[ https://bro-tracker.atlassian.net/browse/BIT-1153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15719#comment-15719 ]

Jon Siwek commented on BIT-1153:
--------------------------------

topic/jsiwek/bit-1153 in bro, bro-testing, bro-testing-private

> DNS inconsistency
> -----------------
>
>                 Key: BIT-1153
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1153
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Robin Sommer
>             Fix For: 2.3
>
>
> Something's not deterministic in the DNS analyzer, this is with a small trace 
> of just 6 empty DNS replies with different transaction IDs:
> {code}
> # ( bro -b -r dns2-anon.trace base/protocols/dns && cat dns.log ) >>log
> # ( bro -b -r dns2-anon.trace base/protocols/dns && cat dns.log ) >>log
> # ( bro -b -r dns2-anon.trace base/protocols/dns && cat dns.log ) >>log
> # cat log
> #separator \x09
> #set_separator        ,
> #empty_field  (empty)
> #unset_field  -
> #path dns
> #open 2014-03-09-21-36-40
> #fields       ts      uid     id.orig_h       id.orig_p       id.resp_h       
> id.resp_p       proto   trans_id        query   qclass  qclass_name     qtype 
>   qtype_name      rcode   rcode_name      AA      TC      RD      RA      Z   
>     answers TTLs    rejected
> #types        time    string  addr    port    addr    port    enum    count   
> string  count   string  count   string  count   string  bool    bool    bool  
>   bool    count   vector[string]  vector[interval]        bool
> 1359400918.103013     C3UnB71Lb5jHQuxYi9      10.69.49.58     41664   
> 10.32.136.13    53      udp     50261   -       -       -       -       -     
>   3       NXDOMAIN        F       F       F       F       0       -       -   
>     F
> 1359400918.102517     C3UnB71Lb5jHQuxYi9      10.69.49.58     41664   
> 10.32.136.13    53      udp     14740   -       -       -       -       -     
>   3       NXDOMAIN        F       F       F       F       0       -       -   
>     F
> 1359400918.103641     C3UnB71Lb5jHQuxYi9      10.69.49.58     41664   
> 10.32.136.13    53      udp     22908   -       -       -       -       -     
>   3       NXDOMAIN        F       F       F       F       0       -       -   
>     F
> 1359400918.102812     C3UnB71Lb5jHQuxYi9      10.69.49.58     41664   
> 10.32.136.13    53      udp     58133   -       -       -       -       -     
>   3       NXDOMAIN        F       F       F       F       0       -       -   
>     F
> #close        2014-03-09-21-36-40
> #separator \x09
> #set_separator        ,
> #empty_field  (empty)
> #unset_field  -
> #path dns
> #open 2014-03-09-21-36-42
> #fields       ts      uid     id.orig_h       id.orig_p       id.resp_h       
> id.resp_p       proto   trans_id        query   qclass  qclass_name     qtype 
>   qtype_name      rcode   rcode_name      AA      TC      RD      RA      Z   
>     answers TTLs    rejected
> #types        time    string  addr    port    addr    port    enum    count   
> string  count   string  count   string  count   string  bool    bool    bool  
>   bool    count   vector[string]  vector[interval]        bool
> 1359400918.102812     CF4yYh4S0wIWnHYKka      10.69.49.58     41664   
> 10.32.136.13    53      udp     58133   -       -       -       -       -     
>   3       NXDOMAIN        F       F       F       F       0       -       -   
>     F
> 1359400918.104054     CF4yYh4S0wIWnHYKka      10.69.49.58     41664   
> 10.32.136.13    53      udp     45557   -       -       -       -       -     
>   3       NXDOMAIN        F       F       F       F       0       -       -   
>     F
> 1359400918.103013     CF4yYh4S0wIWnHYKka      10.69.49.58     41664   
> 10.32.136.13    53      udp     50261   -       -       -       -       -     
>   3       NXDOMAIN        F       F       F       F       0       -       -   
>     F
> 1359400918.102517     CF4yYh4S0wIWnHYKka      10.69.49.58     41664   
> 10.32.136.13    53      udp     14740   -       -       -       -       -     
>   3       NXDOMAIN        F       F       F       F       0       -       -   
>     F
> 1359400918.103390     CF4yYh4S0wIWnHYKka      10.69.49.58     41664   
> 10.32.136.13    53      udp     31341   -       -       -       -       -     
>   3       NXDOMAIN        F       F       F       F       0       -       -   
>     F
> #close        2014-03-09-21-36-42
> #separator \x09
> #set_separator        ,
> #empty_field  (empty)
> #unset_field  -
> #path dns
> #open 2014-03-09-21-36-43
> #fields       ts      uid     id.orig_h       id.orig_p       id.resp_h       
> id.resp_p       proto   trans_id        query   qclass  qclass_name     qtype 
>   qtype_name      rcode   rcode_name      AA      TC      RD      RA      Z   
>     answers TTLs    rejected
> #types        time    string  addr    port    addr    port    enum    count   
> string  count   string  count   string  count   string  bool    bool    bool  
>   bool    count   vector[string]  vector[interval]        bool
> 1359400918.103641     CrJZTqkaJJe3L4VUk       10.69.49.58     41664   
> 10.32.136.13    53      udp     22908   -       -       -       -       -     
>   3       NXDOMAIN        F       F       F       F       0       -       -   
>     F
> 1359400918.103390     CrJZTqkaJJe3L4VUk       10.69.49.58     41664   
> 10.32.136.13    53      udp     31341   -       -       -       -       -     
>   3       NXDOMAIN        F       F       F       F       0       -       -   
>     F
> 1359400918.103013     CrJZTqkaJJe3L4VUk       10.69.49.58     41664   
> 10.32.136.13    53      udp     50261   -       -       -       -       -     
>   3       NXDOMAIN        F       F       F       F       0       -       -   
>     F
> 1359400918.102517     CrJZTqkaJJe3L4VUk       10.69.49.58     41664   
> 10.32.136.13    53      udp     14740   -       -       -       -       -     
>   3       NXDOMAIN        F       F       F       F       0       -       -   
>     F
> 1359400918.102812     CrJZTqkaJJe3L4VUk       10.69.49.58     41664   
> 10.32.136.13    53      udp     58133   -       -       -       -       -     
>   3       NXDOMAIN        F       F       F       F       0       -       -   
>     F
> 1359400918.104054     CrJZTqkaJJe3L4VUk       10.69.49.58     41664   
> 10.32.136.13    53      udp     45557   -       -       -       -       -     
>   3       NXDOMAIN        F       F       F       F       0       -       -   
>     F
> #close        2014-03-09-21-36-43
> {code}
> I'll provide the trace on request, don't want to attach it here.
>  



--
This message was sent by Atlassian JIRA
(v6.2-OD-10-004-WN#6253)
_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
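
Added example (not part of the original message or the Bro code base): a check that splits a file of appended dns.log runs, as the `>>log` commands in the report produce, and lists which trans_id values each run is missing. The sample rows are constructed from the timestamps and transaction IDs visible in the report, reduced to four columns with placeholder uid and `#open`/`#close` values; all function names are hypothetical.

```python
# Added example: determinism check over appended Bro dns.log runs.
TS = {  # trans_id -> ts, as visible in the report
    "14740": "1359400918.102517", "58133": "1359400918.102812",
    "50261": "1359400918.103013", "31341": "1359400918.103390",
    "22908": "1359400918.103641", "45557": "1359400918.104054",
}

def make_log(uid, ids):
    """Build one constructed run, reduced to four columns."""
    head = "#path\tdns\n#open\tX\n#fields\tts\tuid\ttrans_id\trcode_name\n"
    rows = "".join(f"{TS[i]}\t{uid}\t{i}\tNXDOMAIN\n" for i in ids)
    return head + rows + "#close\tX\n"

# Constructed sample: per-run trans_id order as in the report, placeholder uids.
SAMPLE = (make_log("uidA", ["50261", "14740", "22908", "58133"])
          + make_log("uidB", ["58133", "45557", "50261", "14740", "31341"])
          + make_log("uidC", ["22908", "31341", "50261", "14740", "58133", "45557"]))

def split_runs(text):
    """Split concatenated Bro ASCII logs into runs of {field: value} rows."""
    runs, fields, rows = [], [], None
    for line in text.splitlines():
        if line.startswith("#open"):
            rows = []
        elif line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#close") and rows is not None:
            runs.append(rows)
            rows = None
        elif line and not line.startswith("#") and rows is not None:
            rows.append(dict(zip(fields, line.split("\t"))))
    if rows is not None:          # run that ended without a #close line
        runs.append(rows)
    return runs

def missing_per_run(runs, key="trans_id"):
    """For each run, list key values seen in some other run but not this one."""
    seen = [{row[key] for row in run} for run in runs]
    union = set().union(*seen)
    return [sorted(union - s, key=int) for s in seen]

def is_deterministic(runs, ignore=("uid",)):
    """True if all runs hold the same rows, ignoring order and per-run columns."""
    def norm(run):
        return sorted(tuple(sorted((k, v) for k, v in r.items() if k not in ignore))
                      for r in run)
    return all(norm(r) == norm(runs[0]) for r in runs[1:])

if __name__ == "__main__":
    runs = split_runs(SAMPLE)
    print(missing_per_run(runs), is_deterministic(runs))
```

Comparing rows as sorted tuples with `uid` dropped separates a pure ordering difference from dropped entries, which is the distinction that matters when deciding whether a sensor's log can be trusted as a complete record.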