[Bro] Lots of dns_unmatched_msg, dns_unmatched_reply in weird.log
James Lay
jlay at slave-tothe-box.net
Wed Jan 25 04:05:14 PST 2017
On Wed, 2017-01-25 at 03:32 -0500, Lincy Taylor wrote:
> Hello all:
>
> I recently found lots of "dns_unmatched_msg" and
> "dns_unmatched_reply" errors in weird.log of Bro, which look like the
> following:
>
> 1485331604.840044 CSdHx91xFbEKdyo3Pi 172.16.185.11 40721 8.8.8.8 53 dns_unmatched_reply - F bro
> 1485331609.712570 Cw4TXS1DvS49mvRtN4 172.16.185.11 58915 8.8.8.8 53 dns_unmatched_reply - F bro
> 1485331619.101223 CSdHx91xFbEKdyo3Pi 172.16.185.11 40721 8.8.8.8 53 dns_unmatched_msg - F bro
> 1485331619.115208 CGwJfm35oSWSuMdVS6 172.16.185.11 50308 8.8.8.8 53 dns_unmatched_reply - F bro
> 1485331619.115208 Cw4TXS1DvS49mvRtN4 172.16.185.11 58915 8.8.8.8 53 dns_unmatched_msg - F bro
> 1485331619.115208 CGwJfm35oSWSuMdVS6 172.16.185.11 50308 8.8.8.8 53 dns_unmatched_msg - F bro
>
> I used tcpdump to create a traffic dump of several DNS queries made
> by dig on Ubuntu to 8.8.8.8 and analyzed it with "bro -r"; the errors
> are still there in weird.log. The errors seem to be related to a
> mismatch of the query IDs of query and response messages, according
> to the snippet in "share/bro/base/protocols/dns/main.bro". But I found
> the query IDs are consistent for each DNS query and response by
> tracing the traffic dump in Wireshark.
>
> Has anyone experienced the same issue before?
>
> I attached the log files and pcap file within this message, please
> help me find out the root cause. Thank you!
Make sure you set your local net to include the 172 net. As a test on
the pcap I ran:

bro -C -r pcaps/dns_8.8.8.8.pcap local "Site::local_nets += { 172.16.0.0/12 }"

This gets me conn and dns, but no weird log.
James
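To triage a weird.log like the one quoted above, here is an added Python example (not from this thread and not part of Bro) that parses Bro's default tab-separated weird.log layout and groups the dns_unmatched_* records by connection uid, showing which flows got a reply without a matching query and how far apart the two weirds were. The sample records are constructed from the ones quoted in the question; the field order assumed is the default weird.log column order.

```python
"""Group dns_unmatched_* records in a Bro weird.log by connection uid."""
from collections import defaultdict

# Constructed sample in Bro's default weird.log column order:
# ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
SAMPLE_WEIRD_LOG = "\n".join([
    "1485331604.840044\tCSdHx91xFbEKdyo3Pi\t172.16.185.11\t40721\t8.8.8.8\t53\tdns_unmatched_reply\t-\tF\tbro",
    "1485331609.712570\tCw4TXS1DvS49mvRtN4\t172.16.185.11\t58915\t8.8.8.8\t53\tdns_unmatched_reply\t-\tF\tbro",
    "1485331619.101223\tCSdHx91xFbEKdyo3Pi\t172.16.185.11\t40721\t8.8.8.8\t53\tdns_unmatched_msg\t-\tF\tbro",
    "1485331619.115208\tCGwJfm35oSWSuMdVS6\t172.16.185.11\t50308\t8.8.8.8\t53\tdns_unmatched_reply\t-\tF\tbro",
    "1485331619.115208\tCw4TXS1DvS49mvRtN4\t172.16.185.11\t58915\t8.8.8.8\t53\tdns_unmatched_msg\t-\tF\tbro",
    "1485331619.115208\tCGwJfm35oSWSuMdVS6\t172.16.185.11\t50308\t8.8.8.8\t53\tdns_unmatched_msg\t-\tF\tbro",
])

FIELDS = ["ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p",
          "name", "addl", "notice", "peer"]


def parse_weird_log(text):
    """Yield one dict per record, skipping '#' header lines and malformed rows."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue  # not a complete weird.log record
        rec = dict(zip(FIELDS, parts))
        rec["ts"] = float(rec["ts"])
        yield rec


def summarize_dns_weirds(text):
    """Map uid -> resolver, ordered weird names, and seconds between first and last weird."""
    by_uid = defaultdict(list)
    for rec in parse_weird_log(text):
        if rec["name"].startswith("dns_unmatched_"):
            by_uid[rec["uid"]].append(rec)
    summary = {}
    for uid, recs in by_uid.items():
        recs.sort(key=lambda r: r["ts"])  # stable, keeps log order on equal ts
        summary[uid] = {
            "resolver": f'{recs[0]["resp_h"]}:{recs[0]["resp_p"]}',
            "names": [r["name"] for r in recs],
            "span": round(recs[-1]["ts"] - recs[0]["ts"], 6),
        }
    return summary


if __name__ == "__main__":
    for uid, info in summarize_dns_weirds(SAMPLE_WEIRD_LOG).items():
        print(uid, info)
```

A flow whose first weird is dns_unmatched_reply means Bro saw the response but never processed the query, which is why checking the capture and analysis settings (as in the reply above) comes before suspecting the DNS IDs themselves.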