[Bro] Lots of dns_unmatched_msg, dns_unmatched_reply in weird.log
Lincy Taylor
lc.taylor at protonmail.com
Wed Jan 25 17:23:02 PST 2017
Hello James,
I finally found the root cause with your provided parameters running bro. The error was due to the offloading of checksumming to adapter on my local system while the traffic was captured, which is already mentioned on bro's website[1]. So many thanks for your help!
1. https://www.bro.org/documentation/faq.html#why-isn-t-bro-producing-the-logs-i-expect-a-note-about-checksums
Lincy
Sent with [ProtonMail](https://protonmail.com) Secure Email.
-------- Original Message --------
Subject: Re: [Bro] Lots of dns_unmatched_msg, dns_unmatched_reply in weird.log
Local Time: 2017年1月25日 8:05 晚上
UTC Time: 2017年1月25日 中午12點05分
From: jlay at slave-tothe-box.net
To: bro at bro.org
On Wed, 2017-01-25 at 03:32 -0500, Lincy Taylor wrote:
Hello all:
I recently found lots of "dns_unmatched_msg" and "dns_unmatched_reply" errors in weird.log of Bro, which likes the following:
1485331604.840044 CSdHx91xFbEKdyo3Pi 172.16.185.11 40721 8.8.8.8 53 dns_unmatched_reply - F bro
1485331609.712570 Cw4TXS1DvS49mvRtN4 172.16.185.11 58915 8.8.8.8 53 dns_unmatched_reply - F bro
1485331619.101223 CSdHx91xFbEKdyo3Pi 172.16.185.11 40721 8.8.8.8 53 dns_unmatched_msg - F bro
1485331619.115208 CGwJfm35oSWSuMdVS6 172.16.185.11 50308 8.8.8.8 53 dns_unmatched_reply - F bro
1485331619.115208 Cw4TXS1DvS49mvRtN4 172.16.185.11 58915 8.8.8.8 53 dns_unmatched_msg - F bro
1485331619.115208 CGwJfm35oSWSuMdVS6 172.16.185.11 50308 8.8.8.8 53 dns_unmatched_msg - F bro
I used tcpdump to create a traffic dump of several dns queries made by dig on ubuntu to 8.8.8.8 and analyzed by "bro -r", the errors are still there in weird.log. The errors seems to be related to an unmatch of query id of query and response messages according to snippet in "share/bro/base/protocols/dns/main.bro". But I found the query ids are consistent with each of DNS query and response by tracing the traffic dump in wireshark.
Has anyone experienced the same issue before?
I attached the log files and pcap file within this message, please help me to find out the root cause. Thank you!
Sent with [ProtonMail](https://protonmail.com) Secure Email.
_______________________________________________ Bro mailing list bro at bro-ids.org http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
Make sure you set your local net to include the 172 net. As a test on the pcap I ran:
bro -C -r pcaps/dns_8.8.8.8.pcap local "Site::local_nets += { 172.16.0.0/12 }"
This gets me conn and dns, but no weird log.
James
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170125/0de8ecb0/attachment.html
More information about the Bro
mailing list