[Zeek] duplicated intel logs DNS::IN_REQUEST

Seth Hall seth at corelight.com
Thu Oct 3 06:21:26 PDT 2019



On 3 Oct 2019, at 8:35, Palumbo Mauro wrote:

> 1570105259.207335  CJZASAQTB2qgPSYw7  172.17.0.186  59553  172.16.1.10  53  opencalphad.com  Intel::DOMAIN  DNS::IN_REQUEST  worker-1  Intel::DOMAIN  0  -  -  -  -  85.0  -  -  -  -
> 1570105259.211927  CJZASAQTB2qgPSYw7  172.17.0.186  59553  172.16.1.10  53  opencalphad.com  Intel::DOMAIN  DNS::IN_REQUEST  worker-1  Intel::DOMAIN  0  -  -  -  -  85.0  -  -
>
> As you can see, some lines are identical, same uid, same worker, same 
> timestamp, etc...

Would it be possible to grab a pcap that recreates this behavior?  
Certainly not the correct behavior and it sounds like you've thought 
through the potential issues pretty thoroughly already and I agree with 
your thoughts.  We might be at the point of just needing the PCAP to see 
what's causing it.

   .Seth

--
Seth Hall * Corelight, Inc * www.corelight.com
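A quick way to confirm the duplication Mauro describes before going after a pcap is to key the intel.log on the tuple that should be unique per hit (uid, seen.indicator, seen.where, seen.node) and flag records that repeat within a short window; the two quoted lines differ in ts by about 4.6 ms, so an exact timestamp match is too strict. The script below is an added example, not code from the thread or from the Zeek project. It assumes the default Zeek 3.x intel.log column order for the first ten fields (ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, seen.indicator, seen.indicator_type, seen.where, seen.node) and treats everything after them as deployment-specific. The first two sample records are the ones from the quoted log; the third and fourth are constructed to show a non-duplicate (different uid) and a same-uid hit at a different seen.where.

```python
"""Flag duplicated Intel::seen hits in a Zeek intel.log (added example, not Zeek code)."""
from collections import defaultdict

# Assumed layout of the leading intel.log columns (Zeek 3.x default); trailing
# columns such as matched/sources/fuid or vendor additions are kept as "extra".
FIELDS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
    "seen.indicator", "seen.indicator_type", "seen.where", "seen.node",
]

# Constructed sample: lines 1-2 are the records quoted in the thread, lines 3-4
# are made up (different uid; same uid but a DNS::IN_RESPONSE hit).
_ROWS = [
    ["1570105259.207335", "CJZASAQTB2qgPSYw7", "172.17.0.186", "59553", "172.16.1.10", "53",
     "opencalphad.com", "Intel::DOMAIN", "DNS::IN_REQUEST", "worker-1",
     "Intel::DOMAIN", "0", "-", "-", "-", "-", "85.0", "-", "-", "-", "-"],
    ["1570105259.211927", "CJZASAQTB2qgPSYw7", "172.17.0.186", "59553", "172.16.1.10", "53",
     "opencalphad.com", "Intel::DOMAIN", "DNS::IN_REQUEST", "worker-1",
     "Intel::DOMAIN", "0", "-", "-", "-", "-", "85.0", "-", "-"],
    ["1570105260.500000", "CxYz9Constructed1", "172.17.0.42", "41000", "172.16.1.10", "53",
     "opencalphad.com", "Intel::DOMAIN", "DNS::IN_REQUEST", "worker-2",
     "Intel::DOMAIN", "0", "-", "-", "-"],
    ["1570105259.300000", "CJZASAQTB2qgPSYw7", "172.17.0.186", "59553", "172.16.1.10", "53",
     "opencalphad.com", "Intel::DOMAIN", "DNS::IN_RESPONSE", "worker-1",
     "Intel::DOMAIN", "0", "-", "-", "-"],
]
SAMPLE_INTEL_LOG = "#fields\t" + "\t".join(FIELDS) + "\n" + \
    "\n".join("\t".join(r) for r in _ROWS) + "\n"


def parse_intel_log(text):
    """Parse TSV intel.log text into dicts; skips '#' header/footer lines."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        cols = line.split("\t")
        rec = dict(zip(FIELDS, cols[:len(FIELDS)]))
        rec["ts"] = float(rec["ts"])
        rec["extra"] = cols[len(FIELDS):]  # columns we do not interpret
        records.append(rec)
    return records


def find_duplicate_hits(records, window=1.0):
    """Return (key, ts_a, ts_b) for consecutive hits on the same
    (uid, indicator, where, node) that are at most `window` seconds apart."""
    groups = defaultdict(list)
    for r in records:
        key = (r["uid"], r["seen.indicator"], r["seen.where"], r["seen.node"])
        groups[key].append(r)
    dups = []
    for key, recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        for a, b in zip(recs, recs[1:]):
            if b["ts"] - a["ts"] <= window:
                dups.append((key, a["ts"], b["ts"]))
    return dups


def main():
    recs = parse_intel_log(SAMPLE_INTEL_LOG)
    for key, ts_a, ts_b in find_duplicate_hits(recs):
        uid, indicator, where, node = key
        print(f"duplicate hit: uid={uid} indicator={indicator} where={where} "
              f"node={node} delta={ts_b - ts_a:.6f}s")


if __name__ == "__main__":
    main()
```

Run it against a real file with `parse_intel_log(open("intel.log").read())`; if hits keep coming in pairs from one worker a few milliseconds apart, that is the pattern to reproduce from the pcap rather than a cluster-wide artifact of two workers seeing the same flow.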
