[Bro] DNS Unmatched msg/reply
Seth Hall
seth at corelight.com
Tue Dec 5 05:56:23 PST 2017
It looks like you got two replies from a single query. This tends to
happen frequently in DNS traffic unfortunately and I think it's correct
to log the second reply. The main problem that I've seen on my networks
is the weirds that are being generated. I'm planning to get rid of
dns_unmatched_msg and dns_unmatched_reply for the 2.6 release. They
don't actually tell you much and they both indicate far too common
situations to be useful.
.Seth
On 4 Dec 2017, at 13:44, fatema bannatwala wrote:
> Hi All,
>
> I was looking into the bro weird log file, and finally decided to spare
> some time tuning down the dns_unmatched_* messages in weird.log, as we
> usually get *many* of them.
>
> So to begin with, first I looked at the weird.log, grep-ed the very first
> entry for dns_unmatched_msg, and then grep-ed everything in *.log
> corresponding to that uid:
>
> $ less *.log | grep "CgOnko1s28TKjoaB07"
> 1512410399.813927 CgOnko1s28TKjoaB07 34.228.158.69 41438 128.175.13.16 53 udp dns 0.003451 42 2638 SF F T 0 Dd 1 70 22694 (empty) worker-2-18
> 1512410399.813927 CgOnko1s28TKjoaB07 34.228.158.69 41438 128.175.13.16 53 udp 22592 0.003411 dns1.udel.edu 1 C_INTERNET 1 A 0 NOERROR T F F F 1 128.175.13.16 86400.000000 F
> 1512410399.817378 CgOnko1s28TKjoaB07 34.228.158.69 41438 128.175.13.16 53 udp 22592 - dns1.udel.edu - - - - 0 NOERROR T F F F 0 128.175.13.16 86400.000000 F
> 1512410399.817338 CgOnko1s28TKjoaB07 34.228.158.69 41438 128.175.13.16 53 DNS_RR_unknown_type 46 F worker-2-18
> 1512410399.817378 CgOnko1s28TKjoaB07 34.228.158.69 41438 128.175.13.16 53 dns_unmatched_reply - F worker-2-18
> 1512410409.813946 CgOnko1s28TKjoaB07 34.228.158.69 41438 128.175.13.16 53 dns_unmatched_msg - F worker-2-18
>
> Looks like Bro is seeing a proper connection (SF) in the conn.log entry,
> and dns.log is logging the query and response, the second log entry
> above.
> I am unsure of the third entry above, corresponding to dns.log.
> Any reason weird.log would log a dns_unmatched* entry for this
> connection?
>
> P.S: we have disabled the checksum offloading on the NIC.
>
> Any thoughts?
>
> Thanks!
> Fatema.
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
--
Seth Hall * Corelight, Inc * www.corelight.com
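The triage Fatema did by hand (grep the logs by uid, then compare the dns.log records against the weirds) can be scripted. The following is an added example, not code from the thread or from Bro: it correlates dns.log and weird.log by uid and trans_id, flags query ids with more than one reply, checks whether the extra reply carried the same answers, and measures the gaps between the records. The log lines are constructed from the values quoted above with a reduced column set; the column names and the 10-second state-timeout interpretation are my assumptions.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample records modelled on the thread's logs, with a reduced
# column set (real Bro logs are tab-separated and carry many more fields):
#   dns.log:   ts uid trans_id rtt query answers
#   weird.log: ts uid name
DNS_LOG = """\
1512410399.813927 CgOnko1s28TKjoaB07 22592 0.003411 dns1.udel.edu 128.175.13.16
1512410399.817378 CgOnko1s28TKjoaB07 22592 - dns1.udel.edu 128.175.13.16
"""
WEIRD_LOG = """\
1512410399.817378 CgOnko1s28TKjoaB07 dns_unmatched_reply
1512410409.813946 CgOnko1s28TKjoaB07 dns_unmatched_msg
"""

def parse(text, fields):
    """Split whitespace-delimited records into dicts keyed by field name."""
    return [dict(zip(fields, ln.split())) for ln in text.splitlines() if ln.strip()]

def duplicate_replies(dns_text, weird_text):
    """For each (uid, trans_id) that appears more than once in dns.log, summarise
    the extra replies and the weirds Bro raised for that connection."""
    dns = parse(dns_text, ["ts", "uid", "trans_id", "rtt", "query", "answers"])
    weird_by_uid = defaultdict(list)
    for w in parse(weird_text, ["ts", "uid", "name"]):
        weird_by_uid[w["uid"]].append(w)
    by_key = defaultdict(list)
    for r in dns:
        by_key[(r["uid"], r["trans_id"])].append(r)
    report = {}
    for (uid, tid), recs in by_key.items():
        if len(recs) < 2:
            continue
        recs.sort(key=lambda r: Decimal(r["ts"]))
        first = Decimal(recs[0]["ts"])  # query time: matches the conn.log ts
        msg = [Decimal(w["ts"]) for w in weird_by_uid[uid] if w["name"] == "dns_unmatched_msg"]
        report[(uid, tid)] = {
            "records": len(recs),
            # rtt "-" marks a reply Bro could not pair with a pending query
            "unpaired": sum(r["rtt"] == "-" for r in recs),
            # identical answers point to a benign duplicate; a difference deserves a look
            "same_answers": len({r["answers"] for r in recs}) == 1,
            "weirds": sorted(w["name"] for w in weird_by_uid[uid]),
            "reply_gap": Decimal(recs[-1]["ts"]) - first,
            # query-to-dns_unmatched_msg gap; ~10 s here, which I assume is the
            # analyzer's per-query state expiring rather than new traffic
            "msg_gap": (msg[0] - first) if msg else None,
        }
    return report

if __name__ == "__main__":
    for key, summary in duplicate_replies(DNS_LOG, WEIRD_LOG).items():
        print(key, summary)
```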