[Zeek] Re: duplicated intel logs DNS::IN_REQUEST
Palumbo Mauro
mauro.palumbo at aizoon.it
Thu Oct 3 07:14:06 PDT 2019
It turned out that there is an issue in our network and we are in fact getting duplicated dns packets on the span port...
So bro sees only one dns session in dns.log (and only one uid in conn.log), but the event dns_request is raised more than once and hence we get multiple intel matches.
Thanks and sorry for the false alarm...
Mauro
-----Original Message-----
From: Seth Hall [mailto:seth at corelight.com]
Sent: Thursday 3 October 2019 15:21
To: Palumbo Mauro <mauro.palumbo at aizoon.it>
Cc: zeek <zeek at zeek.org>
Subject: Re: [Zeek] duplicated intel logs DNS::IN_REQUEST
On 3 Oct 2019, at 8:35, Palumbo Mauro wrote:
> 1570105259.207335 CJZASAQTB2qgPSYw7 172.17.0.186 59553
> 172.16.1.10 53 opencalphad.com Intel::DOMAIN
> DNS::IN_REQUEST worker-1 Intel::DOMAIN 0 - -
> - - 85.0 - - - -
> 1570105259.211927 CJZASAQTB2qgPSYw7 172.17.0.186 59553
> 172.16.1.10 53 opencalphad.com Intel::DOMAIN
> DNS::IN_REQUEST worker-1 Intel::DOMAIN 0 - -
> - - 85.0 - -
>
> As you can see, some lines are identical, same uid, same worker, same
> timestamp, etc...
Would it be possible to grab a pcap that recreates this behavior?
Certainly not the correct behavior and it sounds like you've thought through the potential issues pretty thoroughly already and I agree with your thoughts. We might be at the point of just needing the PCAP to see what's causing it.
.Seth
--
Seth Hall * Corelight, Inc * www.corelight.com
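A small check that makes the diagnosis in this thread mechanical, added here as an example and not code from the thread or from the Zeek project: it reads intel.log lines, groups hits by (uid, indicator, seen.where), and flags groups that repeat within a short window, then cross-checks the number of DNS::IN_REQUEST hits per uid against the number of queries dns.log recorded for that uid. Note that the two quoted lines share a uid but their timestamps differ by a few milliseconds, so the grouping uses a time window rather than an exact timestamp match. The column order is assumed from the quoted lines (ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, seen.indicator, seen.indicator_type, seen.where, seen.node, ...); the third intel line and the dns.log excerpt are constructed sample data.

```python
"""Detect duplicated intel hits in Zeek intel.log, the symptom described in the
thread: one DNS session (one uid in conn.log / dns.log) but several identical
intel matches because the same DNS packet reached the sensor more than once.

Added example, not code from the thread or from the Zeek project. Assumed
intel.log column order (from the quoted lines, whitespace separated):
ts uid id.orig_h id.orig_p id.resp_h id.resp_p seen.indicator
seen.indicator_type seen.where seen.node ...   Trailing columns are ignored.
"""
from collections import Counter, defaultdict

# Constructed sample: the two duplicated lines quoted in the thread plus one
# ordinary single hit (the third line's uid and indicator are made up).
INTEL_LOG = """\
1570105259.207335 CJZASAQTB2qgPSYw7 172.17.0.186 59553 172.16.1.10 53 opencalphad.com Intel::DOMAIN DNS::IN_REQUEST worker-1 Intel::DOMAIN 0 - - - - 85.0 - - - -
1570105259.211927 CJZASAQTB2qgPSYw7 172.17.0.186 59553 172.16.1.10 53 opencalphad.com Intel::DOMAIN DNS::IN_REQUEST worker-1 Intel::DOMAIN 0 - - - - 85.0 - -
1570105300.000000 CexampleUid000001 172.17.0.187 41000 172.16.1.10 53 example.invalid Intel::DOMAIN DNS::IN_REQUEST worker-1 Intel::DOMAIN 0 - - - - 85.0 - - - -
"""

# Constructed dns.log excerpt, reduced to (ts, uid, query): one query per uid.
DNS_LOG = """\
1570105259.207335 CJZASAQTB2qgPSYw7 opencalphad.com
1570105300.000000 CexampleUid000001 example.invalid
"""


def parse_intel(text):
    """Return a list of dicts, one per non-comment intel.log line."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 10:
            continue  # malformed or truncated line: skip rather than guess
        rows.append({"ts": float(f[0]), "uid": f[1], "indicator": f[6],
                     "where": f[8], "node": f[9]})
    return rows


def find_duplicate_hits(rows, window=1.0):
    """Group hits by (uid, indicator, where). A group with more than one hit
    whose timestamps all fall within `window` seconds is reported as a
    duplicate: one connection matching the same indicator in the same place
    that often is not expected. Returns {(uid, indicator, where): [ts, ...]}."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["uid"], r["indicator"], r["where"])].append(r["ts"])
    return {key: sorted(tss) for key, tss in groups.items()
            if len(tss) > 1 and max(tss) - min(tss) <= window}


def dns_query_counts(text):
    """Count dns.log entries per uid (column 2 of the reduced excerpt)."""
    counts = Counter()
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 3 and not line.startswith("#"):
            counts[f[1]] += 1
    return counts


def excess_hits_per_uid(rows, dns_counts):
    """Return {uid: (intel_hits, dns_queries)} for uids whose DNS::IN_REQUEST
    intel hits outnumber the queries dns.log recorded for that uid. That is the
    thread's situation: dns_request fired more often than queries were logged,
    which points at duplicated packets arriving on the tap / SPAN port."""
    hits = Counter(r["uid"] for r in rows if r["where"] == "DNS::IN_REQUEST")
    return {uid: (n, dns_counts.get(uid, 0))
            for uid, n in hits.items() if n > dns_counts.get(uid, 0)}


if __name__ == "__main__":
    rows = parse_intel(INTEL_LOG)
    for key, tss in find_duplicate_hits(rows).items():
        print("duplicate hit", key, "spread %.6fs" % (tss[-1] - tss[0]))
    for uid, (hits, queries) in excess_hits_per_uid(rows, dns_query_counts(DNS_LOG)).items():
        print("uid %s: %d intel hits but %d dns.log queries" % (uid, hits, queries))
```

Run against real logs, the second check is the more useful one: a duplicate-packet problem on the monitoring link shows up as intel hits per uid exceeding dns.log queries per uid across many connections, whereas a genuine repeated query from the same socket would also appear as extra dns.log entries.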