[Bro] DNS Unmatched msg/reply

Seth Hall seth at corelight.com
Tue Dec 5 05:56:23 PST 2017 

It looks like you got two replies from a single query.  This tends to 
happen frequently in DNS traffic unfortunately and I think it's correct 
to log the second reply.  The main problem that I've seen on my networks 
is the weirds that are being generated.  I'm planning to get rid of 
dns_unmatched_msg and dns_unmatched_reply for the 2.6 release.  They 
don't actually tell you much and they both indicate far too common 
situations to be useful.

   .Seth

On 4 Dec 2017, at 13:44, fatema bannatwala wrote:

> Hi All,
>
> I was looking into the bro weird log file, and finally decided to 
> spare
> some time
> tuning down the dns_unmatched_* messages in weird.log, as we usually 
> get
> *many*
> to them.
>
> So to begin with, first I looked at the weird.log, grep-ed the very 
> first
> entry for dns_unmatched_msg,
> and then grep-ed everything in *.log corresponding to that uid:
>
> $ less *.log | grep "CgOnko1s28TKjoaB07"
> 1512410399.813927       CgOnko1s28TKjoaB07      34.228.158.69   41438
>  128.175.13.16   53      udp     dns     0.003451        42      2638
> SF      F       T       0       Dd      1       70   22694    (empty)
> worker-2-18
> 1512410399.813927       CgOnko1s28TKjoaB07      34.228.158.69   41438
>  128.175.13.16   53      udp     22592   0.003411        dns1.udel.edu 
>   1
>      C_INTERNET      1       A       0       NOERROR       T       F
>  F       F       1       128.175.13.16   86400.000000    F
> 1512410399.817378       CgOnko1s28TKjoaB07      34.228.158.69   41438
>  128.175.13.16   53      udp     22592   -       dns1.udel.edu   -     
>   -
>      -       -       0       NOERROR T       F    F   F       0
>  128.175.13.16   86400.000000    F
> 1512410399.817338       CgOnko1s28TKjoaB07      34.228.158.69   41438
>  128.175.13.16   53      DNS_RR_unknown_type     46      F       
> worker-2-18
> 1512410399.817378       CgOnko1s28TKjoaB07      34.228.158.69   41438
>  128.175.13.16   53      dns_unmatched_reply     -       F       
> worker-2-18
> 1512410409.813946       CgOnko1s28TKjoaB07      34.228.158.69   41438
>  128.175.13.16   53      dns_unmatched_msg       -       F       
> worker-2-18
>
> Looks like Bro seeing proper connection (SF) in conn.log enrty,
> and dns.log logging the query and response, the second log entry 
> above.
> I am unsure of the third entry above, corresponding to dns.log.
> Any reason, weird.log would log a dns_unmatched* log for this 
> connection?
>
> P.S: we have disabled the checksum offloading on the NIC.
>
> Any thoughts?
>
> Thanks!
> Fatema.


> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

--
Seth Hall * Corelight, Inc * www.corelight.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20171205/8c9ad832/attachment.html

More information about the Bro mailing list