Duplication of packets and UIDs

My Bro setup is part of Security Onion, but they recommended coming to Bro for assistance. Another user on the SO mailing list reported similar problems (https://groups.google.com/forum/#!topic/security-onion/7x27uKttByM). I’ve sent this email twice already, but the attachment is apparently too large and a mod needs to approve it, which hasn’t happened for almost two weeks. So this will be sent without the sostat attachment.

This is running on Ubuntu 12.4.4 w/ the older 3.8 kernel (as specified in Security Onion install). Bro version is 2.2. Let me know what additional information to provide.

1. Why are lines 837 & 838 duplicates of each other, with different time stamps?

I believe this might be a bug that we have fixed in the upcoming 2.3 release. We did some DNS script refactoring. It's a surprisingly hard protocol to get just right.

2. Why are lines 1130 & 1131 duplicated immediately after (lines 1132 & 1133), with the same timestamps?

I suspect that's the same bug expressing itself again.

3. Why do both sections of packets, 10 seconds apart, have the same UID?

Because it's UDP. :) Bro creates mock "connections" for UDP and the client in this case was using the same ephemeral port for multiple queries so they showed up as part of the same "connection". (all quotes very deliberate).
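The behaviour described in that last answer, shown as an added toy model rather than Bro's own code: UDP packets are grouped into a "connection" by their 5-tuple, independent of direction, and the connection only ends when it has been idle longer than an inactivity timeout. The 60-second timeout, the `Cexample0001`-style UIDs and the packet trace are all constructed for this example. The trace reproduces the reporter's situation: two DNS queries 10 seconds apart from the same ephemeral source port land in one connection (one conn.log UID, two dns.log entries), while a query from a fresh port, or one that arrives after the idle timeout, gets a new UID.

```python
"""Toy UDP flow tracker showing why several DNS queries can share one conn UID.

Constructed example, not Bro code. Flows are keyed on the 5-tuple (protocol and
both endpoints, order-independent) and expire after an inactivity timeout; the
60-second timeout is an assumed value chosen for illustration.
"""
from itertools import count

UDP_INACTIVITY_TIMEOUT = 60.0  # seconds; assumed value for this example

# Constructed sample trace: (ts, src_ip, src_port, dst_ip, dst_port, is_query)
SAMPLE_TRACE = [
    (0.000, "10.0.0.5", 53212, "10.0.0.1", 53, True),    # query 1
    (0.012, "10.0.0.1", 53, "10.0.0.5", 53212, False),   # reply 1
    (10.000, "10.0.0.5", 53212, "10.0.0.1", 53, True),   # query 2: same ephemeral port, 10 s later
    (10.011, "10.0.0.1", 53, "10.0.0.5", 53212, False),  # reply 2
    (10.500, "10.0.0.5", 53213, "10.0.0.1", 53, True),   # query 3: new ephemeral port
    (10.509, "10.0.0.1", 53, "10.0.0.5", 53213, False),  # reply 3
    (120.000, "10.0.0.5", 53212, "10.0.0.1", 53, True),  # query 4: old port, but after the idle timeout
]


def flow_key(src_ip, src_port, dst_ip, dst_port):
    """Direction-independent key so a reply lands in the same flow as its query."""
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    return ("udp",) + (a + b if a <= b else b + a)


class UdpFlowTracker:
    def __init__(self, timeout=UDP_INACTIVITY_TIMEOUT):
        self.timeout = timeout
        self.active = {}    # flow_key -> flow record still considered "open"
        self.finished = []  # expired flow records (what would become conn.log lines)
        self._uids = count(1)

    def _new_flow(self, key, ts):
        # Constructed UID format; real Bro UIDs are random base62 strings.
        return {"uid": "Cexample%04d" % next(self._uids), "key": key,
                "first_ts": ts, "last_ts": ts, "pkts": 0, "queries": 0}

    def add_packet(self, ts, src_ip, src_port, dst_ip, dst_port, is_query):
        """Assign the packet to a flow and return that flow's UID."""
        key = flow_key(src_ip, src_port, dst_ip, dst_port)
        flow = self.active.get(key)
        if flow is not None and ts - flow["last_ts"] > self.timeout:
            # Idle too long: the old "connection" is logged and a fresh one starts.
            self.finished.append(self.active.pop(key))
            flow = None
        if flow is None:
            flow = self._new_flow(key, ts)
            self.active[key] = flow
        flow["last_ts"] = ts
        flow["pkts"] += 1
        if is_query:
            flow["queries"] += 1
        return flow["uid"]

    def flush(self):
        """End of capture: expire everything still active and return all flows in order."""
        self.finished.extend(sorted(self.active.values(), key=lambda f: f["first_ts"]))
        self.active.clear()
        return self.finished


def run_trace(trace=SAMPLE_TRACE, timeout=UDP_INACTIVITY_TIMEOUT):
    """Return (UID assigned to each packet, list of finished flow records)."""
    tracker = UdpFlowTracker(timeout)
    uids = [tracker.add_packet(*pkt) for pkt in trace]
    return uids, tracker.flush()


if __name__ == "__main__":
    uids, flows = run_trace()
    for pkt, uid in zip(SAMPLE_TRACE, uids):
        print("%8.3f %s:%d -> %s:%d  uid=%s" % (pkt[0], pkt[1], pkt[2], pkt[3], pkt[4], uid))
    for f in flows:
        print("conn %s: %d packets, %d DNS queries -> one conn.log line, %d dns.log lines"
              % (f["uid"], f["pkts"], f["queries"], f["queries"]))
```

Running the trace produces three flows: the first carries queries 1 and 2 (four packets, two DNS transactions under one UID), the second is query 3 on the new port, and the third is query 4, which reuses port 53212 but arrives after the idle window. Raising the timeout to, say, 600 seconds folds query 4 back into the first flow. The practical takeaway for anyone correlating logs is that a UDP conn.log UID is a flow identifier, not a transaction identifier, so joining dns.log to conn.log on `uid` can legitimately yield several DNS records per connection.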