[Zeek] R: duplicated intel logs DNS::IN_REQUEST

Palumbo Mauro mauro.palumbo at aizoon.it
Thu Oct 3 07:14:06 PDT 2019


It turned out that there is an issue in our network and we are in fact getting duplicated dns packets on the span port...

So bro sees only one dns session in dns.log (and only one uid in conn.log), but the event dns_request is raised more than once and hence we get multiple intel matches.

Thanks and sorry for the false alarm...

Mauro

-----Original Message-----
From: Seth Hall [mailto:seth at corelight.com]
Sent: Thursday 3 October 2019 15:21
To: Palumbo Mauro <mauro.palumbo at aizoon.it>
Cc: zeek <zeek at zeek.org>
Subject: Re: [Zeek] duplicated intel logs DNS::IN_REQUEST



On 3 Oct 2019, at 8:35, Palumbo Mauro wrote:

> 1570105259.207335       CJZASAQTB2qgPSYw7       172.17.0.186    59553   172.16.1.10     53      opencalphad.com Intel::DOMAIN   DNS::IN_REQUEST worker-1        Intel::DOMAIN   0       -       -       -       -       85.0    -       -       -       -
> 1570105259.211927       CJZASAQTB2qgPSYw7       172.17.0.186    59553   172.16.1.10     53      opencalphad.com Intel::DOMAIN   DNS::IN_REQUEST worker-1        Intel::DOMAIN   0       -       -       -       -       85.0    -       -
>
> As you can see, some lines are identical, same uid, same worker, same 
> timestamp, etc...

Would it be possible to grab a pcap that recreates this behavior?  
Certainly not the correct behavior and it sounds like you've thought through the potential issues pretty thoroughly already and I agree with your thoughts.  We might be at the point of just needing the PCAP to see what's causing it.

   .Seth

--
Seth Hall * Corelight, Inc * www.corelight.com
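The diagnosis in this thread (one conn uid, several Intel::match entries a few milliseconds apart) can be checked directly from intel.log before anyone goes looking for a Zeek bug. The script below is an added example and not code from the thread or from the Zeek project: it parses intel.log rows in the default column order (ts, uid, id.*, seen.indicator, seen.indicator_type, seen.where, seen.node, which is the order of the rows quoted above), groups matches by uid, indicator and location, and flags groups whose timestamps sit within a short window. The sample log is constructed from the two rows quoted above plus two rows of my own; the 100 ms window is an assumption chosen because a resolver re-sending a query after a timeout takes a second or more, while a duplicated SPAN/TAP feed delivers the copy within milliseconds.

```python
"""Flag repeated Intel::match entries that share uid, indicator and location.

Added example (not from the thread or from Zeek). A run of identical matches
on one uid, milliseconds apart, is the signature of duplicated packets on the
monitoring feed rather than of the intel framework misbehaving.
"""
from collections import defaultdict

# Default intel.log leading columns (Zeek ASCII writer). Rows in the real log
# carry further columns (matched, sources, fuid, ...) which are ignored here.
COLUMNS = ("ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
           "seen.indicator", "seen.indicator_type", "seen.where", "seen.node")

# Constructed sample: the two rows quoted in the thread, one unrelated match,
# and one legitimate repeat of the same indicator on a different connection.
SAMPLE_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tseen.indicator\tseen.indicator_type\tseen.where\tseen.node
1570105259.207335\tCJZASAQTB2qgPSYw7\t172.17.0.186\t59553\t172.16.1.10\t53\topencalphad.com\tIntel::DOMAIN\tDNS::IN_REQUEST\tworker-1
1570105259.211927\tCJZASAQTB2qgPSYw7\t172.17.0.186\t59553\t172.16.1.10\t53\topencalphad.com\tIntel::DOMAIN\tDNS::IN_REQUEST\tworker-1
1570105260.000000\tCabc123constructed\t172.17.0.50\t40000\t172.16.1.10\t53\tbad.example\tIntel::DOMAIN\tDNS::IN_REQUEST\tworker-2
1570105320.500000\tCdef456constructed\t172.17.0.186\t59554\t172.16.1.10\t53\topencalphad.com\tIntel::DOMAIN\tDNS::IN_REQUEST\tworker-1
"""


def parse_intel_log(text):
    """Parse tab-separated intel.log rows into dicts keyed by COLUMNS.

    Lines starting with '#' are the Zeek header/footer and are skipped.
    '-' is Zeek's unset marker and is kept verbatim. Rows shorter than
    COLUMNS are skipped rather than guessed at.
    """
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < len(COLUMNS):
            continue
        rec = dict(zip(COLUMNS, fields))
        rec["ts"] = float(rec["ts"])
        records.append(rec)
    return records


def find_duplicate_matches(records, window_s=0.1):
    """Return groups of matches sharing (uid, indicator, where) whose timestamps
    all fall within window_s seconds.

    The window (assumed 100 ms) separates feed duplication from a real client
    retry: a resolver retransmits after a timeout of a second or more, whereas
    a duplicated SPAN/TAP copy of the same datagram arrives within milliseconds.
    """
    groups = defaultdict(list)
    for rec in records:
        groups[(rec["uid"], rec["seen.indicator"], rec["seen.where"])].append(rec["ts"])
    dups = []
    for (uid, indicator, where), stamps in groups.items():
        if len(stamps) < 2:
            continue
        spread = max(stamps) - min(stamps)
        if spread <= window_s:
            dups.append({"uid": uid, "indicator": indicator, "where": where,
                         "count": len(stamps), "spread_ms": spread * 1000.0})
    dups.sort(key=lambda d: (d["uid"], d["indicator"]))
    return dups


def duplication_summary(records, window_s=0.1):
    """Count how many logged matches are near-instant repeats.

    Repeats spread across many uids and workers point at the monitoring feed
    (SPAN/TAP) delivering packets twice, not at one odd connection.
    """
    dups = find_duplicate_matches(records, window_s)
    repeats = sum(d["count"] - 1 for d in dups)
    return {"matches": len(records), "repeats": repeats,
            "repeat_ratio": repeats / len(records) if records else 0.0}


if __name__ == "__main__":
    recs = parse_intel_log(SAMPLE_LOG)
    for d in find_duplicate_matches(recs):
        print(f"{d['uid']} {d['indicator']} {d['where']}: "
              f"{d['count']} matches within {d['spread_ms']:.1f} ms")
    print(duplication_summary(recs))
```

Run it against a real intel.log by replacing SAMPLE_LOG with the file's contents; the query from the thread shows up as one group of two matches about 4.6 ms apart, while the same indicator seen a minute later on a different uid is correctly left alone. A non-trivial repeat ratio across many uids is the cue to check the SPAN or TAP configuration, which is where this thread ended up.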


