Hi All,
I was looking into the bro weird log file, and finally decided to spare some time
tuning down the dns_unmatched_* messages in weird.log, as we usually get many
of them.
So to begin with, first I looked at the weird.log, grep-ed the very first entry for dns_unmatched_msg,
and then grep-ed everything in *.log corresponding to that uid:
$ less *.log | grep "CgOnko1s28TKjoaB07"
1512410399.813927 CgOnko1s28TKjoaB07 34.228.158.69 41438 128.175.13.16 53 udp dns 0.003451 42 2638 SF F T 0 Dd 1 70 22694 (empty) worker-2-18
1512410399.813927 CgOnko1s28TKjoaB07 34.228.158.69 41438 128.175.13.16 53 udp 22592 0.003411 dns1.udel.edu 1 C_INTERNET 1 A 0 NOERROR T F F F 1 128.175.13.16 86400.000000 F
1512410399.817378 CgOnko1s28TKjoaB07 34.228.158.69 41438 128.175.13.16 53 udp 22592 - dns1.udel.edu - - - - 0 NOERROR T F F F 0 128.175.13.16 86400.000000 F
1512410399.817338 CgOnko1s28TKjoaB07 34.228.158.69 41438 128.175.13.16 53 DNS_RR_unknown_type 46 F worker-2-18
1512410399.817378 CgOnko1s28TKjoaB07 34.228.158.69 41438 128.175.13.16 53 dns_unmatched_reply - F worker-2-18
1512410409.813946 CgOnko1s28TKjoaB07 34.228.158.69 41438 128.175.13.16 53 dns_unmatched_msg - F worker-2-18
Looks like Bro is seeing a proper connection (SF) in the conn.log entry,
and dns.log is logging the query and response, the second log entry above.
I am unsure of the third entry above, corresponding to dns.log.
Any reason, weird.log would log a dns_unmatched* log for this connection?
P.S: we have disabled the checksum offloading on the NIC.
Any thoughts?
Thanks!
Fatema.
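A small triage helper, added here as an example and not part of Fatema's post or of Bro itself: it parses each log by its `#fields` header, joins the three logs on uid (the manual `less *.log | grep uid` step above, done for every uid at once), and for each uid that produced a dns_unmatched_* weird reports the conn_state, which trans_ids dns.log shows as queried and answered, and which dns.log rows are a reply logged without its query. A weird on an SF connection whose trans_id is already answered is marked as a tuning candidate rather than something to investigate; that rule is a heuristic of this example, not a statement about why Bro emits the weird. The sample rows are constructed: the CgOnko1s28TKjoaB07 values follow the post's lines, cut down to the columns the code reads, and the second uid is a made-up contrasting case. Real Zeek logs are tab-separated, which the grep output in the post lost.

```python
"""Join Zeek (Bro) conn.log, dns.log and weird.log on the connection uid and
triage dns_unmatched_* weirds against what the other two logs recorded."""
from collections import defaultdict

# Constructed sample logs. Values for uid CgOnko1s28TKjoaB07 follow the post's
# lines, trimmed to the columns the triage reads; CexampleUID0000002 is a made-up
# contrasting case. Real Zeek logs are tab-separated and carry a #fields header.
CONN_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state\thistory",
    "1512410399.813927\tCgOnko1s28TKjoaB07\t34.228.158.69\t41438\t128.175.13.16\t53\tudp\tdns\tSF\tDd",
    "1512410400.000000\tCexampleUID0000002\t198.51.100.7\t50000\t128.175.13.16\t53\tudp\tdns\tOTH\td",
])
DNS_LOG = "\n".join([
    "#fields\tts\tuid\ttrans_id\trtt\tquery\tqtype_name\trcode_name\tanswers",
    "1512410399.813927\tCgOnko1s28TKjoaB07\t22592\t0.003411\tdns1.udel.edu\tA\tNOERROR\t128.175.13.16",
    "1512410399.817378\tCgOnko1s28TKjoaB07\t22592\t-\tdns1.udel.edu\t-\tNOERROR\t128.175.13.16",
    "1512410400.000100\tCexampleUID0000002\t4242\t-\texample.com\t-\tNOERROR\t203.0.113.5",
])
WEIRD_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tname\taddl\tnotice\tpeer",
    "1512410399.817338\tCgOnko1s28TKjoaB07\t34.228.158.69\t41438\t128.175.13.16\t53\tDNS_RR_unknown_type\t46\tF\tworker-2-18",
    "1512410399.817378\tCgOnko1s28TKjoaB07\t34.228.158.69\t41438\t128.175.13.16\t53\tdns_unmatched_reply\t-\tF\tworker-2-18",
    "1512410409.813946\tCgOnko1s28TKjoaB07\t34.228.158.69\t41438\t128.175.13.16\t53\tdns_unmatched_msg\t-\tF\tworker-2-18",
    "1512410400.000100\tCexampleUID0000002\t198.51.100.7\t50000\t128.175.13.16\t53\tdns_unmatched_reply\t-\tF\tworker-2-18",
])


def parse_zeek_log(text):
    """Parse a Zeek TSV log into a list of dicts keyed by the #fields header."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue  # other #-lines (separator, path, open, types) are skipped
        if fields is None:
            raise ValueError("data row before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        rows.append(dict(zip(fields, values)))
    return rows


def by_uid(rows):
    """Index log rows by connection uid (the join key shared by all three logs)."""
    index = defaultdict(list)
    for row in rows:
        index[row["uid"]].append(row)
    return index


def triage_dns_weirds(conn_text, dns_text, weird_text):
    """For every uid with a dns_unmatched_* weird, summarise what conn.log and
    dns.log say about that connection and flag whether it still needs a look."""
    conn = by_uid(parse_zeek_log(conn_text))
    dns = by_uid(parse_zeek_log(dns_text))
    weird = by_uid(parse_zeek_log(weird_text))
    report = {}
    for uid, weirds in weird.items():
        unmatched = [w["name"] for w in weirds if w["name"].startswith("dns_unmatched_")]
        if not unmatched:
            continue
        conn_state = conn[uid][0]["conn_state"] if uid in conn else None
        # A dns.log row with an rtt is a query matched to its answer; a row whose
        # query-side columns are "-" is a reply logged without a matching query.
        answered = sorted({r["trans_id"] for r in dns.get(uid, [])
                           if r["rtt"] != "-" and r["answers"] != "-"})
        reply_only = sorted({r["trans_id"] for r in dns.get(uid, [])
                             if r["rtt"] == "-" and r["answers"] != "-"})
        report[uid] = {
            "weirds": unmatched,
            "conn_state": conn_state,
            "answered_trans_ids": answered,
            "reply_only_trans_ids": reply_only,
            # Heuristic of this example: a completed (SF) connection whose query
            # was already answered is a tuning candidate; anything else stays open.
            "needs_review": not (conn_state == "SF" and answered),
        }
    return report


if __name__ == "__main__":
    for uid, summary in triage_dns_weirds(CONN_LOG, DNS_LOG, WEIRD_LOG).items():
        print(uid, summary)
```

To run it against real logs, read `conn.log`, `dns.log` and `weird.log` from a log directory and pass their contents in place of the constructed strings; the parser only needs the `#fields` line and the columns named in the code.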