXm4oD4iu0xu4v1 192.168.1.101 > 42263 193.235.203.66 4070 - - - tcp > LongConnection::found 192.168.1.101 -> 193.235.203.66:4070/tcp > remained alive for longer than 49m42s 2981.66 192.168.1.101 > 193.235.203.66 4070 - bro Notice::ACTION_LOG > 3600.000000 F - - - - - > > CRAZYTOWN!
>
> James

From dnthayer at illinois.edu Thu Sep 29 09:25:29 2016
From: dnthayer at illinois.edu (Daniel Thayer)
Date: Thu, 29 Sep 2016 11:25:29 -0500
Subject: [Bro] problem starting bro with no dns
In-Reply-To:
References:
Message-ID: <61e10d69-7962-a8b3-568e-6571a640cefe@illinois.edu>

On 9/29/16 9:16 AM, erik clark wrote:
> In my node.cfg, all of my hosts are set to localhost. I can start bro as root, but as a non root user with setcap privs, I get
>
> error: unknown host 'localhost' for given node 'manager' [Temporary... name resolution]
>
> Obviously localhost is in /etc/hosts. So why is it bro is having a problem with this? Not having a functional dns shouldn't prevent bro from spawning, especially when the host given is just localhost. How can I deal with this issue?
>

Does it work if you edit node.cfg and change localhost to 127.0.0.1 ?

From crharwood at gmail.com Thu Sep 29 12:10:38 2016
From: crharwood at gmail.com (Chris Harwood)
Date: Thu, 29 Sep 2016 12:10:38 -0700
Subject: [Bro] node.cfg multiple interface convention?
Message-ID:

Hi all,

One of my installations runs on an old linux laptop monitoring wifi traffic exclusively in standalone.

I'm wondering what the convention is for node.cfg to add monitoring to the wired interface as well.

The use case is, the system is taken off the wifi and restarted at a second location for monitoring a wired connection.

Is the following node.cfg valid?

    [bro]
    type=standalone
    host=localhost
    interface=wlan0
    interface=eth0

Or is a better configuration to use 2 workers, one for each interface?

Thanks in advance,

Chris
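Chris's question here, and John Edwards's br0/br1 question further down this digest, come down to the same layout; Johanna's reply later in the digest is that a standalone node takes exactly one interface and that two workers are the answer. The node.cfg below is an added example, not from the thread or from the Bro project: the section names (worker-wifi, worker-wired, proxy-1) are my own choice, while the host and interface names are the ones Chris used.

```ini
# Added example (not from the thread or the Bro project): a broctl node.cfg
# for one host that captures on two interfaces. Section names are mine;
# host and interface names are the ones Chris used.

# Not valid: a standalone node takes exactly one interface, so a second
# interface= key does not give you a second capture.
#
# [bro]
# type=standalone
# host=localhost
# interface=wlan0
# interface=eth0

# Instead: a small cluster on the same host, one worker per interface.
# A cluster configuration needs a manager and at least one proxy as well.
[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost

[worker-wifi]
type=worker
host=localhost
interface=wlan0

[worker-wired]
type=worker
host=localhost
interface=eth0
```

With this layout the manager writes the logs, so traffic from both interfaces lands in the same conn.log; the default logs carry no interface column, so the two feeds are told apart by addresses (and by whatever you put in networks.cfg), not by the worker that saw them. For John's PF_RING front end, each worker section can additionally carry lb_method=pf_ring and lb_procs=N to spread one interface across several processes.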
From jlay at slave-tothe-box.net Thu Sep 29 15:53:22 2016
From: jlay at slave-tothe-box.net (James Lay)
Date: Thu, 29 Sep 2016 16:53:22 -0600
Subject: [Bro] Feature Request: Append
Message-ID:

I know I've brought this up before, but I was going to put this in on the github but that feature isn't enabled. I know a lot of people just use broctl and be done with it, but I just use it via command line most of the time. It would REALLY be nice to have a command line switch to not overwrite log files and just append to existing files. Thank you.

James

From jedwards2728 at gmail.com Fri Sep 30 00:56:12 2016
From: jedwards2728 at gmail.com (John Edwards)
Date: Fri, 30 Sep 2016 17:56:12 +1000
Subject: [Bro] New Cluster configuration
Message-ID:

Hi everyone

Today I successfully installed Bro as a standalone worker on an ubuntu system; it has 16 cores, 8GB ram (can be expanded) and about 2TB of disk. It's receiving traffic from a passive fibre network interface. The interface configuration is as follows:

    br0 - bridged interface
      p1p1 - RX of fibre
      p1p2 - TX of fibre
    br1 - bridged interface
      p2p1 - RX of fibre
      p2p2 - TX of fibre

So I have br0 configured and being monitored correctly. br0 is monitoring one part of the network up towards public facing infrastructure and br1 is monitoring more local stuff, so it's not NAT'd and closer to the hosts.

As it is one physical system with 2 interfaces, what is the best way for me to monitor both feeds and log it correctly? All of my logs are being fed into a SIEM with JSON output.

Can I have separate roles configured on the one physical system and each interface being defined as a separate worker? So PF_RING as the front end, then a manager and proxy but each worker defined within the Cluster worker config as the same host but different interfaces. Or should I suggest getting additional hardware and splitting the interfaces?
It seems a little silly that one worker can only monitor one interface, I thought. That's why I thought I'd ask here first.

Thanks,
John

From philosnef at gmail.com Fri Sep 30 04:46:47 2016
From: philosnef at gmail.com (erik clark)
Date: Fri, 30 Sep 2016 07:46:47 -0400
Subject: [Bro] problem starting bro with no dns
In-Reply-To: <61e10d69-7962-a8b3-568e-6571a640cefe@illinois.edu>
References: <61e10d69-7962-a8b3-568e-6571a640cefe@illinois.edu>
Message-ID:

Yes, however localhost should automatically be understood irrespective of external dns calls. Especially since it is in /etc/hosts and getent hosts localhost works with a broken dns resolver....

On Thu, Sep 29, 2016 at 12:25 PM, Daniel Thayer wrote:
> On 9/29/16 9:16 AM, erik clark wrote:
>
>> In my node.cfg, all of my hosts are set to localhost. I can start bro as root, but as a non root user with setcap privs, I get
>>
>> error: unknown host 'localhost' for given node 'manager' [Temporary... name resolution]
>>
>> Obviously localhost is in /etc/hosts. So why is it bro is having a problem with this? Not having a functional dns shouldn't prevent bro from spawning, especially when the host given is just localhost. How can I deal with this issue?
>>
>
> Does it work if you edit node.cfg and change localhost to 127.0.0.1 ?
>

From philosnef at gmail.com Fri Sep 30 04:47:49 2016
From: philosnef at gmail.com (erik clark)
Date: Fri, 30 Sep 2016 07:47:49 -0400
Subject: [Bro] problem with two specific workers
Message-ID:

I have two workers that are constantly pegged at dropping 50% of the packets I am processing. It is always the same two workers.
This is on bro 2.4.1, so I don't have misc-stats (yet). Is there a way I can troubleshoot why I have problems with these two workers?

From philosnef at gmail.com Fri Sep 30 06:16:09 2016
From: philosnef at gmail.com (erik clark)
Date: Fri, 30 Sep 2016 09:16:09 -0400
Subject: [Bro] problem with two specific workers
In-Reply-To:
References:
Message-ID:

On second thought, I am getting in excess of 1.1 Mpps. According to Robin's paper here, https://www.sans.org/reading-room/whitepapers/intrusion/open-source-ids-high-performance-shootout-35772, I should be able to process about 880 kpps with 24 workers.

However, I have 20 workers and 400 gigs of ram. When I move the workers up to 24, my box gets crushed with a load of 20, up from a load of 13-15, and I drop even more packets on the floor. Is the only way out of this to stand up another box and try to use broctl to load balance between those systems?

On Fri, Sep 30, 2016 at 7:47 AM, erik clark wrote:
> I have two workers that are constantly pegged at dropping 50% of the packets I am processing. It is always the same two workers. This is on bro 2.4.1, so I don't have misc-stats (yet). Is there a way I can troubleshoot why I have problems with these two workers?
>

From johanna at icir.org Fri Sep 30 13:59:46 2016
From: johanna at icir.org (Johanna Amann)
Date: Fri, 30 Sep 2016 13:59:46 -0700
Subject: [Bro] problem with two specific workers
In-Reply-To:
References:
Message-ID: <20160930205942.pkg46nm6tze6lz4s@wifi179.sys.ICSI.Berkeley.EDU>

How much traffic you can handle depends a lot on the kinds of packets that your traffic consists of.
So - for some traffic, 880k kpps might be ok, for other kinds of traffic, you might not even be able to handle half of that, even with the same hardware. So - you always have to take numbers like these with a grain of salt; you will never get exactly the same performance.

That being said - if there are two specific workers that always drop packets, that might point to streams with high data rates that are handled by these two processes. 2.4.1 actually does have misc/stats.bro, so you can try loading that to see what is going on. It does not give as much information, but it might still be helpful.

If you have too much traffic for your current hardware to handle, yes, your only choice might be to either disable scripts or add more hardware.

I hope this helps,
Johanna

On Fri, Sep 30, 2016 at 09:16:09AM -0400, erik clark wrote:
> On second thought, I am getting in excess of 1.1 Mpps. According to Robin's paper here, https://www.sans.org/reading-room/whitepapers/intrusion/open-source-ids-high-performance-shootout-35772, I should be able to process about 880 kpps with 24 workers.
>
> However, I have 20 workers and 400 gigs of ram. When I move the workers up to 24, my box gets crushed with a load of 20, up from a load of 13-15, and I drop even more packets on the floor. Is the only way out of this to stand up another box and try to use broctl to load balance between those systems?
>
> On Fri, Sep 30, 2016 at 7:47 AM, erik clark wrote:
>
> > I have two workers that are constantly pegged at dropping 50% of the packets I am processing. It is always the same two workers. This is on bro 2.4.1, so I don't have misc-stats (yet). Is there a way I can troubleshoot why I have problems with these two workers?
> >
>

From johanna at icir.org Fri Sep 30 14:05:25 2016
From: johanna at icir.org (Johanna Amann)
Date: Fri, 30 Sep 2016 14:05:25 -0700
Subject: [Bro] node.cfg multiple interface convention?
In-Reply-To:
References:
Message-ID: <20160930210525.zohdr3bfjmlb5aoh@wifi179.sys.ICSI.Berkeley.EDU>

Hello Chris,

no, the given node.cfg is not valid, you can only specify one interface for a standalone node. The best solution would probably be to use 2 workers, one for each interface.

There is a workaround that should still work, where you give the interface as "wlan0 -i eth0" (see https://bro-tracker.atlassian.net/browse/BIT-12), which I think still works, but that might break anytime.

Johanna

On Thu, Sep 29, 2016 at 12:10:38PM -0700, Chris Harwood wrote:
> Hi all,
>
> One of my installations runs on an old linux laptop monitoring wifi traffic exclusively in standalone.
>
> I'm wondering what the convention is for node.cfg to add monitoring to the wired interface as well.
>
> The use case is, the system is taken off the wifi and restarted at a second location for monitoring a wired connection.
>
> Is the following node.cfg valid?
>
> [bro]
> type=standalone
> host=localhost
> interface=wlan0
> interface=eth0
>
> Or is a better configuration to use 2 workers, one for each interface?
>
> Thanks in advance,
>
> Chris

From johanna at icir.org Fri Sep 30 14:11:36 2016
From: johanna at icir.org (Johanna Amann)
Date: Fri, 30 Sep 2016 14:11:36 -0700
Subject: [Bro] load balancing question.
In-Reply-To:
References:
Message-ID: <20160930211136.hq6qb46ztbtphile@wifi179.sys.ICSI.Berkeley.EDU>

Hi,

to add to the already given answer - I _suspect_ that it might work when you start Bro and specify several interfaces (bro -i eth0 -i eth1). However, I am not quite sure if the packets will arrive at Bro in the correct ordering in that case, especially when there is very quick timing (i.e. interleaved packets that arrive on both interfaces in very quick succession and have to be parsed in the correct order).

So - try it and tell us your results :)

Johanna

On Wed, Sep 28, 2016 at 12:36:13PM -0700, Dk Jack wrote:
> Hi,
> Does bro handle the case where I am sniffing from two interfaces I1 and I2, and I1 sees the client side traffic and I2 sees the server side traffic? If this is supported, does the scenario of more than two interfaces also work?
> Thanks.
>
> Dk.

From johanna at icir.org Fri Sep 30 14:14:10 2016
From: johanna at icir.org (Johanna Amann)
Date: Fri, 30 Sep 2016 14:14:10 -0700
Subject: [Bro] Bro 2.4.1 documentation
In-Reply-To:
References:
Message-ID: <20160930211410.cvjpsinv5jbpu5mg@wifi179.sys.ICSI.Berkeley.EDU>

Hi John,

the Bro documentation is currently not available in any format besides html, sorry.

Johanna

On Mon, Sep 26, 2016 at 01:28:01PM +1000, John Edwards wrote:
> Hi all,
>
> I am reading through Bro's documentation for a variety of purposes, I am new to it and really want to understand the internals, the scripting language, scaling up for clustering for larger link monitoring etc.
>
> I find the website's layout not that good for reading as I am reading a book about any other open source project I read about. Other open source security projects I read about have PDF versions of their documentation so people can print it out etc.
>
> Is the same thing available for Bro?
> Have copied all of the doco into a word document but cancelled that as formatting was ugly. The only mention of Bro in a book I have found is a couple pages long. I'd like the entire documentation available for whatever latest release but as PDF.
>
> Anyone else know where to find it? Or if it's even available?
>
> Thanks,
> John

From johanna at icir.org Fri Sep 30 14:16:40 2016
From: johanna at icir.org (Johanna Amann)
Date: Fri, 30 Sep 2016 14:16:40 -0700
Subject: [Bro] Monitoring a directory and running bro on the PCAPs
In-Reply-To:
References:
Message-ID: <20160930211640.7yy3gfbsk6ioonjr@wifi179.sys.ICSI.Berkeley.EDU>

Hi Art,

that is the easiest way to do that, yes, just run Bro after the pcap files have been written. The only disadvantage of this approach is that you lose session state between runs of Bro; when you run Bro on the following file, it will not parse any data from tcp sessions that started in the previous file.

Johanna

On Fri, Sep 23, 2016 at 01:26:50PM -0400, Art Maddalena wrote:
> Does anyone have experience using Bro to run its analysis on PCAPs being written to a directory in an automated fashion?
> Should a cron just be run at a lag using bro -r and script options?
> Thank you,
>
> -Art

From Art.Maddalena at teamaol.com Fri Sep 30 14:19:15 2016
From: Art.Maddalena at teamaol.com (Art Maddalena)
Date: Fri, 30 Sep 2016 21:19:15 +0000
Subject: [Bro] Monitoring a directory and running bro on the PCAPs
In-Reply-To: <20160930211640.7yy3gfbsk6ioonjr@wifi179.sys.ICSI.Berkeley.EDU>
References: <20160930211640.7yy3gfbsk6ioonjr@wifi179.sys.ICSI.Berkeley.EDU>
Message-ID:

Thank you.
Is it possible to stream the pcap data to bro in lieu of monitoring a directory? Thanks!

Art

On Fri, Sep 30, 2016 at 17:16 Johanna Amann wrote:
> Hi Art,
>
> that is the easiest way to do that, yes, just run Bro after the pcap files have been written. The only disadvantage of this approach is that you lose session state between runs of Bro; when you run Bro on the following file, it will not parse any data from tcp sessions that started in the previous file.
>
> Johanna
>
> On Fri, Sep 23, 2016 at 01:26:50PM -0400, Art Maddalena wrote:
> > Does anyone have experience using Bro to run its analysis on PCAPs being written to a directory in an automated fashion?
> > Should a cron just be run at a lag using bro -r and script options?
> > Thank you,
> >
> > -Art

From johanna at icir.org Fri Sep 30 14:25:21 2016
From: johanna at icir.org (Johanna Amann)
Date: Fri, 30 Sep 2016 14:25:21 -0700
Subject: [Bro] Monitoring a directory and running bro on the PCAPs
In-Reply-To:
References: <20160930211640.7yy3gfbsk6ioonjr@wifi179.sys.ICSI.Berkeley.EDU>
Message-ID: <20160930212521.5ldxgeiydegpifph@wifi179.sys.ICSI.Berkeley.EDU>

Hi,

unless you have a way to replay the data to an interface that Bro can listen on (either by duplicating the traffic, or by using something like tcpreplay), I am not really aware of a good solution.

Johanna

On Fri, Sep 30, 2016 at 09:19:15PM +0000, Art Maddalena wrote:
> Thank you. Is it possible to stream the pcap data to bro in lieu of monitoring a directory? Thanks!
>
> Art
>
> On Fri, Sep 30, 2016 at 17:16 Johanna Amann wrote:
>
> > Hi Art,
> >
> > that is the easiest way to do that, yes, just run Bro after the pcap files have been written. The only disadvantage of this approach is that you lose session state between runs of Bro; when you run Bro on the following file, it will not parse any data from tcp sessions that started in the previous file.
> >
> > Johanna
> >
> > On Fri, Sep 23, 2016 at 01:26:50PM -0400, Art Maddalena wrote:
> > > Does anyone have experience using Bro to run its analysis on PCAPs being written to a directory in an automated fashion?
> > > Should a cron just be run at a lag using bro -r and script options?
> > > Thank you,
> > >
> > > -Art

From michalpurzynski1 at gmail.com Fri Sep 30 14:42:00 2016
From: michalpurzynski1 at gmail.com (Michał Purzyński)
Date: Fri, 30 Sep 2016 23:42:00 +0200
Subject: [Bro] Monitoring a directory and running bro on the PCAPs
In-Reply-To: <20160930212521.5ldxgeiydegpifph@wifi179.sys.ICSI.Berkeley.EDU>
References: <20160930211640.7yy3gfbsk6ioonjr@wifi179.sys.ICSI.Berkeley.EDU> <20160930212521.5ldxgeiydegpifph@wifi179.sys.ICSI.Berkeley.EDU>
Message-ID:

Either that, or inotify that runs bro with a few lines of Python code. Replaying is better because it won't create backlogs of bros. Or even a few lines in Python with inotify that starts replay?

> On 30 Sep 2016, at 23:25, Johanna Amann wrote:
>
> Hi,
>
> unless you have a way to replay the data to an interface that Bro can listen on (either by duplicating the traffic, or by using something like tcpreplay), I am not really aware of a good solution.
>
> Johanna
>
>> On Fri, Sep 30, 2016 at 09:19:15PM +0000, Art Maddalena wrote:
>> Thank you.
>> Is it possible to stream the pcap data to bro in lieu of monitoring a directory? Thanks!
>>
>> Art
>>
>>> On Fri, Sep 30, 2016 at 17:16 Johanna Amann wrote:
>>>
>>> Hi Art,
>>>
>>> that is the easiest way to do that, yes, just run Bro after the pcap files have been written. The only disadvantage of this approach is that you lose session state between runs of Bro; when you run Bro on the following file, it will not parse any data from tcp sessions that started in the previous file.
>>>
>>> Johanna
>>>
>>>> On Fri, Sep 23, 2016 at 01:26:50PM -0400, Art Maddalena wrote:
>>>> Does anyone have experience using Bro to run its analysis on PCAPs being written to a directory in an automated fashion?
>>>> Should a cron just be run at a lag using bro -r and script options?
>>>> Thank you,
>>>>
>>>> -Art

From daniel.guerra69 at gmail.com Fri Sep 30 14:50:01 2016
From: daniel.guerra69 at gmail.com (Daniel Guerra)
Date: Fri, 30 Sep 2016 23:50:01 +0200
Subject: [Bro] Monitoring a directory and running bro on the PCAPs
In-Reply-To: <20160930212521.5ldxgeiydegpifph@wifi179.sys.ICSI.Berkeley.EDU>
References: <20160930211640.7yy3gfbsk6ioonjr@wifi179.sys.ICSI.Berkeley.EDU> <20160930212521.5ldxgeiydegpifph@wifi179.sys.ICSI.Berkeley.EDU>
Message-ID:

Hi,

I have made a packetbroker for this. Use tcpdump + netcat to the packetbroker for each interface. Then with one bro consume all packets from the broker.

https://hub.docker.com/r/danielguerra/packetbroker/

It's a concept test and was written in perl.

Regards,
Daniel

On 30 Sep
2016, 11:32 PM, "Johanna Amann" wrote:
> Hi,
>
> unless you have a way to replay the data to an interface that Bro can listen on (either by duplicating the traffic, or by using something like tcpreplay), I am not really aware of a good solution.
>
> Johanna
>
> On Fri, Sep 30, 2016 at 09:19:15PM +0000, Art Maddalena wrote:
> > Thank you. Is it possible to stream the pcap data to bro in lieu of monitoring a directory? Thanks!
> >
> > Art
> >
> > On Fri, Sep 30, 2016 at 17:16 Johanna Amann wrote:
> >
> > > Hi Art,
> > >
> > > that is the easiest way to do that, yes, just run Bro after the pcap files have been written. The only disadvantage of this approach is that you lose session state between runs of Bro; when you run Bro on the following file, it will not parse any data from tcp sessions that started in the previous file.
> > >
> > > Johanna
> > >
> > > On Fri, Sep 23, 2016 at 01:26:50PM -0400, Art Maddalena wrote:
> > > > Does anyone have experience using Bro to run its analysis on PCAPs being written to a directory in an automated fashion?
> > > > Should a cron just be run at a lag using bro -r and script options?
> > > > Thank you,
> > > >
> > > > -Art
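The directory-watching approach Art asked about, as an added example that is not code from the thread or from the Bro project. It is the oldest-first polling loop that Justin Azoff sketches in pseudocode further down this thread (list the *.pcap files, sort by age, process, move aside, sleep when idle), written as a small Python daemon around `bro -r`. The directory names, the `settle_seconds` guard and the `run_bro` handler are my assumptions; the contract Justin describes still applies, namely that the capture tool only moves or hardlinks a pcap into the source directory once it has finished writing it. Johanna's caveat also still applies: because each file is a separate `bro -r` run, TCP sessions that straddle two files are not stitched together, which only a real packet source inside Bro would fix.

```python
"""Poll a directory for finished pcap files and feed them to Bro oldest-first.

Added example for the "Monitoring a directory" thread; it is not code from
the Bro project. It follows the 'pcapdir' loop Justin Azoff sketched: list
*.pcap in SOURCE_DIR, sort by age, process each file, then move it to
DONE_DIR. Assumptions (not from the thread): the capture tool only moves or
hardlinks a pcap into SOURCE_DIR once it is fully written, and Bro is run as
``bro -r <file>`` with whatever scripts you normally load.
"""
import os
import shutil
import subprocess
import time
from typing import Callable, List


def run_bro(pcap_path: str) -> None:
    """Default handler: one offline Bro run per file (add your scripts here)."""
    subprocess.run(["bro", "-r", pcap_path], check=True)


def pending_pcaps(source_dir: str, settle_seconds: float = 0.0) -> List[str]:
    """Return full paths of *.pcap files in source_dir, oldest mtime first.

    Files modified within the last settle_seconds are skipped, so a file that
    is still being appended to (a writer that ignores the move contract) is
    not consumed half-written.
    """
    now = time.time()
    candidates = []
    for name in os.listdir(source_dir):
        if not name.endswith(".pcap"):
            continue
        path = os.path.join(source_dir, name)
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue  # raced with the producer or another consumer
        if now - st.st_mtime < settle_seconds:
            continue
        candidates.append((st.st_mtime, name, path))
    candidates.sort()  # oldest first; the name is a stable tie-breaker
    return [path for _, _, path in candidates]


def process_pending(source_dir: str, done_dir: str,
                    handler: Callable[[str], None] = run_bro,
                    settle_seconds: float = 0.0) -> List[str]:
    """Process every pending pcap once, in age order; return the names handled."""
    os.makedirs(done_dir, exist_ok=True)
    handled = []
    for path in pending_pcaps(source_dir, settle_seconds):
        handler(path)
        # Move rather than delete, so a failed run can be replayed by hand.
        shutil.move(path, os.path.join(done_dir, os.path.basename(path)))
        handled.append(os.path.basename(path))
    return handled


def watch(source_dir: str, done_dir: str,
          handler: Callable[[str], None] = run_bro,
          idle_sleep: float = 0.01, settle_seconds: float = 0.0) -> None:
    """The daemon loop from the sketch: process what is there, sleep when idle."""
    while True:
        if not process_pending(source_dir, done_dir, handler, settle_seconds):
            time.sleep(idle_sleep)


if __name__ == "__main__":
    # Directory names are assumptions; point them at your capture tool's output.
    watch("/var/pcap/incoming", "/var/pcap/done")
```

Run it as `python3 pcapdir.py` next to the capture tool; the handler is a parameter so the same loop can drive `tcpreplay` instead of `bro -r`, which is the replay route Johanna and Michał prefer.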
From Art.Maddalena at teamaol.com Fri Sep 30 15:01:27 2016
From: Art.Maddalena at teamaol.com (Art Maddalena)
Date: Fri, 30 Sep 2016 22:01:27 +0000
Subject: [Bro] Monitoring a directory and running bro on the PCAPs
In-Reply-To:
References: <20160930211640.7yy3gfbsk6ioonjr@wifi179.sys.ICSI.Berkeley.EDU> <20160930212521.5ldxgeiydegpifph@wifi179.sys.ICSI.Berkeley.EDU>
Message-ID:

Thank you all for the advice. I am trying not to duplicate capturing efforts as we use a different in-house developed open sourced tool (Moloch) for capture as well. Currently I am running bro concurrently with suri and would love to reduce the overhead of performing both capture and analysis with bro.

Thanks again all! I will think about using our npbs for a duplicate traffic stream and look into the other suggestions mentioned as well.

Art

On Fri, Sep 30, 2016 at 17:50 Daniel Guerra wrote:
> Hi,
> I have made a packetbroker for this. Use tcpdump + netcat to the packetbroker for each interface. Then with one bro consume all packets from the broker.
> https://hub.docker.com/r/danielguerra/packetbroker/
> It's a concept test and was written in perl.
>
> Regards,
> Daniel
>
> On 30 Sep 2016, 11:32 PM, "Johanna Amann" wrote:
>
>> Hi,
>>
>> unless you have a way to replay the data to an interface that Bro can listen on (either by duplicating the traffic, or by using something like tcpreplay), I am not really aware of a good solution.
>>
>> Johanna
>>
>> On Fri, Sep 30, 2016 at 09:19:15PM +0000, Art Maddalena wrote:
>> > Thank you. Is it possible to stream the pcap data to bro in lieu of monitoring a directory? Thanks!
>> >
>> > Art
>> >
>> > On Fri, Sep 30, 2016 at 17:16 Johanna Amann wrote:
>> >
>> > > Hi Art,
>> > >
>> > > that is the easiest way to do that, yes, just run Bro after the pcap files have been written.
>> > > The only disadvantage of this approach is that you lose session state between runs of Bro; when you run Bro on the following file, it will not parse any data from tcp sessions that started in the previous file.
>> > >
>> > > Johanna
>> > >
>> > > On Fri, Sep 23, 2016 at 01:26:50PM -0400, Art Maddalena wrote:
>> > > > Does anyone have experience using Bro to run its analysis on PCAPs being written to a directory in an automated fashion?
>> > > > Should a cron just be run at a lag using bro -r and script options?
>> > > > Thank you,
>> > > >
>> > > > -Art

From jazoff at illinois.edu Fri Sep 30 20:15:22 2016
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Sat, 1 Oct 2016 03:15:22 +0000
Subject: [Bro] Monitoring a directory and running bro on the PCAPs
In-Reply-To: <20160930212521.5ldxgeiydegpifph@wifi179.sys.ICSI.Berkeley.EDU>
References: <20160930211640.7yy3gfbsk6ioonjr@wifi179.sys.ICSI.Berkeley.EDU> <20160930212521.5ldxgeiydegpifph@wifi179.sys.ICSI.Berkeley.EDU>
Message-ID: <18638945-ED69-4A3E-918F-D44BBD95E493@illinois.edu>

> On Sep 30, 2016, at 5:25 PM, Johanna Amann wrote:
>
> Hi,
>
> unless you have a way to replay the data to an interface that Bro can listen on (either by duplicating the traffic, or by using something like tcpreplay), I am not really aware of a good solution.
>
> Johanna

Hmm, it probably wouldn't be that hard to write a 'pcapdir' pkt source for bro.
Basically it would just need to:

    while(!terminating) {
        pcap_files = all .pcap files in SOURCE_DIR
        sort pcap_files by oldest  # hopefully there is only one file
        for each pcap file {
            open and process packets into bro
            delete pcap  # or move to a DONE_DIR/.
        }
        if no files in pcap_files
            sleep(10ms)
    }

You'd just need the other tool to hardlink or move the pcaps into the SOURCE_DIR as they are done being written to. This would also fix the tcp session issues.

--
- Justin Azoff

From jazoff at illinois.edu Fri Sep 30 21:41:34 2016
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Sat, 1 Oct 2016 04:41:34 +0000
Subject: [Bro] Bro 2.4.1 documentation
In-Reply-To:
References:
Message-ID:

> On Sep 25, 2016, at 11:28 PM, John Edwards wrote:
>
> Hi all,
>
> I am reading through Bro's documentation for a variety of purposes, I am new to it and really want to understand the internals, the scripting language, scaling up for clustering for larger link monitoring etc.
>
> I find the website's layout not that good for reading as I am reading a book about any other open source project I read about. Other open source security projects I read about have PDF versions of their documentation so people can print it out etc.
>
> Is the same thing available for Bro? Have copied all of the doco into a word document but cancelled that as formatting was ugly. The only mention of Bro in a book I have found is a couple pages long. I'd like the entire documentation available for whatever latest release but as PDF.
>
> Anyone else know where to find it? Or if it's even available?
>
> Thanks,
> John

As Johanna said it isn't published anywhere, but the tool that builds all the documentation (sphinx) can easily build a single page document. The only reason it doesn't is that doc/CMakeLists.txt only runs sphinx-build with -b html.

I re-ran it with -b singlehtml, and it worked but the output is a little unwieldy and the formatting could be better. This can probably be fixed with a few lines of css though.
-b latex works, but then pdflatex isn't happy with rendering the resulting file. The OS X book reader doesn't like the .epub files that -b epub builds.

However, I did have good success using 'sphinx-build -b man' and then 'man -Tpdf ./bro.1 > bro.pdf'

That outputs this: http://www.ncsa.illinois.edu/People/jazoff/bro-2.4.1.pdf

Which is pretty close. The ToC items aren't links and images are missing, but that's probably the most reader friendly so far.

--
- Justin Azoff
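Returning to James Lay's conn-tracking thread at the top of this digest: the two 443 records he quoted (S1 with history ShADad, then RSTRH with history fDrAr fifteen minutes later) are what a long-lived connection looks like once Bro's inactivity timeout has expired it, logged it, and then seen more packets on the same 5-tuple. The script below, an added example that is not Bro code and not from the thread, pairs such records up from conn.log so that the second record is read as the tail of the first rather than as a new half-open connection. The sample records are constructed in the default conn.log column order to reproduce that shape; the uids and the HTTP record are invented, and the idle-gap threshold is my assumption.

```python
"""Pair conn.log records that are really one long-lived TCP connection.

Added example for James Lay's conn-tracking thread; it is not Bro code.
Once a TCP connection sits idle past Bro's inactivity timeout, Bro logs it
and forgets it, so later packets on the same 5-tuple start a fresh conn.log
record with a new uid and no SYN in its history (the records in the thread:
S1/ShADad, then RSTRH/fDrAr 15 minutes later). The sample log below is
constructed in the default conn.log column order; it is not copied from
the thread.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Default Bro 2.x conn.log columns, in order.
CONN_FIELDS = ("ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service "
               "duration orig_bytes resp_bytes conn_state local_orig local_resp "
               "missed_bytes history orig_pkts orig_ip_bytes resp_pkts "
               "resp_ip_bytes tunnel_parents").split()

# Constructed sample: a TLS connection that reappears 15 minutes later, and
# an unrelated HTTP connection that completed normally (uids are invented).
SAMPLE_CONN_LOG = (
    "1475087379.000000\tCaaa111\t192.168.1.101\t44083\t31.13.76.101\t443\ttcp\tssl"
    "\t0.214346\t460\t170\tS1\tT\tF\t0\tShADad\t8\t884\t7\t542\t(empty)\n"
    "1475087400.000000\tCbbb222\t192.168.1.101\t50000\t93.184.216.34\t80\ttcp\thttp"
    "\t1.500000\t300\t9000\tSF\tT\tF\t0\tShADadFf\t9\t700\t12\t9500\t(empty)\n"
    "1475088279.000000\tCccc333\t192.168.1.101\t44083\t31.13.76.101\t443\ttcp\t-"
    "\t0.016678\t31\t0\tRSTRH\tT\tF\t0\tfDrAr\t2\t135\t3\t132\t(empty)\n"
)

FiveTuple = Tuple[str, str, str, str, str]


@dataclass
class ConnRecord:
    ts: float
    uid: str
    key: FiveTuple
    duration: float
    conn_state: str
    history: str


def saw_handshake(history: str) -> bool:
    """True if the history holds the originator SYN ('S') and the responder
    SYN-ACK ('h'). A leading '^' only means Bro flipped its guess of which
    side is the originator, so it is ignored."""
    h = history.lstrip("^")
    return "S" in h and "h" in h


def parse_conn_log(text: str) -> List[ConnRecord]:
    """Parse tab-separated conn.log lines; '#' header lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        cols = dict(zip(CONN_FIELDS, line.split("\t")))
        duration = cols["duration"]
        records.append(ConnRecord(
            ts=float(cols["ts"]),
            uid=cols["uid"],
            key=(cols["id.orig_h"], cols["id.orig_p"],
                 cols["id.resp_h"], cols["id.resp_p"], cols["proto"]),
            duration=0.0 if duration == "-" else float(duration),
            conn_state=cols["conn_state"],
            history=cols["history"],
        ))
    return records


def find_split_connections(records: List[ConnRecord],
                           max_idle: float = 3600.0) -> List[Tuple[str, str, float]]:
    """Return (earlier_uid, later_uid, idle_seconds) for each record that
    shares a 5-tuple with an earlier one and shows no handshake of its own:
    the tail of a connection Bro had already timed out and logged.
    max_idle (an assumption) bounds how far apart the two records may be."""
    last_seen: Dict[FiveTuple, ConnRecord] = {}
    splits = []
    for rec in sorted(records, key=lambda r: r.ts):
        prev = last_seen.get(rec.key)
        if prev is not None and not saw_handshake(rec.history):
            idle = rec.ts - (prev.ts + prev.duration)  # gap after the earlier record ended
            if 0 <= idle <= max_idle:
                splits.append((prev.uid, rec.uid, round(idle, 3)))
        last_seen[rec.key] = rec
    return splits


if __name__ == "__main__":
    for earlier, later, idle in find_split_connections(parse_conn_log(SAMPLE_CONN_LOG)):
        print(f"{later} continues {earlier} after {idle:.0f}s idle")
```

On the sample the only pair reported is the 443 connection, with an idle gap just under 900 seconds; the HTTP record has its own SYN and is left alone. The same check run over a real conn.log (feed it the file contents, header lines included) tells you whether a burst of RSTRH or OTH records is genuinely new half-open traffic or just the tails of sessions that outlived the timeout, which is the distinction Seth and James were circling.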