[Zeek] duplicated intel logs DNS::IN_REQUEST

Justin Azoff justin at corelight.com
Thu Oct 3 08:58:00 PDT 2019 

On Thu, Oct 3, 2019 at 8:38 AM Palumbo Mauro <mauro.palumbo at aizoon.it>
wrote:

> Hi everybody,
>
>
>
>   I am having an issue with the intel.log file, I am getting duplicated
> lines for the same dns request such as:
>
>
>
> #fields ts      uid     id.orig_h       id.orig_p       id.resp_h
> id.resp_p       seen.indicator  seen.indicator_type     seen.where
> seen.node       matched sources fuid    file_mime_type  file_desc
> cif.tags        cif.confidence  cif.source      cif.description
> cif.firstseen   cif.lastseen
>
> #types  time    string  addr    port    addr    port    string  enum
> enum    string  set[enum]       set[string]     string  string  string
> string  double  string  string  string  string
>
> 1570105259.197420       CP1BZx1QgzdPpfEyda      172.17.0.186    43283
> 172.16.1.10     53      opencalphad.com Intel::DOMAIN   DNS::IN_REQUEST
> worker-1        Intel::DOMAIN   0       -       -       -       -
> 85.0    -       -       -       -
>
> 1570105259.197420       CP1BZx1QgzdPpfEyda      172.17.0.186    43283
> 172.16.1.10     53      opencalphad.com Intel::DOMAIN   DNS::IN_REQUEST
> worker-1        Intel::DOMAIN   0       -       -       -       -
> 85.0    -       -       -       -
>
> 1570105259.207335       CJZASAQTB2qgPSYw7       172.17.0.186    59553
> 172.16.1.10     53      opencalphad.com Intel::DOMAIN   DNS::IN_REQUEST
> worker-1        Intel::DOMAIN   0       -       -       -       -
> 85.0    -       -       -       -
>
> 1570105259.211927       CJZASAQTB2qgPSYw7       172.17.0.186    59553
> 172.16.1.10     53      opencalphad.com Intel::DOMAIN   DNS::IN_REQUEST
> worker-1        Intel::DOMAIN   0       -       -       -       -
> 85.0    -       -
>
>
>
> As you can see, some lines are identical, same uid, same worker, same
> timestamp, etc...
>

The usual case for this is that you are tapping the same traffic twice.
 If you look up the CP1BZx1QgzdPpfEyda connection in the conn.log  and look
at orig_pkts and resp_pkts  you should see 1 and 1.   If you see 2,2 or 2,1
then you are seeing duplicate packets.

justin at mbp:/tmp/b$ cat dns.log |bro-cut  uid qtype_name query
Cu1Xq04w0nXaBiFiD A opencalphad.com
CJYuzY33KkZubxHXMc AAAA opencalphad.com
CdgXOb43ML2PJSv84a MX opencalphad.com
justin at mbp:/tmp/b$ cat conn.log |bro-cut uid orig_pkts resp_pkts |fgrep
Cu1Xq04w0nXaBiFiD
Cu1Xq04w0nXaBiFiD 1 1



-- 
Justin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20191003/80a9689c/attachment.html

More information about the Zeek mailing list