Robin Sommer created BIT-1153:
---------------------------------
Summary: DNS inconsistency
Key: BIT-1153
URL: https://bro-tracker.atlassian.net/browse/BIT-1153
Project: Bro Issue Tracker
Issue Type: Problem
Components: Bro
Reporter: Robin Sommer
Fix For: 2.3
Something's not deterministic in the DNS analyzer. This is with a small trace
of just 6 empty DNS replies with different transaction IDs:
{code}
# ( bro -b -r dns2-anon.trace base/protocols/dns && cat dns.log ) >>log
# ( bro -b -r dns2-anon.trace base/protocols/dns && cat dns.log ) >>log
# ( bro -b -r dns2-anon.trace base/protocols/dns && cat dns.log ) >>log
# cat log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path dns
#open 2014-03-09-21-36-40
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
#types time string addr port addr port enum count string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
1359400918.103013 C3UnB71Lb5jHQuxYi9 10.69.49.58 41664 10.32.136.13 53 udp 50261 - - - - - 3 NXDOMAIN F F F F 0 - - F
1359400918.102517 C3UnB71Lb5jHQuxYi9 10.69.49.58 41664 10.32.136.13 53 udp 14740 - - - - - 3 NXDOMAIN F F F F 0 - - F
1359400918.103641 C3UnB71Lb5jHQuxYi9 10.69.49.58 41664 10.32.136.13 53 udp 22908 - - - - - 3 NXDOMAIN F F F F 0 - - F
1359400918.102812 C3UnB71Lb5jHQuxYi9 10.69.49.58 41664 10.32.136.13 53 udp 58133 - - - - - 3 NXDOMAIN F F F F 0 - - F
#close 2014-03-09-21-36-40
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path dns
#open 2014-03-09-21-36-42
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
#types time string addr port addr port enum count string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
1359400918.102812 CF4yYh4S0wIWnHYKka 10.69.49.58 41664 10.32.136.13 53 udp 58133 - - - - - 3 NXDOMAIN F F F F 0 - - F
1359400918.104054 CF4yYh4S0wIWnHYKka 10.69.49.58 41664 10.32.136.13 53 udp 45557 - - - - - 3 NXDOMAIN F F F F 0 - - F
1359400918.103013 CF4yYh4S0wIWnHYKka 10.69.49.58 41664 10.32.136.13 53 udp 50261 - - - - - 3 NXDOMAIN F F F F 0 - - F
1359400918.102517 CF4yYh4S0wIWnHYKka 10.69.49.58 41664 10.32.136.13 53 udp 14740 - - - - - 3 NXDOMAIN F F F F 0 - - F
1359400918.103390 CF4yYh4S0wIWnHYKka 10.69.49.58 41664 10.32.136.13 53 udp 31341 - - - - - 3 NXDOMAIN F F F F 0 - - F
#close 2014-03-09-21-36-42
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path dns
#open 2014-03-09-21-36-43
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
#types time string addr port addr port enum count string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
1359400918.103641 CrJZTqkaJJe3L4VUk 10.69.49.58 41664 10.32.136.13 53 udp 22908 - - - - - 3 NXDOMAIN F F F F 0 - - F
1359400918.103390 CrJZTqkaJJe3L4VUk 10.69.49.58 41664 10.32.136.13 53 udp 31341 - - - - - 3 NXDOMAIN F F F F 0 - - F
1359400918.103013 CrJZTqkaJJe3L4VUk 10.69.49.58 41664 10.32.136.13 53 udp 50261 - - - - - 3 NXDOMAIN F F F F 0 - - F
1359400918.102517 CrJZTqkaJJe3L4VUk 10.69.49.58 41664 10.32.136.13 53 udp 14740 - - - - - 3 NXDOMAIN F F F F 0 - - F
1359400918.102812 CrJZTqkaJJe3L4VUk 10.69.49.58 41664 10.32.136.13 53 udp 58133 - - - - - 3 NXDOMAIN F F F F 0 - - F
1359400918.104054 CrJZTqkaJJe3L4VUk 10.69.49.58 41664 10.32.136.13 53 udp 45557 - - - - - 3 NXDOMAIN F F F F 0 - - F
#close 2014-03-09-21-36-43
{code}
I'll provide the trace on request; I don't want to attach it here.
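
One way to check for the divergence reported above, as an added example that is not part of the original issue or the Bro code base: it splits concatenated dns.log output into runs and lists, per run, the transaction IDs that another run logged but this one did not. The sample is rebuilt from the values shown in the report; `sample_run`, `split_runs` and `missing_per_run` are hypothetical names.

```python
# Added example: detect run-to-run divergence in concatenated Bro dns.log output.
FIELDS = ("ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass "
          "qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs "
          "rejected").split()
# Constructed sample: timestamp per transaction ID, copied from the log in the report.
TS = {"50261": "1359400918.103013", "14740": "1359400918.102517",
      "22908": "1359400918.103641", "58133": "1359400918.102812",
      "45557": "1359400918.104054", "31341": "1359400918.103390"}

def sample_run(uid, trans_ids):
    """Render one run in Bro ASCII log format (hypothetical helper for the sample)."""
    head = ["#separator \\x09", "#path\tdns", "#fields\t" + "\t".join(FIELDS)]
    rows = ["\t".join([TS[t], uid, "10.69.49.58", "41664", "10.32.136.13", "53", "udp", t]
                      + ["-"] * 5 + ["3", "NXDOMAIN"] + ["F"] * 4 + ["0", "-", "-", "F"])
            for t in trans_ids]
    return "\n".join(head + rows) + "\n"

SAMPLE = (sample_run("C3UnB71Lb5jHQuxYi9", ["50261", "14740", "22908", "58133"])
          + sample_run("CF4yYh4S0wIWnHYKka", ["58133", "45557", "50261", "14740", "31341"])
          + sample_run("CrJZTqkaJJe3L4VUk",
                       ["22908", "31341", "50261", "14740", "58133", "45557"]))

def split_runs(text):
    """Split concatenated Bro ASCII logs into runs; each record is a dict keyed by #fields."""
    runs, fields, sep = [], None, "\t"
    for line in text.splitlines():
        if line.startswith("#separator "):  # e.g. "#separator \x09" (escaped byte)
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#fields"):
            fields = line.split(sep)[1:]
            runs.append([])  # a #fields header starts a new run
        elif line and not line.startswith("#"):
            values = line.split(sep)
            if fields is None or len(values) != len(fields):
                raise ValueError("record does not match #fields: %r" % line)
            runs[-1].append(dict(zip(fields, values)))
    return runs

def missing_per_run(runs, ignore=("uid",)):
    """Per run, the trans_ids of records that another run logged but this one did not."""
    def ident(rec):  # identity = every field except per-run values such as uid
        return tuple(sorted(kv for kv in rec.items() if kv[0] not in ignore))
    seen = [{ident(r): r["trans_id"] for r in run} for run in runs]
    union = {i: t for s in seen for i, t in s.items()}
    return [sorted(union[i] for i in union.keys() - s.keys()) for s in seen]

if __name__ == "__main__":
    for n, missing in enumerate(missing_per_run(split_runs(SAMPLE)), 1):
        print("run %d: missing trans_id %s" % (n, ", ".join(missing) or "none"))
```

The `uid` field is excluded from the comparison because it differs between runs even when the records are otherwise identical.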