[Bro] Lots of dns_unmatched_msg, dns_unmatched_reply in weird.log

James Lay jlay at slave-tothe-box.net
Thu Jan 26 08:14:20 PST 2017 

Glad you found the source of the issue...nice work!

James

On 2017-01-25 18:23, Lincy Taylor wrote:
> Hello James,
> 
>     I finally found the root cause with your provided parameters
> running bro. The error was due to the offloading of checksumming to
> adapter on my local system while the traffic was captured, which is
> already mentioned on bro's website[1].  So many thanks for your help!
> 
> 1.
> https://www.bro.org/documentation/faq.html#why-isn-t-bro-producing-the-logs-i-expect-a-note-about-checksums
> 
> Lincy
> 
> Sent with ProtonMail [1] Secure Email.
> 
>> -------- Original Message --------
>> 
>> Subject: Re: [Bro] Lots of dns_unmatched_msg, dns_unmatched_reply in
>> weird.log
>> 
>> Local Time: 2017年1月25日 8:05 晚上
>> 
>> UTC Time: 2017年1月25日 中午12點05分
>> 
>> From: jlay at slave-tothe-box.net
>> 
>> To: bro at bro.org
>> 
>> On Wed, 2017-01-25 at 03:32 -0500, Lincy Taylor wrote:
>> 
>>> Hello all:
>>> 
>>> I recently found lots of "dns_unmatched_msg" and
>>> "dns_unmatched_reply" errors in weird.log of Bro, which likes the
>>> following:
>>> 
>>> 1485331604.840044       CSdHx91xFbEKdyo3Pi      172.16.185.11
>>> 40721   8.8.8.8 53      dns_unmatched_reply     -       F
>>> bro
>>> 
>>> 1485331609.712570       Cw4TXS1DvS49mvRtN4      172.16.185.11
>>> 58915   8.8.8.8 53      dns_unmatched_reply     -       F
>>> bro
>>> 
>>> 1485331619.101223       CSdHx91xFbEKdyo3Pi      172.16.185.11
>>> 40721   8.8.8.8 53      dns_unmatched_msg       -       F
>>> bro
>>> 
>>> 1485331619.115208       CGwJfm35oSWSuMdVS6      172.16.185.11
>>> 50308   8.8.8.8 53      dns_unmatched_reply     -       F
>>> bro
>>> 
>>> 1485331619.115208       Cw4TXS1DvS49mvRtN4      172.16.185.11
>>> 58915   8.8.8.8 53      dns_unmatched_msg       -       F
>>> bro
>>> 
>>> 1485331619.115208       CGwJfm35oSWSuMdVS6      172.16.185.11
>>> 50308   8.8.8.8 53      dns_unmatched_msg       -       F
>>> bro
>>> 
>>> I used tcpdump to create a traffic dump of several dns queries
>>> made by dig on ubuntu to 8.8.8.8 and analyzed by "bro -r", the
>>> errors are still there in weird.log. The errors seems to be
>>> related to an unmatch of query id of query and response messages
>>> according to snippet in "share/bro/base/protocols/dns/main.bro".
>>> But I found the query ids are consistent with each of DNS query
>>> and response by tracing the traffic dump in wireshark.
>>> 
>>> Has anyone experienced the same issue before?
>>> 
>>> I attached the log files and pcap file within this message, please
>>> help me to find out the root cause. Thank you!
>>> 
>>> Sent with ProtonMail [1] Secure Email.
>>> 
>>> _______________________________________________
>>> Bro mailing list
>>> bro at bro-ids.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>> 
>> Make sure you set your local net to include the 172 net.  As a test
>> on the pcap I ran:
>> 
>> bro -C -r pcaps/dns_8.8.8.8.pcap local "Site::local_nets += {
>> 172.16.0.0/12 }"
>> 
>> This gets me conn and dns, but no weird log.
>> 
>> James
> 
> 
> 
> Links:
> ------
> [1] https://protonmail.com
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

More information about the Bro mailing list