known-services missing some DNS connections? #455

Open
mauropalumbo75 opened this issue Jul 8, 2019 · 0 comments
commented Jul 8, 2019

I believe some DNS connections are missing in the known-services log because of this `if` statement:

```zeek
if ( "DNS" in c$service && c$resp$size == 0 )
        # For dns, require that the server talks.
        return;
}
```

in the script known-services.zeek. The above `if` statement is sometimes evaluated after protocol confirmation but before the field `c$resp$size` has been properly filled, which happens some time later for each connection. I attach a couple of pcap files where the problem occurs.

dns-caa.pcap.gz
http.cap.gz

I am not sure there is an easy fix for this. I doubt trying to fill `c$resp$size` earlier in a connection's lifetime is the right way to go. Alternatively, one could log known-services for DNS only when the connection ends (using the event `connection_state_remove`), but in this way it would be logged quite a bit later...
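The deferred alternative mentioned in the issue, written out as an added example that is not code from the Zeek project or from the issue author. Rather than touching `known-services.zeek` internals, it writes its own log stream at `connection_state_remove`, the point at which `c$resp$size` is final, and applies the same "the server must talk" rule. The module name `DNSServersDeferred`, the log path, the record fields and the one-day expiry are assumptions chosen for this example; it assumes Zeek 3.0 or later (`zeek_init`).

```zeek
# Added example, not part of Zeek or of this issue: record a DNS server
# only once its connection is removed, when c$resp$size reflects everything
# the server actually sent. Module/log/field names are assumptions.
module DNSServersDeferred;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ## Time the connection was removed (when the decision is made).
        ts:        time  &log;
        ## Responder address and port, i.e. the DNS server.
        host:      addr  &log;
        port_num:  port  &log;
        ## Bytes the server sent; zero means it never answered.
        resp_size: count &log;
    };

    ## Servers already logged, so each host/port pair is reported once.
    global seen: set[addr, port] &create_expire = 1 day;
}

event zeek_init()
    {
    Log::create_stream(LOG, [$columns=Info, $path="dns_servers_deferred"]);
    }

# connection_state_remove fires after the connection has been fully
# accounted for, so the size check cannot race protocol confirmation.
event connection_state_remove(c: connection)
    {
    if ( "DNS" !in c$service )
        return;

    # Same rule as known-services.zeek: require that the server talks.
    if ( c$resp$size == 0 )
        return;

    if ( [c$id$resp_h, c$id$resp_p] in seen )
        return;

    add seen[c$id$resp_h, c$id$resp_p];

    Log::write(LOG, [$ts=network_time(), $host=c$id$resp_h,
                     $port_num=c$id$resp_p, $resp_size=c$resp$size]);
    }
```

Run it against one of the attached captures with `zeek -r dns-caa.pcap dns_servers_deferred.zeek` and compare `dns_servers_deferred.log` with `known_services.log`: a server that answered but was dropped by the early size check should appear in the former. The trade-off is the one the issue notes: the entry is written when the connection is removed, which for UDP DNS is governed by the inactivity timeout, so it lands later than a protocol-confirmation-time entry would.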
