[Bro] Bro and Fragmentation.
fatema bannatwala
fatema.bannatwala at gmail.com
Mon Aug 13 09:00:13 PDT 2018
Hi All,
Recently I was troubleshooting some fragmentation occurring in UDP DNS
responses from our DNS servers, because of packet size > 1500 bytes.
The responses are completely valid, including 13 additional RRs with 7
authoritative records, hence exceeding the normal size of the packet and
getting fragmented into two packets.
When I grep'ed the connection from the dns.log file in Bro, it appeared that Bro
logged two connections for the single fragmented DNS response:
2018-08-13T10:16:40-0400 C42pXn2GRPxmh8JRBd 74.220.198.174 19401 128.175.13.16 53 udp 34754 - upenn.edu 1 C_INTERNET 15 MX - - F F F F 1 - - F - -
2018-08-13T10:16:40-0400 CsFVfL2czxAmhLprqj 74.220.198.174 19401 128.175.13.16 53 udp 34754 - upenn.edu - - - - 0 NOERROR T F F F 0 cluster5a.us.messagelabs.com,cluster5.us.messagelabs.com,<unknown type=46> 900.000000,900.000000,900.000000 F dns1.udel.edu,dns2.udel.edu,adns1.upenn.edu,sns-pb.isc.org,<unknown type=46>,adns3.upenn.edu,adns2.upenn.edu 128.91.254.22,2607:f470:1002::2:3,2607:f470:1003::3:c,<unknown type=46>,128.91.251.33,2607:f470:1001::1:a,128.91.3.128
I verified the transaction ID (34754) against the one in the pcap capture of
the same traffic from the firewall and was curious to know how Bro deals
with fragment reassembly and logging.
Any thoughts?
Thanks!
Fatema.
P.S: I can provide the pcap capture to the corresponding connection
mentioned above.
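Added example, not Bro's code and not from the poster: a minimal IPv4 fragmenter and reassembler in Python showing what has to happen before a fragmented DNS reply like the one above can be matched to its UDP flow and transaction ID. Bro's core reassembles IP fragments before any protocol analyzer sees the packet; this script mimics that step on constructed packets. The addresses, ports and transaction ID 34754 come from the dns.log lines in the post; the IP ID (0x1234), the zero-padded DNS body, the RR counts in the header and the 1500-byte MTU are assumptions made for the example. The point to see is that only the first fragment carries the UDP header and the DNS transaction ID; the second fragment is tied to the exchange by nothing but (src, dst, IP ID, protocol), so any tool that inspects packets without reassembling them cannot attribute it to the DNS response at all.

```python
import socket
import struct
from typing import Dict, List, Optional, Tuple

MTU, IP_HDR_LEN, UDP_HDR_LEN = 1500, 20, 8   # assumed link MTU; no IP options
IPPROTO_UDP, IP_MF = 17, 0x2000               # IP_MF: "More Fragments" flag

def ipv4_checksum(hdr: bytes) -> int:
    # one's-complement sum over 16-bit words; a header carrying a valid checksum sums to 0
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, ident: int, proto: int, payload: bytes,
               offset_bytes: int, more_fragments: bool) -> bytes:
    # one IPv4 packet or fragment; the fragment offset is carried in 8-byte units
    flags_frag = (IP_MF if more_fragments else 0) | ((offset_bytes // 8) & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(payload), ident,
                      flags_frag, 64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload

def fragment_udp(src: str, dst: str, ident: int, sport: int, dport: int,
                 udp_payload: bytes, mtu: int = MTU) -> List[bytes]:
    # Wrap the payload in a UDP header, then split it into MTU-sized IP fragments.
    # Only the first fragment carries the UDP header; later ones are bare payload
    # bytes tied to the flow solely by (src, dst, IP ID, protocol).
    udp = struct.pack("!HHHH", sport, dport, UDP_HDR_LEN + len(udp_payload), 0) + udp_payload
    max_data = (mtu - IP_HDR_LEN) // 8 * 8   # non-final fragments must be 8-byte multiples
    frags, off = [], 0
    while off < len(udp):
        chunk = udp[off:off + max_data]
        frags.append(build_ipv4(src, dst, ident, IPPROTO_UDP, chunk, off, off + len(chunk) < len(udp)))
        off += len(chunk)
    return frags

def parse_ipv4(pkt: bytes) -> dict:
    # decode the fields a reassembler needs, rejecting a corrupted header
    ver_ihl, _, total_len, ident, flags_frag, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:IP_HDR_LEN])
    ihl = (ver_ihl & 0x0F) * 4
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ident": ident,
            "proto": proto, "mf": bool(flags_frag & IP_MF),
            "offset": (flags_frag & 0x1FFF) * 8, "payload": pkt[ihl:total_len]}

def fragment_has_udp_header(pkt: bytes) -> bool:
    # only the offset-0 fragment can be decoded by a per-packet UDP/DNS parser
    return parse_ipv4(pkt)["offset"] == 0

class Reassembler:
    """Reassembles IPv4 fragments keyed by (src, dst, IP ID, proto), in any arrival order."""

    def __init__(self) -> None:
        self.pending: Dict[Tuple[str, str, int, int], dict] = {}

    def feed(self, pkt: bytes) -> Optional[bytes]:
        # returns the full IP payload once every fragment has arrived, else None
        ip = parse_ipv4(pkt)
        if not ip["mf"] and ip["offset"] == 0:
            return ip["payload"]                     # never fragmented
        key = (ip["src"], ip["dst"], ip["ident"], ip["proto"])
        entry = self.pending.setdefault(key, {"chunks": {}, "total": None})
        entry["chunks"][ip["offset"]] = ip["payload"]
        if not ip["mf"]:                             # the last fragment fixes the total length
            entry["total"] = ip["offset"] + len(ip["payload"])
        if entry["total"] is None:
            return None
        buf, pos = b"", 0
        while pos < entry["total"]:                  # any hole means "not yet"
            chunk = entry["chunks"].get(pos)
            if chunk is None:
                return None
            buf, pos = buf + chunk, pos + len(chunk)
        del self.pending[key]
        return buf

def dns_trans_id(udp_datagram: bytes) -> Tuple[int, int, int]:
    # (sport, dport, DNS transaction ID) from a reassembled UDP datagram
    sport, dport, _, _ = struct.unpack("!HHHH", udp_datagram[:UDP_HDR_LEN])
    return sport, dport, struct.unpack("!H", udp_datagram[UDP_HDR_LEN:UDP_HDR_LEN + 2])[0]

def demo_fragments() -> List[bytes]:
    # Constructed reply 128.175.13.16:53 -> 74.220.198.174:19401 with trans_id 34754
    # (addresses, ports and ID from the post). The DNS body is a header, the "upenn.edu MX"
    # question and zero-byte filler standing in for the RR sections; the IP ID is made up.
    question = b"\x05upenn\x03edu\x00" + struct.pack("!HH", 15, 1)   # QTYPE MX, QCLASS IN
    dns = struct.pack("!HHHHHH", 34754, 0x8180, 1, 3, 7, 13) + question
    dns += b"\x00" * (1800 - len(dns))                                 # pad past one MTU
    return fragment_udp("128.175.13.16", "74.220.198.174", 0x1234, 53, 19401, dns)

if __name__ == "__main__":
    frags = demo_fragments()
    for i, f in enumerate(frags):
        print("fragment %d: %d bytes, UDP header present: %s" % (i, len(f), fragment_has_udp_header(f)))
    r = Reassembler()
    print("second fragment alone:", r.feed(frags[1]))   # None: nothing to attribute yet
    dgram = r.feed(frags[0])
    print("after both: %d bytes, (sport, dport, txid) = %s" % (len(dgram), dns_trans_id(dgram)))
```

Feeding the second fragment first returns None, and the 1808-byte datagram only appears once the offset-0 fragment arrives; a hole or a missing last fragment keeps the entry pending forever, so a real reassembler (Bro's included) also needs a per-fragment timeout and a policy for overlapping fragments, both left out here to keep the mechanism visible.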