DNS Investigation

Mahdi_Bashiri · August 3, 2020, 3:46am

Hi
I’m investigating dns.log file with below command:
cat dns.log | bro-cut id.orig_h query | sort -r | uniq -c
and in output i see this line:
1 10.10.27.15 *\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
but i do not know what is this and what is meaning.
please let me know what is meaning and does it mean a threat or not?

Regards,
Mahdi

Shane_Mullins · August 3, 2020, 11:00am

That is netbios lookups. What is the port?

Shane

Jeffry_Lang · August 3, 2020, 2:44pm

Mahdi,

I have seen this data as well in the DNS log. From what we’ve been able to determine it is not DNS traffic but name resolution over NetBIOS.

Kiran_Vangaveti · August 5, 2020, 2:10pm

we see that commonly with port 5353, multicast DNS. It has also resulted in a lot of noise, so we ended up removing 5353 from the config.
zeek mailing list -- zeek@lists.zeek.org
To unsubscribe send an email to zeek-leave@lists.zeek.org

Topic		Replies	Views
Issues with my DNS Filter	1	77	March 27, 2024
Duplicate DNS packets Zeek	4	109	May 6, 2022
DNS forwarding + weird.log Zeek	1	85	May 6, 2022
Unexpected dns.log results on zeek 5.1 Zeek analyzer , dns	3	286	January 19, 2023
Disable dns.log Zeek	7	170	May 6, 2022

DNS Investigation

Related Topics