[Zeek] Zeek/Bro DNS log missing type
Michael Gez
mgezz66 at gmail.com
Fri Aug 16 09:10:03 PDT 2019
Hi all,
I am using Zeek to run a PCAP and then parsing/processing the
generated logs to make sense of the traffic.
The issue I’m having is with the DNS parser. It is not always producing
what I’m expecting it to.
In particular, it doesn’t always parse the type from the DNS traffic PCAP,
which is one of the markers my code looks for.
If I look using Wireshark with the same PCAP I see that the type “A” is
present, as I would expect it to be.
However, the resulting Zeek dns.log is missing that field in particular.
I need Zeek to parse this type field out so I know to look into the domain
visited to make sure it is legitimate.
Are there any known issues with the DNS parser, or any known solutions to
this particular problem?
Here is an example generated by navigating to a webpage:
1565970799.068532 CK9bYM3SGJHwpPNW12 192.168.100.3 19024 192.168.100.1 53 udp 10896 - rl.ammyy.com - - - - 0 NOERROR F F F T 0 188.42.129.148 278.000000 F
To the best of my understanding, the field which is marked empty ("-"), 2
fields prior to the NOERROR field, should be "A".
This works for other instances of traffic I can find in PCAPs from the
internet, but not from the ones generated by me capturing local traffic
while navigating to the website.
Thank you!
P.S. If I left out any important information, please let me know so I can
include it; I'm still new to the IDS.
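As an added illustration (not part of the original post or of Zeek's own code), the parser below splits a dns.log record using the default tab-separated column order of Zeek's base DNS script and reports why qtype_name may be unset: in that script qclass/qtype are populated from the query message, so a record whose rtt is also "-" (as in the line above) is consistent with only the DNS response having been captured. The second sample line is constructed to show a complete query/response pair.

```python
# Added example: parse Zeek dns.log lines and diagnose an unset qtype field.
from typing import Optional

# Default dns.log column order in Zeek's base/protocols/dns script.
DNS_FIELDS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto",
    "trans_id", "rtt", "query", "qclass", "qclass_name", "qtype", "qtype_name",
    "rcode", "rcode_name", "AA", "TC", "RD", "RA", "Z", "answers", "TTLs", "rejected",
]
UNSET = "-"  # Zeek's default placeholder for a field that was never set

# The record from the post, re-joined with tabs as Zeek writes it.
POSTED_LINE = "\t".join([
    "1565970799.068532", "CK9bYM3SGJHwpPNW12", "192.168.100.3", "19024",
    "192.168.100.1", "53", "udp", "10896", "-", "rl.ammyy.com", "-", "-", "-", "-",
    "0", "NOERROR", "F", "F", "F", "T", "0", "188.42.129.148", "278.000000", "F",
])
# Constructed record (not from the post): same transaction with the query seen.
CONSTRUCTED_LINE = "\t".join([
    "1565970799.068532", "CK9bYM3SGJHwpPNW12", "192.168.100.3", "19024",
    "192.168.100.1", "53", "udp", "10896", "0.012345", "rl.ammyy.com", "1",
    "C_INTERNET", "1", "A", "0", "NOERROR", "F", "F", "T", "T", "0",
    "188.42.129.148", "278.000000", "F",
])


def parse_dns_line(line: str) -> dict:
    """Split one tab-separated dns.log record into a field -> value dict."""
    values = line.rstrip("\n").split("\t")
    if len(values) != len(DNS_FIELDS):
        raise ValueError(f"expected {len(DNS_FIELDS)} fields, got {len(values)}")
    return dict(zip(DNS_FIELDS, values))


def explain_missing_qtype(rec: dict) -> Optional[str]:
    """Return a diagnostic if qtype_name is unset, otherwise None.

    Zeek's default DNS script sets qclass/qtype when it handles the query and
    computes rtt from query to response, so both are unset when only the
    response was captured.
    """
    if rec["qtype_name"] != UNSET:
        return None
    if rec["rtt"] == UNSET:
        return "qtype unset and rtt unset: no query message seen for this transaction"
    return "qtype unset although a query was seen: inspect the capture and parser"


if __name__ == "__main__":
    for line in (POSTED_LINE, CONSTRUCTED_LINE):
        rec = parse_dns_line(line)
        print(rec["query"], rec["qtype_name"], explain_missing_qtype(rec))
```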