[Bro] DNS Unmatched msg/reply

fatema bannatwala fatema.bannatwala at gmail.com
Tue Dec 5 09:23:10 PST 2017


Ah, that makes sense. Thanks Seth!
We get a lot of weirds too corresponding to dns_unmatched messages every day.
Good to know that they will be going away soon in the next major release of Bro :)

Thanks!
Fatema.

On Tue, Dec 5, 2017 at 8:56 AM, Seth Hall <seth at corelight.com> wrote:

> It looks like you got two replies from a single query. This tends to
> happen frequently in DNS traffic unfortunately and I think it's correct to
> log the second reply. The main problem that I've seen on my networks is the
> weirds that are being generated. I'm planning to get rid of
> dns_unmatched_msg and dns_unmatched_reply for the 2.6 release. They don't
> actually tell you much and they both indicate far too common situations to
> be useful.
>
> .Seth
>
> On 4 Dec 2017, at 13:44, fatema bannatwala wrote:
>
> Hi All,
>
> I was looking into the Bro weird log file, and finally decided to spare
> some time tuning down the dns_unmatched_* messages in weird.log, as we
> usually get *many* of them.
>
> So to begin with, I first looked at the weird.log, grep-ed the very first
> entry for dns_unmatched_msg, and then grep-ed everything in *.log
> corresponding to that uid:
>
> $ less *.log | grep "CgOnko1s28TKjoaB07"
> 1512410399.813927  CgOnko1s28TKjoaB07  34.228.158.69  41438  128.175.13.16  53  udp  dns  0.003451  42  2638  SF  F  T  0  Dd  1  70  22694  (empty)  worker-2-18
> 1512410399.813927  CgOnko1s28TKjoaB07  34.228.158.69  41438  128.175.13.16  53  udp  22592  0.003411  dns1.udel.edu  1  C_INTERNET  1  A  0  NOERROR  T  F  F  F  1  128.175.13.16  86400.000000  F
> 1512410399.817378  CgOnko1s28TKjoaB07  34.228.158.69  41438  128.175.13.16  53  udp  22592  -  dns1.udel.edu  -  -  -  -  0  NOERROR  T  F  F  F  0  128.175.13.16  86400.000000  F
> 1512410399.817338  CgOnko1s28TKjoaB07  34.228.158.69  41438  128.175.13.16  53  DNS_RR_unknown_type  46  F  worker-2-18
> 1512410399.817378  CgOnko1s28TKjoaB07  34.228.158.69  41438  128.175.13.16  53  dns_unmatched_reply  -  F  worker-2-18
> 1512410409.813946  CgOnko1s28TKjoaB07  34.228.158.69  41438  128.175.13.16  53  dns_unmatched_msg  -  F  worker-2-18
>
> Looks like Bro is seeing a proper connection (SF) in the conn.log entry,
> and dns.log is logging the query and response (the second log entry above).
> I am unsure of the third entry above, corresponding to dns.log.
> Any reason weird.log would log a dns_unmatched* entry for this connection?
>
> P.S: we have disabled the checksum offloading on the NIC.
>
> Any thoughts?
>
> Thanks!
> Fatema.
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
> --
> Seth Hall * Corelight, Inc * www.corelight.com
>
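Added example, not part of the thread above and not Bro's own configuration: a local Bro script that does the tuning Fatema set out to do, silencing just the two dns_unmatched_* weirds while leaving every other weird at its default. It assumes the Bro 2.5 weird framework (base/frameworks/notice/weird.bro), where the per-name behaviour is the redef-able table Weird::actions, and it assumes that the default action for these two names is Weird::ACTION_LOG_PER_ORIG; check your installed weird.bro if that differs.

```bro
# Added example (not from the thread): quiet the two DNS weirds that are
# flooding weird.log, without touching any other weird name.
#
# Assumptions (Bro 2.5):
#   - Weird::actions is a table[string] of Weird::Action, &redef-able,
#     living in base/frameworks/notice/weird.bro.
#   - Both names below default to Weird::ACTION_LOG_PER_ORIG, which is why
#     every distinct originating host produces a fresh weird.log line.
#
# Load this from local.bro (e.g. @load ./tune-dns-weirds), then run
# `broctl check` and `broctl deploy`.

# Only the listed names change. DNS_RR_unknown_type, seen on the same
# connection in the grep output, keeps its default and is still logged.
redef Weird::actions += {
	["dns_unmatched_msg"]   = Weird::ACTION_IGNORE,
	["dns_unmatched_reply"] = Weird::ACTION_IGNORE,
};

# Less drastic alternative if you still want one breadcrumb in weird.log:
# log each name once for the whole run instead of once per originator.
# Use either this block or the one above for a given name, not both.
#
# redef Weird::actions += {
# 	["dns_unmatched_msg"]   = Weird::ACTION_LOG_ONCE,
# 	["dns_unmatched_reply"] = Weird::ACTION_LOG_ONCE,
# };
```

After deploying, `grep -c dns_unmatched weird.log` on a fresh log should drop to zero (or to one line per name with the ACTION_LOG_ONCE variant). Note that this only suppresses the weird.log noise; dns.log still records both replies for the query, which is the behaviour Seth describes as correct.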