[
https://bro-tracker.atlassian.net/browse/BIT-755?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
grigorescu updated BIT-755:
---------------------------
Resolution: Fixed
Status: Closed (was: Open)
Seth managed to dig up the trace, and I ran master against it. At some point,
this was fixed.
> Bogus DNS_truncated_ans_too_short notice in weird.log for NetBIOS DNS
> responses
> -------------------------------------------------------------------------------
>
> Key: BIT-755
> URL: https://bro-tracker.atlassian.net/browse/BIT-755
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: Matthias Vallentin
> Fix For: 2.4
>
>
> As part of the trace testing for 2.0, I found an issue with NetBIOS DNS
> traffic. (To reproduce, run Bro on slice 10 trace 6.) The issue is that each
> NetBIOS DNS response elicits a {{DNS_truncated_ans_too_short}} notice.
> Presumably this occurs because the DNS analyzer is not aware when it analyzes
> NetBIOS traffic and always uses default DNS settings.
> Here is an excerpt of {{weird.log}}:
> {noformat}
> #separator \x09
> #path weird
> #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
> #types time string addr port addr port string string bool string
> 1258595204.973641 zXeo86cfbm7 192.168.1.1 137 192.168.1.103 137 DNS_label_len_gt_pkt - F bro
> 1258595204.973641 zXeo86cfbm7 192.168.1.1 137 192.168.1.103 137 DNS_truncated_ans_too_short - F bro
> 1258595929.455451 z4HTnleZ5K7 192.168.1.1 137 192.168.1.103 137 DNS_truncated_ans_too_short - F bro
> 1258596653.936597 JabVxb51nSh 192.168.1.1 137 192.168.1.103 137 DNS_truncated_ans_too_short - F bro
> 1258597378.402488 wP49IojzMDi 192.168.1.1 137 192.168.1.103 137 DNS_truncated_ans_too_short - F bro
> 1258598102.868114 yFYuqEzJF87 192.168.1.1 137 192.168.1.103 137 DNS_truncated_ans_too_short - F bro
> [..]
> {noformat}
_______________________________________________
bro-dev mailing list
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev