Hi, I am running Bro 2.1 on Security Onion 12.04-2 updated to the latest available packages.
It looks like Bro's DNS analyzer is not assigning the correct rcode and rcode_name in the output log when the query is of type A and the server answers with an rcode=3 (NXDOMAIN): instead, it puts a dash "-" in both fields, like this:
that is, exploded:
The only case in which I see those values set correctly (rcode: 3, rcode_name: NXDOMAIN) is when Bro is logging a PTR query:
The attachment is a screenshot from a wireshark capture of the DNS query showing that the server is actually answering with NXDOMAIN.
The only change I made to the default configuration was to enable the extraction of executable files from HTTP and SMTP flows, so this should have nothing to do with this issue.
Should you need any more info about my setup, please let me know.
Bro 2.1 running on SecurityOnion 12.04-2
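As an added example (not code from this thread or from Bro itself), the snippet below shows where the rcode that dns.log should carry actually comes from: the low four bits of the flags word in the DNS header, independent of whether the question is an A or a PTR record. It builds two constructed NXDOMAIN responses (the names are made up) and derives Bro-style rcode/rcode_name fields from both.

```python
import struct

# Standard DNS RCODE and QTYPE names (RFC 1035); only the common ones are listed.
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED"}
QTYPE_NAMES = {1: "A", 12: "PTR", 28: "AAAA"}

def encode_name(name: str) -> bytes:
    """Encode a dotted name as a DNS label sequence (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def decode_name(msg: bytes, off: int):
    """Decode an uncompressed label sequence at off; returns (name, next offset)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointers not handled in this example")
        labels.append(msg[off:off + n].decode())
        off += n
    return ".".join(labels), off

def build_response(txid: int, qname: str, qtype: int, rcode: int) -> bytes:
    """Constructed server response: QR=1, RD=1, RA=1, one question, no answers."""
    flags = 0x8180 | (rcode & 0xF)          # RCODE lives in the low 4 bits
    header = struct.pack("!6H", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN

def dns_log_fields(msg: bytes) -> dict:
    """Derive the dns.log-style fields from a raw DNS response message."""
    txid, flags, qdcount, *_ = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0xF
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"trans_id": txid, "query": qname,
            "qtype": qtype, "qtype_name": QTYPE_NAMES.get(qtype, str(qtype)),
            "rcode": rcode, "rcode_name": RCODE_NAMES.get(rcode, "-")}

if __name__ == "__main__":
    # Both an A and a PTR question answered with NXDOMAIN should yield rcode 3.
    print(dns_log_fields(build_response(0x1234, "nonexistent.example.invalid", 1, 3)))
    print(dns_log_fields(build_response(0x1235, "4.3.2.1.in-addr.arpa", 12, 3)))
```

Running it against the flags word seen in a capture (0x8183 for the constructed A response here) is a quick way to confirm what the server returned before attributing a missing value to the analyzer.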
It seems to be working correctly for me. Could you send a packet capture that exhibits the problem?
PCAP file containing a request and response for a nonexistent domain; the server is answering with RCODE=3 (NXDOMAIN).
This happens both with my internal DNS server and with Google's 126.96.36.199.
By the way, the logs I pasted above are extracted from ELSA; however, things don't change if I read Bro's logs directly:
It's fixed in 2.2 (git master). I think this was related to some bugs I fixed a while ago in the DNS base scripts. I'm closing the ticket because we aren't going to backport the fix to prior releases.
Thanks Seth, I'll wait for Doug to include Bro 2.2 in Security Onion