I am using Zeek to run a PCAP and then parsing/processing the generated logs to make sense of the traffic.
The issue I’m having is with the DNS parser. It is not always producing what I’m expecting it to.
In particular, it doesn’t always parse the type from the DNS traffic PCAP, which is one of the markers my code looks for.
If I look using Wireshark with the same PCAP I see that the type “A” is present, as I would expect it to be.
However, the resulting Zeek dns.log is missing that field in particular.
I need Zeek to parse this type field out so I know to look into the domain visited to make sure it is legitimate.
Are there any known issues with the DNS parser, or any known solutions to this particular problem?
Here is an example generated by navigating to a webpage:
1565970799.068532 CK9bYM3SGJHwpPNW12 192.168.100.3 19024 192.168.100.1 53 udp 10896 - rl.ammyy.com - - - - 0 NOERROR F F F T 0 22.214.171.124 278.000000 F
To the best of my understanding, the field which is marked empty ("-"), two fields prior to the NOERROR field, should be "A".
This works for other instances of traffic I can find in PCAPs from the internet, but not from the ones generated by me capturing local traffic while navigating to the website.
P.S. If I left out any important information, please let me know so I can include it; I'm still new to the IDS.
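As an added example (not part of the original post, and not Zeek's own code), here is a small parser for the default tab-separated dns.log layout that the posted line follows: 24 columns, with qtype_name in column 14, "-" meaning the field was never set and "(empty)" meaning an empty set or vector. The sample log is constructed: it is the posted line re-joined with tab separators plus a made-up second record (uid, domain, RFC 5737 address) in which Zeek did fill qtype_name. The "infer A/AAAA from the answer addresses" fallback is a heuristic added here, not something Zeek does; its purpose is to make sure a record with an unset qtype_name is surfaced for review rather than silently dropped by code that keys on that field alone.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Default column order of Zeek's dns.log (the #fields header Zeek writes).
# Used when a log arrives without its header, e.g. a line pasted into a mail.
DEFAULT_DNS_FIELDS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto",
    "trans_id", "rtt", "query", "qclass", "qclass_name", "qtype", "qtype_name",
    "rcode", "rcode_name", "AA", "TC", "RD", "RA", "Z", "answers", "TTLs", "rejected",
]
UNSET = "-"          # Zeek's unset_field marker: the field was never assigned
EMPTY = "(empty)"    # Zeek's empty_field marker: a set/vector with no elements
VECTOR_FIELDS = {"answers", "TTLs"}  # comma-separated vectors in dns.log


def parse_dns_log(text: str) -> List[Dict[str, Optional[object]]]:
    """Parse tab-separated dns.log text. Honors a #fields header if present,
    otherwise assumes DEFAULT_DNS_FIELDS. Unset fields become None and
    vector fields become lists, so callers cannot mistake "-" for data."""
    fields = DEFAULT_DNS_FIELDS
    records = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("#"):
            if raw.startswith("#fields\t"):
                fields = raw.split("\t")[1:]
            continue  # #separator, #types, #close, ... carry no records
        cols = raw.split("\t")
        if len(cols) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(cols)}: {raw!r}")
        rec: Dict[str, Optional[object]] = {}
        for name, val in zip(fields, cols):
            if val == UNSET:
                rec[name] = None
            elif name in VECTOR_FIELDS:
                rec[name] = [] if val == EMPTY else val.split(",")
            else:
                rec[name] = val
        records.append(rec)
    return records


def effective_qtype(rec: Dict[str, Optional[object]]) -> Tuple[Optional[str], str]:
    """Return (qtype_name, provenance).
    'logged'   : Zeek filled qtype_name, use it as-is.
    'inferred' : qtype_name unset, but every answer is an IPv4 (-> A) or
                 IPv6 (-> AAAA) literal. Heuristic added here, not Zeek's.
    'unknown'  : cannot tell (no answers, or a CNAME/TXT-style answer)."""
    if rec.get("qtype_name"):
        return str(rec["qtype_name"]), "logged"
    versions = set()
    for ans in rec.get("answers") or []:
        try:
            versions.add(ipaddress.ip_address(ans).version)
        except ValueError:
            return None, "unknown"   # hostname or other non-address answer
    if versions == {4}:
        return "A", "inferred"
    if versions == {6}:
        return "AAAA", "inferred"
    return None, "unknown"


def triage(text: str) -> List[Tuple[Optional[str], Optional[str], str]]:
    """One (query, qtype_name, provenance) tuple per record; anything that is
    not 'logged' is a candidate for manual review of the domain."""
    return [(rec["query"], *effective_qtype(rec)) for rec in parse_dns_log(text)]


# Constructed sample: the posted line with tab separators restored, plus a
# made-up record where Zeek did fill qclass/qtype. Not real captured data.
SAMPLE_LOG = "\n".join([
    "#separator \\x09",
    "#fields\t" + "\t".join(DEFAULT_DNS_FIELDS),
    "\t".join(["1565970799.068532", "CK9bYM3SGJHwpPNW12", "192.168.100.3", "19024",
               "192.168.100.1", "53", "udp", "10896", "-", "rl.ammyy.com", "-", "-",
               "-", "-", "0", "NOERROR", "F", "F", "F", "T", "0", "22.214.171.124",
               "278.000000", "F"]),
    "\t".join(["1565970801.000000", "CmadeUp1234567890x", "192.168.100.3", "19025",
               "192.168.100.1", "53", "udp", "10897", "0.001200", "example.com", "1",
               "C_INTERNET", "1", "A", "0", "NOERROR", "F", "F", "T", "T", "0",
               "192.0.2.10", "300.000000", "F"]),
])

if __name__ == "__main__":
    for query, qtype, source in triage(SAMPLE_LOG):
        print(f"{query:20} qtype={qtype!s:6} ({source})")
```

Feeding a real dns.log to parse_dns_log works unchanged because it reads the #fields header, so a site that has added or reordered columns is still parsed correctly; the hard-coded default only matters for header-less fragments like the one posted.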