mismatch between conn's service and analyzer

Hi all,

On various occasions I've come across a conn log indicating a session's service as dns (udp port 53).
Yet I do not see that UID in Bro's DNS log.

Any ideas why?
Should conn's service field indicate the Bro analyzer being used?

Thank you
B

> On various occasions I've come across a conn log indicating a session's
> service as dns (udp port 53).
> Yet I do not see that UID in Bro's DNS log.
>
> Any ideas why?

You most likely aren't finding the "connections" associated with the query because Bro hasn't timed out the fake UDP connection yet. Since UDP doesn't establish connections, Bro has to create fake connections when a pair of hosts begin communicating back and forth using the same ports. It's very possible that you are looking for the connection during the period where Bro is still tracking the "connection". The default timeout is 1 minute, but that means that if a host is continuing to do queries to another host using the same ephemeral port (which is very common) it can take a very long time before that fake UDP connection times out.

> Should conn's service field indicate the Bro analyzer being used?

Yes. I suspect if you search in your conn log for "dns" you'll probably find some connections.

   .Seth
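As an added example (not from this thread or from the Bro project), the following Python script cross-references conn.log and dns.log by uid and reports the uids present in one log but missing from the other; the sample log lines are constructed in the Bro/Zeek TSV layout with field lists trimmed to the columns needed.

```python
"""Cross-reference Bro/Zeek conn.log and dns.log by uid (sample logs constructed)."""
from typing import Dict, List


def parse_bro_log(text: str) -> List[Dict[str, str]]:
    """Parse Bro/Zeek TSV log text into one dict per data row.

    The '#fields' header names the columns; every other '#' line is metadata
    (#path, #types, ...) and is skipped.
    """
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line:
            continue
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def compare_dns_uids(conn_text: str, dns_text: str) -> Dict[str, List[str]]:
    """Return uids seen in conn.log with service dns but absent from dns.log, and vice versa.

    'dns_without_conn' is the case Seth describes: dns.log records a query as soon
    as it completes, while the conn.log entry for the fake UDP connection only
    appears once that connection has timed out.
    """
    conn_rows = parse_bro_log(conn_text)
    dns_rows = parse_bro_log(dns_text)
    conn_uids = {r["uid"] for r in conn_rows}
    # 'service' may be '-' (unset) or a comma-separated list such as 'dns,ssl'.
    conn_dns_uids = {r["uid"] for r in conn_rows if "dns" in r["service"].split(",")}
    dns_uids = {r["uid"] for r in dns_rows}
    return {
        "conn_without_dns": sorted(conn_dns_uids - dns_uids),
        "dns_without_conn": sorted(dns_uids - conn_uids),
    }


def _tsv(*rows: List[str]) -> str:
    return "\n".join("\t".join(r) for r in rows)


# Constructed sample logs (uids, hosts and timestamps are made up for this example).
CONN_LOG = _tsv(
    ["#path", "conn"],
    ["#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "service"],
    ["1400000000.000000", "CXWv6p3arKYeMETxOg", "10.0.0.5", "51234", "10.0.0.1", "53", "udp", "dns"],
    ["1400000010.000000", "CjhGID4nQcgTWjvg4c", "10.0.0.6", "40000", "10.0.0.1", "53", "udp", "dns"],
)
DNS_LOG = _tsv(
    ["#path", "dns"],
    ["#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "query"],
    ["1400000000.000000", "CXWv6p3arKYeMETxOg", "10.0.0.5", "51234", "10.0.0.1", "53", "udp", "example.com"],
    ["1400000020.000000", "C4J4Th3PJpwUYZZ6gc", "10.0.0.7", "45000", "10.0.0.1", "53", "udp", "example.org"],
)

if __name__ == "__main__":
    print(compare_dns_uids(CONN_LOG, DNS_LOG))
```

On real logs, read each file's contents and pass them to compare_dns_uids; a uid listed under dns_without_conn is worth re-checking after the UDP timeout has elapsed before treating it as a genuine mismatch.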