[Bro] Lots of dns_unmatched_msg, dns_unmatched_reply in weird.log

Lincy Taylor lc.taylor at protonmail.com
Wed Jan 25 00:32:37 PST 2017


Hello all:

I recently found lots of "dns_unmatched_msg" and "dns_unmatched_reply" errors in the weird.log of Bro, which look like the following:

1485331604.840044 CSdHx91xFbEKdyo3Pi 172.16.185.11 40721 8.8.8.8 53 dns_unmatched_reply - F bro
1485331609.712570 Cw4TXS1DvS49mvRtN4 172.16.185.11 58915 8.8.8.8 53 dns_unmatched_reply - F bro
1485331619.101223 CSdHx91xFbEKdyo3Pi 172.16.185.11 40721 8.8.8.8 53 dns_unmatched_msg - F bro
1485331619.115208 CGwJfm35oSWSuMdVS6 172.16.185.11 50308 8.8.8.8 53 dns_unmatched_reply - F bro
1485331619.115208 Cw4TXS1DvS49mvRtN4 172.16.185.11 58915 8.8.8.8 53 dns_unmatched_msg - F bro
1485331619.115208 CGwJfm35oSWSuMdVS6 172.16.185.11 50308 8.8.8.8 53 dns_unmatched_msg - F bro

I used tcpdump to create a traffic dump of several DNS queries made by dig on Ubuntu to 8.8.8.8 and analyzed it with "bro -r"; the errors are still there in weird.log. The errors seem to be related to a mismatch between the query IDs of the query and response messages, according to the snippet in "share/bro/base/protocols/dns/main.bro". But I found the query IDs are consistent for each DNS query and response when tracing the traffic dump in Wireshark.

Has anyone experienced the same issue before?

I attached the log files and the pcap file to this message; please help me find the root cause. Thank you!



Sent with [ProtonMail](https://protonmail.com) Secure Email.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dns_8.8.8.8.pcap
Type: application/vnd.tcpdump.pcap
Size: 796 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170125/f13b93ef/attachment.bin 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dns.log
Type: text/x-log
Size: 1027 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170125/f13b93ef/attachment-0001.bin 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: weird.log
Type: text/x-log
Size: 939 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170125/f13b93ef/attachment-0002.bin 
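The check the poster did by hand in Wireshark, as an added example that is not part of the original post and not Bro's own code: replay the UDP/53 datagrams of a capture, pair each reply with a pending query on the same connection by its 16-bit transaction ID, and report replies with no pending query ("dns_unmatched_reply") and queries that never get a reply ("dns_unmatched_msg"). The pairing rule is a simplification of what base/protocols/dns/main.bro does; the exact conditions Bro applies are in that script. The addresses, ports and transaction IDs in the sample are constructed.

```python
"""Added example: correlate DNS queries and replies by (connection, txid).
Not the original poster's code and not Bro's; a simplified model of the
pairing done in base/protocols/dns/main.bro."""
import struct
from collections import namedtuple

# One UDP datagram carrying a DNS message.  All sample data is constructed.
Msg = namedtuple("Msg", "ts src sport dst dport payload")


def parse_header(payload):
    """Return (txid, is_response) from the fixed 12-byte DNS header."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", payload[:4])
    return txid, bool(flags & 0x8000)          # QR bit: 1 = response


def build_header(txid, response):
    """Build a minimal 12-byte header (RD set, one question, no records)."""
    flags = 0x0100 | (0x8000 if response else 0)
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)


def correlate(msgs):
    """Replay msgs in time order.  Returns (pairs, weird); weird holds
    (ts, name, key) tuples named after the weird.log entries."""
    pending = {}    # (client, cport, server, sport, txid) -> query ts
    pairs, weird = [], []
    for m in sorted(msgs, key=lambda m: m.ts):
        txid, is_resp = parse_header(m.payload)
        if not is_resp:
            key = (m.src, m.sport, m.dst, m.dport, txid)
            if key in pending:   # same ID reused before a reply arrived
                weird.append((pending[key], "dns_unmatched_msg", key))
            pending[key] = m.ts
        else:
            # Flip the tuple so the reply's key equals its query's key.
            key = (m.dst, m.dport, m.src, m.sport, txid)
            q_ts = pending.pop(key, None)
            if q_ts is None:
                weird.append((m.ts, "dns_unmatched_reply", key))
            else:
                pairs.append((q_ts, m.ts, key))
    # Queries that never saw a reply on their connection.
    for key, q_ts in pending.items():
        weird.append((q_ts, "dns_unmatched_msg", key))
    return pairs, weird


# Constructed sample: one clean exchange, one reply whose ID does not match
# the outstanding query, and one query that is never answered.
CLIENT, SERVER = "172.16.185.11", "8.8.8.8"
SAMPLE = [
    Msg(1485331604.83, CLIENT, 40721, SERVER, 53, build_header(0x1A2B, False)),
    Msg(1485331604.84, SERVER, 53, CLIENT, 40721, build_header(0x1A2B, True)),
    Msg(1485331609.70, CLIENT, 58915, SERVER, 53, build_header(0x3C4D, False)),
    Msg(1485331609.71, SERVER, 53, CLIENT, 58915, build_header(0x9999, True)),
    Msg(1485331619.10, CLIENT, 50308, SERVER, 53, build_header(0x5E6F, False)),
]

if __name__ == "__main__":
    pairs, weird = correlate(SAMPLE)
    for q_ts, r_ts, key in pairs:
        print("matched  txid=0x%04x  rtt=%.3fs" % (key[4], r_ts - q_ts))
    for ts, name, key in weird:
        print("%.6f %s:%d -> %s:%d %s txid=0x%04x"
              % (ts, key[0], key[1], key[2], key[3], name, key[4]))
```

To run this over a real capture such as the attached dns_8.8.8.8.pcap, build the Msg records from the UDP/53 payloads with a pcap library (dpkt or scapy). The same comparison can be eyeballed without any code using tshark: `tshark -r dns_8.8.8.8.pcap -T fields -e frame.time_epoch -e udp.srcport -e dns.id -e dns.flags.response` lists the transaction ID and QR flag per packet, so a reply whose dns.id has no preceding query on the same source port stands out immediately.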
