[Zeek] R: duplicated intel logs DNS::IN_REQUEST

Palumbo Mauro mauro.palumbo at aizoon.it
Fri Oct 4 01:08:19 PDT 2019 

Hi Justin,
   I am in fact seeing 2,2 or 2,0 as orig_pkts and resp_pkts. And I confirmed this with tcpdump. So I believe it is an issue with the network we are tapping as I see these duplicated packets only for dns.

Thnaks
Mauro

Da: Justin Azoff [mailto:justin at corelight.com]
Inviato: giovedì 3 ottobre 2019 17:58
A: Palumbo Mauro <mauro.palumbo at aizoon.it>
Cc: zeek <zeek at zeek.org>
Oggetto: Re: [Zeek] duplicated intel logs DNS::IN_REQUEST

On Thu, Oct 3, 2019 at 8:38 AM Palumbo Mauro <mauro.palumbo at aizoon.it<mailto:mauro.palumbo at aizoon.it>> wrote:
Hi everybody,

  I am having an issue with the intel.log file, I am getting duplicated lines for the same dns request such as:

#fields ts      uid     id.orig_h       id.orig_p       id.resp_h       id.resp_p       seen.indicator  seen.indicator_type     seen.where      seen.node       matched sources fuid    file_mime_type  file_desc       cif.tags        cif.confidence  cif.source      cif.description cif.firstseen   cif.lastseen
#types  time    string  addr    port    addr    port    string  enum    enum    string  set[enum]       set[string]     string  string  string  string  double  string  string  string  string
1570105259.197420       CP1BZx1QgzdPpfEyda      172.17.0.186    43283   172.16.1.10     53      opencalphad.com<http://opencalphad.com> Intel::DOMAIN   DNS::IN_REQUEST worker-1        Intel::DOMAIN   0       -       -       -       -       85.0    -       -       -       -
1570105259.197420       CP1BZx1QgzdPpfEyda      172.17.0.186    43283   172.16.1.10     53      opencalphad.com<http://opencalphad.com> Intel::DOMAIN   DNS::IN_REQUEST worker-1        Intel::DOMAIN   0       -       -       -       -       85.0    -       -       -       -
1570105259.207335       CJZASAQTB2qgPSYw7       172.17.0.186    59553   172.16.1.10     53      opencalphad.com<http://opencalphad.com> Intel::DOMAIN   DNS::IN_REQUEST worker-1        Intel::DOMAIN   0       -       -       -       -       85.0    -       -       -       -
1570105259.211927       CJZASAQTB2qgPSYw7       172.17.0.186    59553   172.16.1.10     53      opencalphad.com<http://opencalphad.com> Intel::DOMAIN   DNS::IN_REQUEST worker-1        Intel::DOMAIN   0       -       -       -       -       85.0    -       -

As you can see, some lines are identical, same uid, same worker, same timestamp, etc...

The usual case for this is that you are tapping the same traffic twice.   If you look up the CP1BZx1QgzdPpfEyda connection in the conn.log  and look at orig_pkts and resp_pkts  you should see 1 and 1.   If you see 2,2 or 2,1 then you are seeing duplicate packets.

justin at mbp:/tmp/b$ cat dns.log |bro-cut  uid qtype_name query
Cu1Xq04w0nXaBiFiD A opencalphad.com<http://opencalphad.com>
CJYuzY33KkZubxHXMc AAAA opencalphad.com<http://opencalphad.com>
CdgXOb43ML2PJSv84a MX opencalphad.com<http://opencalphad.com>
justin at mbp:/tmp/b$ cat conn.log |bro-cut uid orig_pkts resp_pkts |fgrep Cu1Xq04w0nXaBiFiD
Cu1Xq04w0nXaBiFiD 1 1



--
Justin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20191004/cfd18063/attachment-0001.html

More information about the Zeek mailing list