[Zeek] duplicated intel logs DNS::IN_REQUEST

Palumbo Mauro mauro.palumbo at aizoon.it
Thu Oct 3 05:35:23 PDT 2019 

Hi everybody,

  I am having an issue with the intel.log file, I am getting duplicated lines for the same dns request such as:

#fields ts      uid     id.orig_h       id.orig_p       id.resp_h       id.resp_p       seen.indicator  seen.indicator_type     seen.where      seen.node       matched sources fuid    file_mime_type  file_desc       cif.tags        cif.confidence  cif.source      cif.description cif.firstseen   cif.lastseen
#types  time    string  addr    port    addr    port    string  enum    enum    string  set[enum]       set[string]     string  string  string  string  double  string  string  string  string
1570105259.197420       CP1BZx1QgzdPpfEyda      172.17.0.186    43283   172.16.1.10     53      opencalphad.com Intel::DOMAIN   DNS::IN_REQUEST worker-1        Intel::DOMAIN   0       -       -       -       -       85.0    -       -       -       -
1570105259.197420       CP1BZx1QgzdPpfEyda      172.17.0.186    43283   172.16.1.10     53      opencalphad.com Intel::DOMAIN   DNS::IN_REQUEST worker-1        Intel::DOMAIN   0       -       -       -       -       85.0    -       -       -       -
1570105259.207335       CJZASAQTB2qgPSYw7       172.17.0.186    59553   172.16.1.10     53      opencalphad.com Intel::DOMAIN   DNS::IN_REQUEST worker-1        Intel::DOMAIN   0       -       -       -       -       85.0    -       -       -       -
1570105259.211927       CJZASAQTB2qgPSYw7       172.17.0.186    59553   172.16.1.10     53      opencalphad.com Intel::DOMAIN   DNS::IN_REQUEST worker-1        Intel::DOMAIN   0       -       -       -       -       85.0    -       -

As you can see, some lines are identical, same uid, same worker, same timestamp, etc...

>From my tests, it appears that the problem is not in the intel framework but possibly in the dns analyzer as the event "dns_request" is raised twice (in the same worker) even if the dns packet contains a single query. This happens in a cluster configuration. The manager then receives twice the event dns_request  and its intel framework matches it twice as well. Hence, two logs... As far as I read in the doc, the event "dns_request" is raised more than once if the dns packet contains multiple queries, but this doesn't seem to be the case here.

I have the same issue on different machines and I tried both bro v.2.6.1 and latest zeek from github.

Does anyone have a clue about what is happening?

Thanks,
Mauro
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20191003/bd334737/attachment.html

More information about the Zeek mailing list