can't issue DNS

[gnomex]

I've been trying to run your image to analyse my pcaps and I got some issues

Running as described in the README:

docker run --rm -v <custom_path>:/pcap -v <custom_path>/local.bro:/usr/local/share/bro/site/local.bro blacktop/bro -C -r 100000.pcap local
WARNING: No Site::local_nets have been defined.  It's usually a good idea to define your local networks.
1489729328.697138 warning: can't issue DNS request
1489729360.105610 warning: can't issue DNS request
1489729371.531733 warning: can't issue DNS request
1489729474.622960 warning: can't issue DNS request
1489729492.326755 warning: can't issue DNS request
1489729494.033201 warning: can't issue DNS request
1489729590.499785 warning: can't issue DNS request

docker run --rm -v <custom_path>:/pcap -v <custom_path>/local.bro:/usr/local/share/bro/site/local.bro blacktop/bro -C -r 100000.pcap local "Site::local_nets += { 192.168.11.0/24 }"
1489729328.697138 warning in <params>, line 1: can't issue DNS request
1489729360.105610 warning in <params>, line 1: can't issue DNS request
1489729371.531733 warning in <params>, line 1: can't issue DNS request
1489729474.622960 warning in <params>, line 1: can't issue DNS request
1489729492.326755 warning in <params>, line 1: can't issue DNS request
1489729494.033201 warning in <params>, line 1: can't issue DNS request
1489729590.499785 warning in <params>, line 1: can't issue DNS request

I've tried with 192.168.11.0/24, 127.0.0.11/24, 127.0.0.11/16, 172.17.0.1/16

And

docker run --rm -v <custom_path>:/pcap -v <custom_path>/local.bro:/usr/local/share/bro/site/local.bro blacktop/bro -C -r 100000.pcap"
# returns nothing, even the notice file is missing

The pcap file has malicious traffic.

Testing DNS with another image:

docker run -it --rm busybox sh -c 'cat /etc/resolv.conf && echo && nslookup google.com'
nameserver 8.8.8.8
nameserver 8.8.4.4

Server:    8.8.8.8
Address 1: 8.8.8.8 google-public-dns-a.google.com

Name:      google.com
Address 1: 2800:3f0:4001:80d::200e
Address 2: 216.58.202.110 gru06s10-in-f110.1e100.net

Can you help me to fix it?

[blacktop]

I think this might be related to this: gliderlabs/docker-alpine#255 (comment)

[blacktop]

I'm still looking into it, but these warnings might not be actual DNS failures?

$ docker run --rm -it --entrypoint=sh blacktop/bro:2.5 -c 'cat /etc/resolv.conf && echo && nslookup google.com'

# Generated by dhcpcd from eth0.dhcp
# /etc/resolv.conf.head can replace this line
nameserver 192.168.65.1
# /etc/resolv.conf.tail can replace this line

nslookup: can't resolve '(null)': Name does not resolve

Name:      google.com
Address 1: 172.217.11.238 den02s01-in-f14.1e100.net

---

$ docker run --rm -it --entrypoint=sh --dns=8.8.8.8 blacktop/bro:2.5 -c 'cat /etc/resolv.conf && echo && nslookup google.com'

nameserver 8.8.8.8

nslookup: can't resolve '(null)': Name does not resolve

Name:      google.com
Address 1: 172.217.11.238 den02s01-in-f14.1e100.net
Address 2: 2607:f8b0:400f:800::200e den02s01-in-x0e.1e100.net

[blacktop]

In your last cmd try adding local after the pcap

[gnomex]

You are right, the warning is an alpine issue.

The pcap I am testing is located at packet total

docker run --rm -v /<custom_path>:/pcap -v /<custom_path>/local.bro:/usr/local/share/bro/site/local.bro blacktop/bro -C -r 100000.pcap local 
WARNING: No Site::local_nets have been defined.  It's usually a good idea to define your local networks.
1489729328.697138 warning: can't issue DNS request
1489729360.105610 warning: can't issue DNS request
1489729371.531733 warning: can't issue DNS request
1489729474.622960 warning: can't issue DNS request
1489729492.326755 warning: can't issue DNS request
1489729494.033201 warning: can't issue DNS request
1489729590.499785 warning: can't issue DNS request

The only missing file is the notice.log, maybe it's a bad configuration, I am going to tune bro parameters and scripts

[blacktop]

👍 I'm going to close this out, but feel free to re-open or make a new issue if there is still a problem.