[Bro] DNS Unmatched msg/reply

fatema bannatwala fatema.bannatwala at gmail.com
Mon Dec 4 10:44:47 PST 2017


Hi All,

I was looking into the Bro weird.log file, and finally decided to spare some time
tuning down the dns_unmatched_* messages in weird.log, as we usually get *many*
of them.

So to begin with, first I looked at the weird.log, grepped the very first
entry for dns_unmatched_msg, and then grepped everything in *.log corresponding
to that uid:

$ less *.log | grep "CgOnko1s28TKjoaB07"
1512410399.813927  CgOnko1s28TKjoaB07  34.228.158.69  41438  128.175.13.16  53  udp  dns  0.003451  42  2638  SF  F  T  0  Dd  1  70  22694  (empty)  worker-2-18
1512410399.813927  CgOnko1s28TKjoaB07  34.228.158.69  41438  128.175.13.16  53  udp  22592  0.003411  dns1.udel.edu  1  C_INTERNET  1  A  0  NOERROR  T  F  F  F  1  128.175.13.16  86400.000000  F
1512410399.817378  CgOnko1s28TKjoaB07  34.228.158.69  41438  128.175.13.16  53  udp  22592  -  dns1.udel.edu  -  -  -  -  0  NOERROR  T  F  F  F  0  128.175.13.16  86400.000000  F
1512410399.817338  CgOnko1s28TKjoaB07  34.228.158.69  41438  128.175.13.16  53  DNS_RR_unknown_type  46  F  worker-2-18
1512410399.817378  CgOnko1s28TKjoaB07  34.228.158.69  41438  128.175.13.16  53  dns_unmatched_reply  -  F  worker-2-18
1512410409.813946  CgOnko1s28TKjoaB07  34.228.158.69  41438  128.175.13.16  53  dns_unmatched_msg  -  F  worker-2-18

Looks like Bro is seeing a proper connection (SF) in the conn.log entry,
and dns.log is logging the query and response, the second log entry above.
I am unsure about the third entry above, corresponding to dns.log.
Any reason weird.log would log a dns_unmatched* entry for this connection?

P.S: we have disabled the checksum offloading on the NIC.

Any thoughts?

Thanks!
Fatema.
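The grep-by-uid correlation done by hand in the post, as an added example that is not part of the original message or of Bro itself: it parses Bro ASCII logs (tab-separated records under a "#fields" header), joins every dns_unmatched_* weird to the conn.log and dns.log records sharing its uid, and reports the connection state, the dns.log entries seen, and how long after the first dns.log record the weird fired. The sample log text is constructed, modelled on the values quoted above (the resp_pkts/resp_ip_bytes columns of the conn record and the second "orphan" weird with no conn.log entry are assumptions made for the example); the field layouts follow the conn.log, dns.log and weird.log columns of Bro 2.5.

```python
"""Correlate dns_unmatched_* weirds with conn.log and dns.log by uid.

Added example (not from the mailing-list post or from Bro). Input is Bro ASCII
log text: tab-separated records under a '#fields' header line. Sample records
below are constructed, modelled on the post; see the lead-in for assumptions."""
from collections import defaultdict

UID = "CgOnko1s28TKjoaB07"
CONN5 = [UID, "34.228.158.69", "41438", "128.175.13.16", "53"]


def _tsv(*rows):
    return "\n".join("\t".join(row) for row in rows)


# Constructed sample logs. resp_pkts/resp_ip_bytes (1, 2666) are assumed.
CONN_LOG = _tsv(
    ["#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
     "proto", "service", "duration", "orig_bytes", "resp_bytes", "conn_state",
     "local_orig", "local_resp", "missed_bytes", "history", "orig_pkts",
     "orig_ip_bytes", "resp_pkts", "resp_ip_bytes", "tunnel_parents"],
    ["1512410399.813927", *CONN5, "udp", "dns", "0.003451", "42", "2638", "SF",
     "F", "T", "0", "Dd", "1", "70", "1", "2666", "(empty)"],
)
DNS_LOG = _tsv(
    ["#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
     "proto", "trans_id", "rtt", "query", "qclass", "qclass_name", "qtype",
     "qtype_name", "rcode", "rcode_name", "AA", "TC", "RD", "RA", "Z",
     "answers", "TTLs", "rejected"],
    ["1512410399.813927", *CONN5, "udp", "22592", "0.003411", "dns1.udel.edu",
     "1", "C_INTERNET", "1", "A", "0", "NOERROR", "T", "F", "F", "F", "1",
     "128.175.13.16", "86400.000000", "F"],
    ["1512410399.817378", *CONN5, "udp", "22592", "-", "dns1.udel.edu", "-",
     "-", "-", "-", "0", "NOERROR", "T", "F", "F", "F", "0",
     "128.175.13.16", "86400.000000", "F"],
)
WEIRD_LOG = _tsv(
    ["#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
     "name", "addl", "notice", "peer"],
    ["1512410399.817338", *CONN5, "DNS_RR_unknown_type", "46", "F", "worker-2-18"],
    ["1512410399.817378", *CONN5, "dns_unmatched_reply", "-", "F", "worker-2-18"],
    ["1512410409.813946", *CONN5, "dns_unmatched_msg", "-", "F", "worker-2-18"],
    # Assumed orphan: a weird whose uid never reached conn.log.
    ["1512410410.000000", "CxOrphanUid000000", "10.0.0.5", "5000", "10.0.0.53",
     "53", "dns_unmatched_msg", "-", "F", "worker-1-1"],
)


def parse_bro_log(text):
    """Return a list of dicts, one per record, keyed by the '#fields' names."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def correlate_dns_weirds(conn, dns, weird):
    """For each dns_unmatched_* weird, join conn.log/dns.log records by uid."""
    conn_by_uid = {r["uid"]: r for r in conn}
    dns_by_uid = defaultdict(list)
    for r in dns:
        dns_by_uid[r["uid"]].append(r)
    out = []
    for w in weird:
        if not w["name"].startswith("dns_unmatched_"):
            continue
        c, qs = conn_by_uid.get(w["uid"]), dns_by_uid.get(w["uid"], [])
        first = min(float(q["ts"]) for q in qs) if qs else None
        out.append({
            "uid": w["uid"], "weird": w["name"], "ts": float(w["ts"]),
            "conn_state": c["conn_state"] if c else None,
            "history": c["history"] if c else None,
            "dns_entries": len(qs),
            "trans_ids": sorted({q["trans_id"] for q in qs}),
            # Seconds between the first dns.log record and the weird.
            "offset_from_first_dns": round(float(w["ts"]) - first, 6) if first else None,
        })
    return out


def summarize_by_conn_state(rows):
    """Count dns_unmatched_* weirds per conn_state, for tuning decisions."""
    counts = defaultdict(int)
    for r in rows:
        counts[r["conn_state"] or "(no conn.log entry)"] += 1
    return dict(counts)


if __name__ == "__main__":
    rows = correlate_dns_weirds(parse_bro_log(CONN_LOG), parse_bro_log(DNS_LOG),
                                parse_bro_log(WEIRD_LOG))
    for r in rows:
        print(r)
    print(summarize_by_conn_state(rows))
```

On the constructed input this reports the dns_unmatched_reply at the same timestamp as the second dns.log record (0.003451 s after the first) and the dns_unmatched_msg about 10 s after the query, both on an SF connection, and flags the orphan weird as having no conn.log entry; run against real logs, the per-conn_state summary shows whether the weirds cluster on complete (SF) connections or on something else before any of them are suppressed.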