2 Aug
2020
2 Aug
'20
8:46 p.m.
Hi
I'm investigating dns.log file with below command:
cat dns.log | bro-cut id.orig_h query | sort -r | uniq -c
and in output i see this line:
1 10.10.27.15 *\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
but i do not know what is this and what is meaning.
please let me know what is meaning and does it mean a threat or not?
Regards,
Mahdi
3 Aug
3 Aug
4 a.m.
That is netbios lookups. What is the port?
Shane
On Sun, Aug 2, 2020, 23:48 Mahdi Bashiri <mahdi.bashiri(a)gmail.com> wrote:
Hi
I'm investigating dns.log file with below command:
cat dns.log | bro-cut id.orig_h query | sort -r | uniq -c
and in output i see this line:
1 10.10.27.15 *\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
but i do not know what is this and what is meaning.
please let me know what is meaning and does it mean a threat or not?
Regards,
Mahdi
zeek mailing list -- zeek(a)lists.zeek.org
To unsubscribe send an email to zeek-leave(a)lists.zeek.org
7:44 a.m.
Mahdi,
I have seen this data as well in the DNS log. From what we've been able to
determine it is not DNS traffic but name resolution over NetBIOS.
Thank you,
Jeff Lang
---------------------------------------------------
Jeffry Lang
Director Cyber Defense Operations
IT Security Operations (0284)
1300 Torgersen Hall, Virginia Tech
620 Drillfield Dr.
Blacksburg VA 24061
540-231-4117
jefflang(a)vt.edu
On Sun, Aug 2, 2020 at 11:48 PM Mahdi Bashiri <mahdi.bashiri(a)gmail.com>
wrote:
Hi
I'm investigating dns.log file with below command:
cat dns.log | bro-cut id.orig_h query | sort -r | uniq -c
and in output i see this line:
1 10.10.27.15 *\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
but i do not know what is this and what is meaning.
please let me know what is meaning and does it mean a threat or not?
Regards,
Mahdi
zeek mailing list -- zeek(a)lists.zeek.org
To unsubscribe send an email to zeek-leave(a)lists.zeek.org
5 Aug
5 Aug
7:10 a.m.
we see that commonly with port 5353, multicast DNS. It has also resulted in a lot of
noise, so we ended up removing 5353 from the config.
690
days inactive
692
days old
3 comments
4 participants
participants (4)
-
Jeffry Lang -
kiran@vangaveti.com -
Mahdi Bashiri -
Shane Mullins