[ https://bro-tracker.atlassian.net/browse/BIT-1460?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21941#comment-21941 ]

Vlad Grigorescu commented on BIT-1460:
--------------------------------------

The issue here is src/analyzer/protocol/dns/DNS.cc lines 58-68:

{quote}
        // There is a great deal of non-DNS traffic that runs on port 53.
        // This should weed out most of it.
        if ( dns_max_queries > 0 && msg.qdcount > dns_max_queries )
                {
                analyzer->ProtocolViolation("DNS_Conn_count_too_large");
                analyzer->Weird("DNS_Conn_count_too_large");
                EndMessage(&msg);
                return 0;
                }
{quote}

topic/vladg/bit-1460 makes dns_max_queries redef-able, and bumps up the limit 
from 5 to 25.

Since multicast is so chatty, it might make sense to special case it and allow 
for a higher limit. That being said, I'm not sure there's much of a downside to 
setting the max a bit higher.

> DPD query too large on multicast DNS
> ------------------------------------
>
>                 Key: BIT-1460
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1460
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: BinPAC
>    Affects Versions: 2.4
>            Reporter: Michal Purzynski
>              Labels: analyzer
>         Attachments: dnsm.pcap
>
>
> Lots of
> 1440024833.696698     CZdljELZjJSLLQpxj       10.251.27.165   5353    224.0.0.251     5353    udp     DNS     DNS_Conn_count_too_large
> 1440024920.764444     CgVrZf4IQ0Tc04EfQe      10.251.29.250   5353    224.0.0.251     5353    udp     DNS     DNS_Conn_count_too_large
> 1440024920.764923     C4oQOB2GRRhDHW1i4g      fe80::6676:baff:feb5:772c       5353    ff02::fb        5353    udp     DNS     DNS_Conn_count_too_large
> 1440024981.016577     CsCwiq3qk2Uxjhomjj      fe80::1c8a:768d:e113:e39f       5353    ff02::fb        5353    udp     DNS     DNS_Conn_count_too_large
> 1440024981.015551     CA1nbO23vgbca2PBYi      10.251.28.176   5353    224.0.0.251     5353    udp     DNS     DNS_Conn_count_too_large
> 1440025022.962007     C5kYaG3BckRrVOot89      10.251.26.99    5353    224.0.0.251     5353    udp     DNS     DNS_Conn_count_too_large
> 1440025022.962049     CrkZft38lJ0YqGqxsl      fe80::2acf:e9ff:fe1a:9aed       5353    ff02::fb        5353    udp     DNS     DNS_Conn_count_too_large
> for just UDP and port 5353 - multicast DNS
> Pcaps attached.



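To make concrete what the quoted DNS.cc check rejects, here is an added Python example (not code from the Bro project or from the ticket): it builds a constructed mDNS service-browse query carrying eight questions, reads QDCOUNT from the 12-byte header exactly as the analyzer does before parsing any question, and applies the limit at the old default of 5, the proposed 25, and 0 (which disables the check). The service names are constructed sample data and every function and constant name is this example's own.

```python
import struct

# Mirror of the check in src/analyzer/protocol/dns/DNS.cc: a message whose
# header QDCOUNT exceeds dns_max_queries is flagged and dropped.
DEFAULT_DNS_MAX_QUERIES = 5   # limit the ticket reports tripping on mDNS
RAISED_DNS_MAX_QUERIES = 25   # limit proposed in topic/vladg/bit-1460

QTYPE_PTR = 12
QCLASS_IN = 1
MDNS_QU_BIT = 0x8000  # mDNS "unicast response requested" bit in the question class


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length: %r" % label)
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def build_mdns_query(names, qtype=QTYPE_PTR, unicast_response=False) -> bytes:
    """Construct an mDNS query with one question per name (constructed sample)."""
    qclass = QCLASS_IN | (MDNS_QU_BIT if unicast_response else 0)
    # ID 0 and flags 0 (standard query), as mDNS queries normally carry.
    header = struct.pack("!HHHHHH", 0, 0, len(names), 0, 0, 0)
    questions = b"".join(encode_name(n) + struct.pack("!HH", qtype, qclass)
                         for n in names)
    return header + questions


def parse_dns_header(pkt: bytes) -> dict:
    """Decode the fixed 12-byte DNS header; QDCOUNT is bytes 4-5."""
    if len(pkt) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {"id": ident, "flags": flags, "qdcount": qd,
            "ancount": an, "nscount": ns, "arcount": ar}


def check_query_count(pkt: bytes, dns_max_queries: int = DEFAULT_DNS_MAX_QUERIES):
    """Return the weird name the analyzer would raise, or None if the message passes.

    This is a header-only test: QDCOUNT is read before any question is parsed,
    so it weeds out non-DNS traffic only when that traffic happens to decode to
    a large count at bytes 4-5. A limit of 0 disables the check entirely.
    """
    hdr = parse_dns_header(pkt)
    if dns_max_queries > 0 and hdr["qdcount"] > dns_max_queries:
        return "DNS_Conn_count_too_large"
    return None


# Constructed sample: a Bonjour-style browse asking for several service types
# in one multicast query, the kind of traffic behind the ticket's weird.log lines.
SERVICE_TYPES = [
    "_services._dns-sd._udp.local",
    "_airplay._tcp.local",
    "_raop._tcp.local",
    "_ipp._tcp.local",
    "_printer._tcp.local",
    "_afpovertcp._tcp.local",
    "_smb._tcp.local",
    "_http._tcp.local",
]
MDNS_BROWSE = build_mdns_query(SERVICE_TYPES)


def demo() -> dict:
    """Run the check on the sample at the three limits under discussion."""
    return {
        "qdcount": parse_dns_header(MDNS_BROWSE)["qdcount"],
        "at_5": check_query_count(MDNS_BROWSE, DEFAULT_DNS_MAX_QUERIES),
        "at_25": check_query_count(MDNS_BROWSE, RAISED_DNS_MAX_QUERIES),
        "disabled": check_query_count(MDNS_BROWSE, 0),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The eight-question browse is flagged at 5 and passes at 25 or 0, while a one-question QU query passes at every setting. On a build where dns_max_queries is redef-able, as the topic branch described above makes it, the operator-side equivalent of the second case would be a one-line `redef dns_max_queries = 25;` in local.bro (assumed here from ordinary Bro redef syntax, not taken from the branch).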
--
This message was sent by Atlassian JIRA
(v7.0.0-OD-02-259#70102)
_______________________________________________
bro-dev mailing list
[email protected]
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev