From: Jason Ish
Date: Thu, 4 Jul 2024 23:49:58 +0000 (-0600)
Subject: bug-1158: dns v2 and v3 tests
X-Git-Tag: suricata-7.0.7~54
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=aef696ae6f181106fe37e9a99731823bc948b14d;p=thirdparty%2Fsuricata-verify.git
bug-1158: dns v2 and v3 tests
As this is a DNS test, also move into the dns/ folder.
---
diff --git a/tests/bug-1158/input.pcap b/tests/dns/bug-1158/input.pcap
similarity index 100%
rename from tests/bug-1158/input.pcap
rename to tests/dns/bug-1158/input.pcap
diff --git a/tests/dns/bug-1158/test.yaml b/tests/dns/bug-1158/test.yaml
new file mode 100644
index 000000000..5da1f2444
--- /dev/null
+++ b/tests/dns/bug-1158/test.yaml
@@ -0,0 +1,4223 @@ +requires: + min-version: 8 + +args: +- -k none + +checks: +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 49711 + dns.queries[0].rrname: AAAAAO1kQA.=auth.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 0 + dns.type: request + event_type: dns + pcap_cnt: 1 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAO1kAFE5TE9QTjFFN09RN1lYSDk + dns.answers[0].rrname: AAAAAO1kQA.=auth.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: AAAAAO1kQA.=auth.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAO1kAFE5TE9QTjFFN09RN1lYSDk + dns.grouped.TXT[1]: '' + dns.id: 49711 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: AAAAAO1kQA.=auth.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 2 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 45160 + dns.queries[0].rrname: hvOBgAABAEI5ODFGMjk4MEMyRTFFOEZDREI1MEZGRTA2OEIxQzMwODcyQTlBQjc.=auth.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 2 + dns.type: request + event_type: dns + pcap_cnt: 3 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvOBgAABAA + dns.answers[0].rrname: hvOBgAABAEI5ODFGMjk4MEMyRTFFOEZDREI1MEZGRTA2OEIxQzMwODcyQTlBQjc.=auth.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: 
hvOBgAABAEI5ODFGMjk4MEMyRTFFOEZDREI1MEZGRTA2OEIxQzMwODcyQTlBQjc.=auth.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvOBgAABAA + dns.grouped.TXT[1]: '' + dns.id: 45160 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvOBgAABAEI5ODFGMjk4MEMyRTFFOEZDREI1MEZGRTA2OEIxQzMwODcyQTlBQjc.=auth.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 4 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 45946 + dns.queries[0].rrname: hvP1kF5BAHNzaA.=connect.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 4 + dns.type: request + event_type: dns + pcap_cnt: 5 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvP1kF5BAA + dns.answers[0].rrname: hvP1kF5BAHNzaA.=connect.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvP1kF5BAHNzaA.=connect.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvP1kF5BAA + dns.grouped.TXT[1]: '' + dns.id: 45946 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvP1kF5BAHNzaA.=connect.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 6 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 20792 
+ dns.queries[0].rrname: hvMAAAABBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 6 + dns.type: request + event_type: dns + pcap_cnt: 7 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAABGFNTSC0yLjAtT3BlblNTSF81LjVwMSBEZWJpYW4tNitzcXVlZXplMg + dns.answers[0].rrname: hvMAAAABBA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: 0K + dns.answers[1].rrname: hvMAAAABBA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.answers[2].rdata: '' + dns.answers[2].rrname: hvMAAAABBA.srv.tunnel.com + dns.answers[2].rrtype: TXT + dns.answers[2].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAABGFNTSC0yLjAtT3BlblNTSF81LjVwMSBEZWJpYW4tNitzcXVlZXplMg + dns.grouped.TXT[1]: 0K + dns.grouped.TXT[2]: '' + dns.id: 20792 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMAAAABBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 8 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 6169 + dns.queries[0].rrname: hvMAAQACBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 8 + dns.type: request + event_type: dns + pcap_cnt: 9 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 3701 + dns.queries[0].rrname: hvMAAAADCFNTSC0yLjAtT3BlblNTSF82LjBwMSBEZWJpYW4tNA0K.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 9 + dns.type: request + event_type: dns + pcap_cnt: 10 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 
53 + dns.id: 61227 + dns.queries[0].rrname: hvMAAAAEBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 10 + dns.type: request + event_type: dns + pcap_cnt: 11 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 25286 + dns.queries[0].rrname: hvMAAAAFCAAABPQIFCP3jBGyCsqKjf9o1jmtOwgAAAC3ZWNkaC1zaGEyLW5pc3R.wMjU2LGVjZGgtc2hhMi1uaXN0cDM4NCxlY2RoLXNoYTItbmlzdHA1MjEsZGlmZm.llLWhlbGxtYW4tZ3JvdXAtZXhjaGFuZ2Utc2hhMjU2LGRpZmZp.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 11 + dns.type: request + event_type: dns + pcap_cnt: 12 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 16087 + dns.queries[0].rrname: hvMAAAAGBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 12 + dns.type: request + event_type: dns + pcap_cnt: 13 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 35836 + dns.queries[0].rrname: hvMAAAAHCGUtaGVsbG1hbi1ncm91cC1leGNoYW5nZS1zaGExLGRpZmZpZS1oZWx.sbWFuLWdyb3VwMTQtc2hhMSxkaWZmaWUtaGVsbG1hbi1ncm91cDEtc2hhMQAAAT.pzc2gtcnNhLWNlcnQtdjAxQG9wZW5zc2guY29tLHNzaC1yc2Et.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 13 + dns.type: request + event_type: dns + pcap_cnt: 14 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 40074 + dns.queries[0].rrname: hvMAAAAIBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 14 + dns.type: request + event_type: dns + pcap_cnt: 15 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 12387 + dns.queries[0].rrname: 
hvMAAAAJCGNlcnQtdjAwQG9wZW5zc2guY29tLHNzaC1yc2EsZWNkc2Etc2hhMi1.uaXN0cDI1Ni1jZXJ0LXYwMUBvcGVuc3NoLmNvbSxlY2RzYS1zaGEyLW5pc3RwMz.g0LWNlcnQtdjAxQG9wZW5zc2guY29tLGVjZHNhLXNoYTItbmlz.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 15 + dns.type: request + event_type: dns + pcap_cnt: 16 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 38415 + dns.queries[0].rrname: hvMAAAAKBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 16 + dns.type: request + event_type: dns + pcap_cnt: 17 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 25222 + dns.queries[0].rrname: hvMAAAALCHRwNTIxLWNlcnQtdjAxQG9wZW5zc2guY29tLHNzaC1kc3MtY2VydC1.2MDFAb3BlbnNzaC5jb20sc3NoLWRzcy1jZXJ0LXYwMEBvcGVuc3NoLmNvbSxlY2.RzYS1zaGEyLW5pc3RwMjU2LGVjZHNhLXNoYTItbmlzdHAzODQs.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 17 + dns.type: request + event_type: dns + pcap_cnt: 18 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 20916 + dns.queries[0].rrname: hvMAAAAMBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 18 + dns.type: request + event_type: dns + pcap_cnt: 19 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 17352 + dns.queries[0].rrname: hvMAAAANCGVjZHNhLXNoYTItbmlzdHA1MjEsc3NoLWRzcwAAAJ1hZXMxMjgtY3R.yLGFlczE5Mi1jdHIsYWVzMjU2LWN0cixhcmNmb3VyMjU2LGFyY2ZvdXIxMjgsYW.VzMTI4LWNiYywzZGVzLWNiYyxibG93ZmlzaC1jYmMsY2FzdDEy.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 19 + dns.type: request + event_type: dns + pcap_cnt: 20 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 9521 + dns.queries[0].rrname: hvMAAAAOBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + 
dns.tx_id: 20 + dns.type: request + event_type: dns + pcap_cnt: 21 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 36146 + dns.queries[0].rrname: hvMAAAAPCDgtY2JjLGFlczE5Mi1jYmMsYWVzMjU2LWNiYyxhcmNmb3VyLHJpam5.kYWVsLWNiY0BseXNhdG9yLmxpdS5zZQAAAJ1hZXMxMjgtY3RyLGFlczE5Mi1jdH.IsYWVzMjU2LWN0cixhcmNmb3VyMjU2LGFyY2ZvdXIxMjgsYWVz.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 21 + dns.type: request + event_type: dns + pcap_cnt: 22 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 30696 + dns.queries[0].rrname: hvMAAAAQBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 22 + dns.type: request + event_type: dns + pcap_cnt: 23 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 18507 + dns.queries[0].rrname: hvMAAAARCDEyOC1jYmMsM2Rlcy1jYmMsYmxvd2Zpc2gtY2JjLGNhc3QxMjgtY2J.jLGFlczE5Mi1jYmMsYWVzMjU2LWNiYyxhcmNmb3VyLHJpam5kYWVsLWNiY0BseX.NhdG9yLmxpdS5zZQAAAKdobWFjLW1kNSxobWFjLXNoYTEsdW1h.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 23 + dns.type: request + event_type: dns + pcap_cnt: 24 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 3486 + dns.queries[0].rrname: hvMAAAASCGMtNjRAb3BlbnNzaC5jb20saG1hYy1zaGEyLTI1NixobWFjLXNoYTI.tMjU2LTk2LGhtYWMtc2hhMi01MTIsaG1hYy1zaGEyLTUxMi05NixobWFjLXJpcG.VtZDE2MCxobWFjLXJpcGVtZDE2MEBvcGVuc3NoLmNvbSxobWFj.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 24 + dns.type: request + event_type: dns + pcap_cnt: 25 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 65517 + dns.queries[0].rrname: 
hvMAAAATCC1zaGExLTk2LGhtYWMtbWQ1LTk2AAAAp2htYWMtbWQ1LGhtYWMtc2h.hMSx1bWFjLTY0QG9wZW5zc2guY29tLGhtYWMtc2hhMi0yNTYsaG1hYy1zaGEyLT.I1Ni05NixobWFjLXNoYTItNTEyLGhtYWMtc2hhMi01MTItOTYs.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 25 + dns.type: request + event_type: dns + pcap_cnt: 26 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 23977 + dns.queries[0].rrname: hvMAAAAUCGhtYWMtcmlwZW1kMTYwLGhtYWMtcmlwZW1kMTYwQG9wZW5zc2guY29.tLGhtYWMtc2hhMS05NixobWFjLW1kNS05NgAAABpub25lLHpsaWJAb3BlbnNzaC.5jb20semxpYgAAABpub25lLHpsaWJAb3BlbnNzaC5jb20semxp.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 26 + dns.type: request + event_type: dns + pcap_cnt: 27 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 31995 + dns.queries[0].rrname: hvMAAAAVCGIAAAAAAAAAAAAAAAAAAAAAAAAAAAA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 27 + dns.type: request + event_type: dns + pcap_cnt: 28 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAACGAAAAwwKFGdhVAbbSHrj0XO0W/RFatoAAAB+ZGlmZmllLWhlbGxtYW + dns.answers[0].rrname: hvMAAQACBA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: 4tZ3JvdXAtZXhjaGFuZ2Utc2hhMjU2LGRpZmZpZS1oZWxsbWFuLWdyb3VwLWV4Y + dns.answers[1].rrname: hvMAAQACBA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.answers[2].rdata: 2hhbmdlLXNoYTEsZGlmZmllLWhlbGxtYW4tZ3JvdXAxNC1zaGExLGRpZmZpZS1o + dns.answers[2].rrname: hvMAAQACBA.srv.tunnel.com + dns.answers[2].rrtype: TXT + dns.answers[2].ttl: 3 + dns.answers[3].rdata: ZWxsbWFuLWdyb3VwMS1zaGExAAAAD3NzaC1yc2Esc3NoLWRzcwAAAJ1hZXMxMjg + dns.answers[3].rrname: hvMAAQACBA.srv.tunnel.com + dns.answers[3].rrtype: TXT + dns.answers[3].ttl: 3 + dns.answers[4].rdata: 
tY3RyLGFlczE5Mi1jdHIsYWVzMjU2LWN0cixhcmNmb3VyMjU2LGFyY2ZvdXIxMj + dns.answers[4].rrname: hvMAAQACBA.srv.tunnel.com + dns.answers[4].rrtype: TXT + dns.answers[4].ttl: 3 + dns.answers[5].rdata: gsYWVzMTI4LWNiYywzZGVzLWNiYyxibG93ZmlzaC1jYmMsY2FzdDEyOC1jYmMsY + dns.answers[5].rrname: hvMAAQACBA.srv.tunnel.com + dns.answers[5].rrtype: TXT + dns.answers[5].ttl: 3 + dns.answers[6].rdata: WVzMTkyLWNiYyxhZXM + dns.answers[6].rrname: hvMAAQACBA.srv.tunnel.com + dns.answers[6].rrtype: TXT + dns.answers[6].ttl: 3 + dns.answers[7].rdata: '' + dns.answers[7].rrname: hvMAAQACBA.srv.tunnel.com + dns.answers[7].rrtype: TXT + dns.answers[7].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAACGAAAAwwKFGdhVAbbSHrj0XO0W/RFatoAAAB+ZGlmZmllLWhlbGxtYW + dns.grouped.TXT[1]: 4tZ3JvdXAtZXhjaGFuZ2Utc2hhMjU2LGRpZmZpZS1oZWxsbWFuLWdyb3VwLWV4Y + dns.grouped.TXT[2]: 2hhbmdlLXNoYTEsZGlmZmllLWhlbGxtYW4tZ3JvdXAxNC1zaGExLGRpZmZpZS1o + dns.grouped.TXT[3]: ZWxsbWFuLWdyb3VwMS1zaGExAAAAD3NzaC1yc2Esc3NoLWRzcwAAAJ1hZXMxMjg + dns.grouped.TXT[4]: tY3RyLGFlczE5Mi1jdHIsYWVzMjU2LWN0cixhcmNmb3VyMjU2LGFyY2ZvdXIxMj + dns.grouped.TXT[5]: gsYWVzMTI4LWNiYywzZGVzLWNiYyxibG93ZmlzaC1jYmMsY2FzdDEyOC1jYmMsY + dns.grouped.TXT[6]: WVzMTkyLWNiYyxhZXM + dns.grouped.TXT[7]: '' + dns.id: 6169 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMAAQACBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 29 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAADGDI1Ni1jYmMsYXJjZm91cixyaWpuZGFlbC1jYmNAbHlzYXRvci5saX + dns.answers[0].rrname: hvMAAAADCFNTSC0yLjAtT3BlblNTSF82LjBwMSBEZWJpYW4tNA0K.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + 
dns.answers[1].rdata: Uuc2UAAACdYWVzMTI4LWN0cixhZXMxOTItY3RyLGFlczI1Ni1jdHIsYXJjZm91c + dns.answers[1].rrname: hvMAAAADCFNTSC0yLjAtT3BlblNTSF82LjBwMSBEZWJpYW4tNA0K.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.answers[2].rdata: jI1NixhcmNmb3VyMTI4LGFlczEyOC1jYmMsM2Rlcy1jYmMsYmxvd2Zpc2gtY2Jj + dns.answers[2].rrname: hvMAAAADCFNTSC0yLjAtT3BlblNTSF82LjBwMSBEZWJpYW4tNA0K.srv.tunnel.com + dns.answers[2].rrtype: TXT + dns.answers[2].ttl: 3 + dns.answers[3].rdata: LGNhc3QxMjgtY2JjLGFlczE5Mi1jYmMsYWVzMjU2LWNiYyxhcmNmb3VyLHJpam5 + dns.answers[3].rrname: hvMAAAADCFNTSC0yLjAtT3BlblNTSF82LjBwMSBEZWJpYW4tNA0K.srv.tunnel.com + dns.answers[3].rrtype: TXT + dns.answers[3].ttl: 3 + dns.answers[4].rdata: kYWVsLWNiY0BseXNhdG9yLmxpdS5zZQAAAGlobWFjLW1kNSxobWFjLXNoYTEsdW + dns.answers[4].rrname: hvMAAAADCFNTSC0yLjAtT3BlblNTSF82LjBwMSBEZWJpYW4tNA0K.srv.tunnel.com + dns.answers[4].rrtype: TXT + dns.answers[4].ttl: 3 + dns.answers[5].rdata: 1hYy02NEBvcGVuc3NoLmNvbSxobWFjLXJpcGVtZDE + dns.answers[5].rrname: hvMAAAADCFNTSC0yLjAtT3BlblNTSF82LjBwMSBEZWJpYW4tNA0K.srv.tunnel.com + dns.answers[5].rrtype: TXT + dns.answers[5].ttl: 3 + dns.answers[6].rdata: '' + dns.answers[6].rrname: hvMAAAADCFNTSC0yLjAtT3BlblNTSF82LjBwMSBEZWJpYW4tNA0K.srv.tunnel.com + dns.answers[6].rrtype: TXT + dns.answers[6].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAADGDI1Ni1jYmMsYXJjZm91cixyaWpuZGFlbC1jYmNAbHlzYXRvci5saX + dns.grouped.TXT[1]: Uuc2UAAACdYWVzMTI4LWN0cixhZXMxOTItY3RyLGFlczI1Ni1jdHIsYXJjZm91c + dns.grouped.TXT[2]: jI1NixhcmNmb3VyMTI4LGFlczEyOC1jYmMsM2Rlcy1jYmMsYmxvd2Zpc2gtY2Jj + dns.grouped.TXT[3]: LGNhc3QxMjgtY2JjLGFlczE5Mi1jYmMsYWVzMjU2LWNiYyxhcmNmb3VyLHJpam5 + dns.grouped.TXT[4]: kYWVsLWNiY0BseXNhdG9yLmxpdS5zZQAAAGlobWFjLW1kNSxobWFjLXNoYTEsdW + dns.grouped.TXT[5]: 1hYy02NEBvcGVuc3NoLmNvbSxobWFjLXJpcGVtZDE + 
dns.grouped.TXT[6]: '' + dns.id: 3701 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMAAAADCFNTSC0yLjAtT3BlblNTSF82LjBwMSBEZWJpYW4tNA0K.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 30 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAAEGDYwLGhtYWMtcmlwZW1kMTYwQG9wZW5zc2guY29tLGhtYWMtc2hhMS + dns.answers[0].rrname: hvMAAAAEBA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: 05NixobWFjLW1kNS05NgAAAGlobWFjLW1kNSxobWFjLXNoYTEsdW1hYy02NEBvc + dns.answers[1].rrname: hvMAAAAEBA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.answers[2].rdata: GVuc3NoLmNvbSxobWFjLXJpcGVtZDE2MCxobWFjLXJpcGVtZDE2MEBvcGVuc3No + dns.answers[2].rrname: hvMAAAAEBA.srv.tunnel.com + dns.answers[2].rrtype: TXT + dns.answers[2].ttl: 3 + dns.answers[3].rdata: LmNvbSxobWFjLXNoYTEtOTYsaG1hYy1tZDUtOTYAAAAVbm9uZSx6bGliQG9wZW5 + dns.answers[3].rrname: hvMAAAAEBA.srv.tunnel.com + dns.answers[3].rrtype: TXT + dns.answers[3].ttl: 3 + dns.answers[4].rdata: zc2guY29tAAAAFW5vbmUsemxpYkBvcGVuc3NoLmNvbQAAAAAAAAAAAAAAAAAAAA + dns.answers[4].rrname: hvMAAAAEBA.srv.tunnel.com + dns.answers[4].rrtype: TXT + dns.answers[4].ttl: 3 + dns.answers[5].rdata: AAAAAAAAAA + dns.answers[5].rrname: hvMAAAAEBA.srv.tunnel.com + dns.answers[5].rrtype: TXT + dns.answers[5].ttl: 3 + dns.answers[6].rdata: '' + dns.answers[6].rrname: hvMAAAAEBA.srv.tunnel.com + dns.answers[6].rrtype: TXT + dns.answers[6].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAAEGDYwLGhtYWMtcmlwZW1kMTYwQG9wZW5zc2guY29tLGhtYWMtc2hhMS + dns.grouped.TXT[1]: 05NixobWFjLW1kNS05NgAAAGlobWFjLW1kNSxobWFjLXNoYTEsdW1hYy02NEBvc + 
dns.grouped.TXT[2]: GVuc3NoLmNvbSxobWFjLXJpcGVtZDE2MCxobWFjLXJpcGVtZDE2MEBvcGVuc3No + dns.grouped.TXT[3]: LmNvbSxobWFjLXNoYTEtOTYsaG1hYy1tZDUtOTYAAAAVbm9uZSx6bGliQG9wZW5 + dns.grouped.TXT[4]: zc2guY29tAAAAFW5vbmUsemxpYkBvcGVuc3NoLmNvbQAAAAAAAAAAAAAAAAAAAA + dns.grouped.TXT[5]: AAAAAAAAAA + dns.grouped.TXT[6]: '' + dns.id: 61227 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMAAAAEBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 31 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 4289 + dns.queries[0].rrname: hvMAAgAWBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 31 + dns.type: request + event_type: dns + pcap_cnt: 32 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 53836 + dns.queries[0].rrname: hvMAAwAXCAAAABQGIgAABAAAAAQAAAAgAAAAAAAAAA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 32 + dns.type: request + event_type: dns + pcap_cnt: 33 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 44271 + dns.queries[0].rrname: hvMABAAYBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 33 + dns.type: request + event_type: dns + pcap_cnt: 34 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAAFEA + dns.answers[0].rrname: hvMAAAAFCAAABPQIFCP3jBGyCsqKjf9o1jmtOwgAAAC3ZWNkaC1zaGEyLW5pc3R.wMjU2LGVjZGgtc2hhMi1uaXN0cDM4NCxlY2RoLXNoYTItbmlzdHA1MjEsZGlmZm.llLWhlbGxtYW4tZ3JvdXAtZXhjaGFuZ2Utc2hhMjU2LGRpZmZp.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: 
hvMAAAAFCAAABPQIFCP3jBGyCsqKjf9o1jmtOwgAAAC3ZWNkaC1zaGEyLW5pc3R.wMjU2LGVjZGgtc2hhMi1uaXN0cDM4NCxlY2RoLXNoYTItbmlzdHA1MjEsZGlmZm.llLWhlbGxtYW4tZ3JvdXAtZXhjaGFuZ2Utc2hhMjU2LGRpZmZp.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAAFEA + dns.grouped.TXT[1]: '' + dns.id: 25286 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMAAAAFCAAABPQIFCP3jBGyCsqKjf9o1jmtOwgAAAC3ZWNkaC1zaGEyLW5pc3R.wMjU2LGVjZGgtc2hhMi1uaXN0cDM4NCxlY2RoLXNoYTItbmlzdHA1MjEsZGlmZm.llLWhlbGxtYW4tZ3JvdXAtZXhjaGFuZ2Utc2hhMjU2LGRpZmZp.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 35 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAAGEA + dns.answers[0].rrname: hvMAAAAGBA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMAAAAGBA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAAGEA + dns.grouped.TXT[1]: '' + dns.id: 16087 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMAAAAGBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 36 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAAHEA + dns.answers[0].rrname: 
hvMAAAAHCGUtaGVsbG1hbi1ncm91cC1leGNoYW5nZS1zaGExLGRpZmZpZS1oZWx.sbWFuLWdyb3VwMTQtc2hhMSxkaWZmaWUtaGVsbG1hbi1ncm91cDEtc2hhMQAAAT.pzc2gtcnNhLWNlcnQtdjAxQG9wZW5zc2guY29tLHNzaC1yc2Et.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMAAAAHCGUtaGVsbG1hbi1ncm91cC1leGNoYW5nZS1zaGExLGRpZmZpZS1oZWx.sbWFuLWdyb3VwMTQtc2hhMSxkaWZmaWUtaGVsbG1hbi1ncm91cDEtc2hhMQAAAT.pzc2gtcnNhLWNlcnQtdjAxQG9wZW5zc2guY29tLHNzaC1yc2Et.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAAHEA + dns.grouped.TXT[1]: '' + dns.id: 35836 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMAAAAHCGUtaGVsbG1hbi1ncm91cC1leGNoYW5nZS1zaGExLGRpZmZpZS1oZWx.sbWFuLWdyb3VwMTQtc2hhMSxkaWZmaWUtaGVsbG1hbi1ncm91cDEtc2hhMQAAAT.pzc2gtcnNhLWNlcnQtdjAxQG9wZW5zc2guY29tLHNzaC1yc2Et.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 37 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAAIEA + dns.answers[0].rrname: hvMAAAAIBA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMAAAAIBA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAAIEA + dns.grouped.TXT[1]: '' + dns.id: 40074 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMAAAAIBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + 
dns.version: 3 + event_type: dns + pcap_cnt: 38 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAAJEA + dns.answers[0].rrname: hvMAAAAJCGNlcnQtdjAwQG9wZW5zc2guY29tLHNzaC1yc2EsZWNkc2Etc2hhMi1.uaXN0cDI1Ni1jZXJ0LXYwMUBvcGVuc3NoLmNvbSxlY2RzYS1zaGEyLW5pc3RwMz.g0LWNlcnQtdjAxQG9wZW5zc2guY29tLGVjZHNhLXNoYTItbmlz.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMAAAAJCGNlcnQtdjAwQG9wZW5zc2guY29tLHNzaC1yc2EsZWNkc2Etc2hhMi1.uaXN0cDI1Ni1jZXJ0LXYwMUBvcGVuc3NoLmNvbSxlY2RzYS1zaGEyLW5pc3RwMz.g0LWNlcnQtdjAxQG9wZW5zc2guY29tLGVjZHNhLXNoYTItbmlz.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAAJEA + dns.grouped.TXT[1]: '' + dns.id: 12387 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMAAAAJCGNlcnQtdjAwQG9wZW5zc2guY29tLHNzaC1yc2EsZWNkc2Etc2hhMi1.uaXN0cDI1Ni1jZXJ0LXYwMUBvcGVuc3NoLmNvbSxlY2RzYS1zaGEyLW5pc3RwMz.g0LWNlcnQtdjAxQG9wZW5zc2guY29tLGVjZHNhLXNoYTItbmlz.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 39 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 3462 + dns.queries[0].rrname: hvMABQAZBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 39 + dns.type: request + event_type: dns + pcap_cnt: 40 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAAKEA + dns.answers[0].rrname: hvMAAAAKBA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + 
dns.answers[1].rrname: hvMAAAAKBA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAAKEA + dns.grouped.TXT[1]: '' + dns.id: 38415 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMAAAAKBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 41 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAALEA + dns.answers[0].rrname: hvMAAAALCHRwNTIxLWNlcnQtdjAxQG9wZW5zc2guY29tLHNzaC1kc3MtY2VydC1.2MDFAb3BlbnNzaC5jb20sc3NoLWRzcy1jZXJ0LXYwMEBvcGVuc3NoLmNvbSxlY2.RzYS1zaGEyLW5pc3RwMjU2LGVjZHNhLXNoYTItbmlzdHAzODQs.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMAAAALCHRwNTIxLWNlcnQtdjAxQG9wZW5zc2guY29tLHNzaC1kc3MtY2VydC1.2MDFAb3BlbnNzaC5jb20sc3NoLWRzcy1jZXJ0LXYwMEBvcGVuc3NoLmNvbSxlY2.RzYS1zaGEyLW5pc3RwMjU2LGVjZHNhLXNoYTItbmlzdHAzODQs.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAALEA + dns.grouped.TXT[1]: '' + dns.id: 25222 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMAAAALCHRwNTIxLWNlcnQtdjAxQG9wZW5zc2guY29tLHNzaC1kc3MtY2VydC1.2MDFAb3BlbnNzaC5jb20sc3NoLWRzcy1jZXJ0LXYwMEBvcGVuc3NoLmNvbSxlY2.RzYS1zaGEyLW5pc3RwMjU2LGVjZHNhLXNoYTItbmlzdHAzODQs.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 42 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + 
count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 52985 + dns.queries[0].rrname: hvMABgAaBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 42 + dns.type: request + event_type: dns + pcap_cnt: 43 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAANEA + dns.answers[0].rrname: hvMAAAANCGVjZHNhLXNoYTItbmlzdHA1MjEsc3NoLWRzcwAAAJ1hZXMxMjgtY3R.yLGFlczE5Mi1jdHIsYWVzMjU2LWN0cixhcmNmb3VyMjU2LGFyY2ZvdXIxMjgsYW.VzMTI4LWNiYywzZGVzLWNiYyxibG93ZmlzaC1jYmMsY2FzdDEy.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMAAAANCGVjZHNhLXNoYTItbmlzdHA1MjEsc3NoLWRzcwAAAJ1hZXMxMjgtY3R.yLGFlczE5Mi1jdHIsYWVzMjU2LWN0cixhcmNmb3VyMjU2LGFyY2ZvdXIxMjgsYW.VzMTI4LWNiYywzZGVzLWNiYyxibG93ZmlzaC1jYmMsY2FzdDEy.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAANEA + dns.grouped.TXT[1]: '' + dns.id: 17352 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMAAAANCGVjZHNhLXNoYTItbmlzdHA1MjEsc3NoLWRzcwAAAJ1hZXMxMjgtY3R.yLGFlczE5Mi1jdHIsYWVzMjU2LWN0cixhcmNmb3VyMjU2LGFyY2ZvdXIxMjgsYW.VzMTI4LWNiYywzZGVzLWNiYyxibG93ZmlzaC1jYmMsY2FzdDEy.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 44 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAAMEA + dns.answers[0].rrname: hvMAAAAMBA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMAAAAMBA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + 
dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAAMEA + dns.grouped.TXT[1]: '' + dns.id: 20916 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMAAAAMBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 45 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 12894 + dns.queries[0].rrname: hvMABwAbBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 45 + dns.type: request + event_type: dns + pcap_cnt: 46 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAAOGAAAAJQIHwAAAIEA3kn8kGmZTDedK2Vj79N++uZ4Xusd0KErCQqsJy + dns.answers[0].rrname: hvMAAAAOBA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: si34xkpKKre5nOC3eppS4IM9UtU7JYzt/9F13Io3Zqm5gHNiZG3JIVYow/SvDgj + dns.answers[1].rrname: hvMAAAAOBA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.answers[2].rdata: QCrYKO55VuuR+gmUdoMFaJzVd2wY2XK4d3eTAyX3JlC/WXphn+lDnLhx4VBHt0o + dns.answers[2].rrname: hvMAAAAOBA.srv.tunnel.com + dns.answers[2].rrtype: TXT + dns.answers[2].ttl: 3 + dns.answers[3].rdata: 3idPj38AAAABBQAAAAAAAAAA + dns.answers[3].rrname: hvMAAAAOBA.srv.tunnel.com + dns.answers[3].rrtype: TXT + dns.answers[3].ttl: 3 + dns.answers[4].rdata: '' + dns.answers[4].rrname: hvMAAAAOBA.srv.tunnel.com + dns.answers[4].rrtype: TXT + dns.answers[4].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAAOGAAAAJQIHwAAAIEA3kn8kGmZTDedK2Vj79N++uZ4Xusd0KErCQqsJy + 
dns.grouped.TXT[1]: si34xkpKKre5nOC3eppS4IM9UtU7JYzt/9F13Io3Zqm5gHNiZG3JIVYow/SvDgj + dns.grouped.TXT[2]: QCrYKO55VuuR+gmUdoMFaJzVd2wY2XK4d3eTAyX3JlC/WXphn+lDnLhx4VBHt0o + dns.grouped.TXT[3]: 3idPj38AAAABBQAAAAAAAAAA + dns.grouped.TXT[4]: '' + dns.id: 9521 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMAAAAOBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 47 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 50286 + dns.queries[0].rrname: hvMACAAcBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 47 + dns.type: request + event_type: dns + pcap_cnt: 48 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 62058 + dns.queries[0].rrname: hvMACQAdCAAAAIwGIAAAAIAx3itE7XsxfNFkKSwpm/QL2R+3hW5GnOrZviY9/TR.O7d2QlxOeCwmGsxERu0+5DKpF6kwJroS1n8v8wLvqu3jSeOjVnYb7Fo3jRoLT3z.mxMiqSuKTuBNWXb5QoROHUYVRZIqMC+OtncdVw0LG0/FO/Kq8n.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 48 + dns.type: request + event_type: dns + pcap_cnt: 49 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 3337 + dns.queries[0].rrname: hvMACgAeBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 49 + dns.type: request + event_type: dns + pcap_cnt: 50 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 12496 + dns.queries[0].rrname: hvMACwAfCJpX6DB9O+5TQ+oIfbIAAAAAAAA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 50 + dns.type: request + event_type: dns + pcap_cnt: 51 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: 
AhvMAAAAPGAAAArwHIQAAARcAAAAHc3NoLXJzYQAAAAMBAAEAAAEBAMeZsgTSPF + dns.answers[0].rrname: hvMAAAAPCDgtY2JjLGFlczE5Mi1jYmMsYWVzMjU2LWNiYyxhcmNmb3VyLHJpam5.kYWVsLWNiY0BseXNhdG9yLmxpdS5zZQAAAJ1hZXMxMjgtY3RyLGFlczE5Mi1jdH.IsYWVzMjU2LWN0cixhcmNmb3VyMjU2LGFyY2ZvdXIxMjgsYWVz.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: iV8e4x6RuZrc6Gfxd+2RW9K9ufjP+ekK5wwrJLS+mnDQgnvpF2tZxwL/lAFrOAC + dns.answers[1].rrname: hvMAAAAPCDgtY2JjLGFlczE5Mi1jYmMsYWVzMjU2LWNiYyxhcmNmb3VyLHJpam5.kYWVsLWNiY0BseXNhdG9yLmxpdS5zZQAAAJ1hZXMxMjgtY3RyLGFlczE5Mi1jdH.IsYWVzMjU2LWN0cixhcmNmb3VyMjU2LGFyY2ZvdXIxMjgsYWVz.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.answers[2].rdata: Bk+gR4d4BHT/+cXkLyWMZ7EVnNCvWZpiHBpCGpW8GPq9N9KaQ4Zj9AQtO2IP1OV + dns.answers[2].rrname: hvMAAAAPCDgtY2JjLGFlczE5Mi1jYmMsYWVzMjU2LWNiYyxhcmNmb3VyLHJpam5.kYWVsLWNiY0BseXNhdG9yLmxpdS5zZQAAAJ1hZXMxMjgtY3RyLGFlczE5Mi1jdH.IsYWVzMjU2LWN0cixhcmNmb3VyMjU2LGFyY2ZvdXIxMjgsYWVz.srv.tunnel.com + dns.answers[2].rrtype: TXT + dns.answers[2].ttl: 3 + dns.answers[3].rdata: eF8hj44cHiLQZODx/D0AqadElCCSrCULKiUxz/kIsw + dns.answers[3].rrname: hvMAAAAPCDgtY2JjLGFlczE5Mi1jYmMsYWVzMjU2LWNiYyxhcmNmb3VyLHJpam5.kYWVsLWNiY0BseXNhdG9yLmxpdS5zZQAAAJ1hZXMxMjgtY3RyLGFlczE5Mi1jdH.IsYWVzMjU2LWN0cixhcmNmb3VyMjU2LGFyY2ZvdXIxMjgsYWVz.srv.tunnel.com + dns.answers[3].rrtype: TXT + dns.answers[3].ttl: 3 + dns.answers[4].rdata: '' + dns.answers[4].rrname: hvMAAAAPCDgtY2JjLGFlczE5Mi1jYmMsYWVzMjU2LWNiYyxhcmNmb3VyLHJpam5.kYWVsLWNiY0BseXNhdG9yLmxpdS5zZQAAAJ1hZXMxMjgtY3RyLGFlczE5Mi1jdH.IsYWVzMjU2LWN0cixhcmNmb3VyMjU2LGFyY2ZvdXIxMjgsYWVz.srv.tunnel.com + dns.answers[4].rrtype: TXT + dns.answers[4].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAAPGAAAArwHIQAAARcAAAAHc3NoLXJzYQAAAAMBAAEAAAEBAMeZsgTSPF + dns.grouped.TXT[1]: 
iV8e4x6RuZrc6Gfxd+2RW9K9ufjP+ekK5wwrJLS+mnDQgnvpF2tZxwL/lAFrOAC + dns.grouped.TXT[2]: Bk+gR4d4BHT/+cXkLyWMZ7EVnNCvWZpiHBpCGpW8GPq9N9KaQ4Zj9AQtO2IP1OV + dns.grouped.TXT[3]: eF8hj44cHiLQZODx/D0AqadElCCSrCULKiUxz/kIsw + dns.grouped.TXT[4]: '' + dns.id: 36146 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMAAAAPCDgtY2JjLGFlczE5Mi1jYmMsYWVzMjU2LWNiYyxhcmNmb3VyLHJpam5.kYWVsLWNiY0BseXNhdG9yLmxpdS5zZQAAAJ1hZXMxMjgtY3RyLGFlczE5Mi1jdH.IsYWVzMjU2LWN0cixhcmNmb3VyMjU2LGFyY2ZvdXIxMjgsYWVz.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 52 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAAQGIRArGzGzvCoATKDPTgtff/srH5ymzbNg0od9vzz4aW8Wr8Tmhh8Hr + dns.answers[0].rrname: hvMAAAAQBA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: i/So62giHi5xFdwsQ+KLKqonfSeIwKD6xYCIOrjZlwkSbikOdoFHtywI4GP2LjL + dns.answers[1].rrname: hvMAAAAQBA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.answers[2].rdata: Axpb3JVkdx2+89Kxn+u2rCrlZnJcksYHrIJclGk1kVXtnsa6gUAAACBAMhe912g + dns.answers[2].rrname: hvMAAAAQBA.srv.tunnel.com + dns.answers[2].rrtype: TXT + dns.answers[2].ttl: 3 + dns.answers[3].rdata: +s8I0s1q6tMOfp/bijbAwkI64/L3S4xe5aE5VAqLH3fbm2QLpp2Rgd4kkg9ArCh + dns.answers[3].rrname: hvMAAAAQBA.srv.tunnel.com + dns.answers[3].rrtype: TXT + dns.answers[3].ttl: 3 + dns.answers[4].rdata: sHuwEtOYMwn/jP8fgSJ7ibU/cjWaWPk1B3JNT41/Ha8WxaQmt+pHOGXk5MdYVWn + dns.answers[4].rrname: hvMAAAAQBA.srv.tunnel.com + dns.answers[4].rrtype: TXT + dns.answers[4].ttl: 3 + dns.answers[5].rdata: CvjI1cDEB7jSSMzC0AGicOJjtzNaufUlhDF3RaAAABDwAAAAdzc2gtcnNhAAABA + dns.answers[5].rrname: hvMAAAAQBA.srv.tunnel.com + dns.answers[5].rrtype: TXT + dns.answers[5].ttl: 3 + dns.answers[6].rdata: IqyUmDDWfgUl2HH8ck + dns.answers[6].rrname: 
hvMAAAAQBA.srv.tunnel.com + dns.answers[6].rrtype: TXT + dns.answers[6].ttl: 3 + dns.answers[7].rdata: '' + dns.answers[7].rrname: hvMAAAAQBA.srv.tunnel.com + dns.answers[7].rrtype: TXT + dns.answers[7].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAAQGIRArGzGzvCoATKDPTgtff/srH5ymzbNg0od9vzz4aW8Wr8Tmhh8Hr + dns.grouped.TXT[1]: i/So62giHi5xFdwsQ+KLKqonfSeIwKD6xYCIOrjZlwkSbikOdoFHtywI4GP2LjL + dns.grouped.TXT[2]: Axpb3JVkdx2+89Kxn+u2rCrlZnJcksYHrIJclGk1kVXtnsa6gUAAACBAMhe912g + dns.grouped.TXT[3]: +s8I0s1q6tMOfp/bijbAwkI64/L3S4xe5aE5VAqLH3fbm2QLpp2Rgd4kkg9ArCh + dns.grouped.TXT[4]: sHuwEtOYMwn/jP8fgSJ7ibU/cjWaWPk1B3JNT41/Ha8WxaQmt+pHOGXk5MdYVWn + dns.grouped.TXT[5]: CvjI1cDEB7jSSMzC0AGicOJjtzNaufUlhDF3RaAAABDwAAAAdzc2gtcnNhAAABA + dns.grouped.TXT[6]: IqyUmDDWfgUl2HH8ck + dns.grouped.TXT[7]: '' + dns.id: 30696 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMAAAAQBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 53 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAARGHmmtcnk3f+Sdke7PQIZOINdGizzHBLu7ItZSOa3Sfc66H+ayaARMf + dns.answers[0].rrname: hvMAAAARCDEyOC1jYmMsM2Rlcy1jYmMsYmxvd2Zpc2gtY2JjLGNhc3QxMjgtY2J.jLGFlczE5Mi1jYmMsYWVzMjU2LWNiYyxhcmNmb3VyLHJpam5kYWVsLWNiY0BseX.NhdG9yLmxpdS5zZQAAAKdobWFjLW1kNSxobWFjLXNoYTEsdW1h.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: lwfPP2a+njpmn5HtTNl2UxUqPVb2OrbM3m+7geFysKJMhoYiKpgLBsPYDQCvIi8 + dns.answers[1].rrname: hvMAAAARCDEyOC1jYmMsM2Rlcy1jYmMsYmxvd2Zpc2gtY2JjLGNhc3QxMjgtY2J.jLGFlczE5Mi1jYmMsYWVzMjU2LWNiYyxhcmNmb3VyLHJpam5kYWVsLWNiY0BseX.NhdG9yLmxpdS5zZQAAAKdobWFjLW1kNSxobWFjLXNoYTEsdW1h.srv.tunnel.com + 
dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.answers[2].rdata: kWqivft9P12bETWInP82wW7q3O0x4ReL1WmSnk8s7TLHQ+zvAolVB6YwlRvx2Qa + dns.answers[2].rrname: hvMAAAARCDEyOC1jYmMsM2Rlcy1jYmMsYmxvd2Zpc2gtY2JjLGNhc3QxMjgtY2J.jLGFlczE5Mi1jYmMsYWVzMjU2LWNiYyxhcmNmb3VyLHJpam5kYWVsLWNiY0BseX.NhdG9yLmxpdS5zZQAAAKdobWFjLW1kNSxobWFjLXNoYTEsdW1h.srv.tunnel.com + dns.answers[2].rrtype: TXT + dns.answers[2].ttl: 3 + dns.answers[3].rdata: KA0Xqikt9TZsCuBmyPLdF3ZEgNoqqN6AYxl5TIXRNw + dns.answers[3].rrname: hvMAAAARCDEyOC1jYmMsM2Rlcy1jYmMsYmxvd2Zpc2gtY2JjLGNhc3QxMjgtY2J.jLGFlczE5Mi1jYmMsYWVzMjU2LWNiYyxhcmNmb3VyLHJpam5kYWVsLWNiY0BseX.NhdG9yLmxpdS5zZQAAAKdobWFjLW1kNSxobWFjLXNoYTEsdW1h.srv.tunnel.com + dns.answers[3].rrtype: TXT + dns.answers[3].ttl: 3 + dns.answers[4].rdata: '' + dns.answers[4].rrname: hvMAAAARCDEyOC1jYmMsM2Rlcy1jYmMsYmxvd2Zpc2gtY2JjLGNhc3QxMjgtY2J.jLGFlczE5Mi1jYmMsYWVzMjU2LWNiYyxhcmNmb3VyLHJpam5kYWVsLWNiY0BseX.NhdG9yLmxpdS5zZQAAAKdobWFjLW1kNSxobWFjLXNoYTEsdW1h.srv.tunnel.com + dns.answers[4].rrtype: TXT + dns.answers[4].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAARGHmmtcnk3f+Sdke7PQIZOINdGizzHBLu7ItZSOa3Sfc66H+ayaARMf + dns.grouped.TXT[1]: lwfPP2a+njpmn5HtTNl2UxUqPVb2OrbM3m+7geFysKJMhoYiKpgLBsPYDQCvIi8 + dns.grouped.TXT[2]: kWqivft9P12bETWInP82wW7q3O0x4ReL1WmSnk8s7TLHQ+zvAolVB6YwlRvx2Qa + dns.grouped.TXT[3]: KA0Xqikt9TZsCuBmyPLdF3ZEgNoqqN6AYxl5TIXRNw + dns.grouped.TXT[4]: '' + dns.id: 18507 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMAAAARCDEyOC1jYmMsM2Rlcy1jYmMsYmxvd2Zpc2gtY2JjLGNhc3QxMjgtY2J.jLGFlczE5Mi1jYmMsYWVzMjU2LWNiYyxhcmNmb3VyLHJpam5kYWVsLWNiY0BseX.NhdG9yLmxpdS5zZQAAAKdobWFjLW1kNSxobWFjLXNoYTEsdW1h.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 54 + proto: UDP + src_ip: 
10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAASGOOTR9NjSUnRhPcUi8LCTvkQlmYrM+Hu9yoyMqR93pNxpgs5RzR4IH + dns.answers[0].rrname: hvMAAAASCGMtNjRAb3BlbnNzaC5jb20saG1hYy1zaGEyLTI1NixobWFjLXNoYTI.tMjU2LTk2LGhtYWMtc2hhMi01MTIsaG1hYy1zaGEyLTUxMi05NixobWFjLXJpcG.VtZDE2MCxobWFjLXJpcGVtZDE2MEBvcGVuc3NoLmNvbSxobWFj.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: GhpafQg/GH9W0U7Tn3dh6CohobHwrADF2VneG2np10ectXoggJCAAAAAAAAAAAA + dns.answers[1].rrname: hvMAAAASCGMtNjRAb3BlbnNzaC5jb20saG1hYy1zaGEyLTI1NixobWFjLXNoYTI.tMjU2LTk2LGhtYWMtc2hhMi01MTIsaG1hYy1zaGEyLTUxMi05NixobWFjLXJpcG.VtZDE2MCxobWFjLXJpcGVtZDE2MEBvcGVuc3NoLmNvbSxobWFj.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.answers[2].rdata: AAMChUAAAAAAAAAAAAA + dns.answers[2].rrname: hvMAAAASCGMtNjRAb3BlbnNzaC5jb20saG1hYy1zaGEyLTI1NixobWFjLXNoYTI.tMjU2LTk2LGhtYWMtc2hhMi01MTIsaG1hYy1zaGEyLTUxMi05NixobWFjLXJpcG.VtZDE2MCxobWFjLXJpcGVtZDE2MEBvcGVuc3NoLmNvbSxobWFj.srv.tunnel.com + dns.answers[2].rrtype: TXT + dns.answers[2].ttl: 3 + dns.answers[3].rdata: '' + dns.answers[3].rrname: hvMAAAASCGMtNjRAb3BlbnNzaC5jb20saG1hYy1zaGEyLTI1NixobWFjLXNoYTI.tMjU2LTk2LGhtYWMtc2hhMi01MTIsaG1hYy1zaGEyLTUxMi05NixobWFjLXJpcG.VtZDE2MCxobWFjLXJpcGVtZDE2MEBvcGVuc3NoLmNvbSxobWFj.srv.tunnel.com + dns.answers[3].rrtype: TXT + dns.answers[3].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAASGOOTR9NjSUnRhPcUi8LCTvkQlmYrM+Hu9yoyMqR93pNxpgs5RzR4IH + dns.grouped.TXT[1]: GhpafQg/GH9W0U7Tn3dh6CohobHwrADF2VneG2np10ectXoggJCAAAAAAAAAAAA + dns.grouped.TXT[2]: AAMChUAAAAAAAAAAAAA + dns.grouped.TXT[3]: '' + dns.id: 3486 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: 
hvMAAAASCGMtNjRAb3BlbnNzaC5jb20saG1hYy1zaGEyLTI1NixobWFjLXNoYTI.tMjU2LTk2LGhtYWMtc2hhMi01MTIsaG1hYy1zaGEyLTUxMi05NixobWFjLXJpcG.VtZDE2MCxobWFjLXJpcGVtZDE2MEBvcGVuc3NoLmNvbSxobWFj.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 55 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 24710 + dns.queries[0].rrname: hvMADAAgBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 55 + dns.type: request + event_type: dns + pcap_cnt: 56 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 14096 + dns.queries[0].rrname: hvMADQAhCAAAAAwKFQAAAAAAAAAAAAA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 56 + dns.type: request + event_type: dns + pcap_cnt: 57 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 6981 + dns.queries[0].rrname: hvMADgAiCA9HZU8tQch3tlBA02t6sZzFinsHVFjV9fsbIgJzGV6aC9IX8jmSF82.xjb4dW8dzrA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 57 + dns.type: request + event_type: dns + pcap_cnt: 58 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAATGNsETPiAXDCPSqttwQTxlKfcbeUws4sTuR3619TSQK3ER/ENcT1ZQP + dns.answers[0].rrname: hvMAAAATCC1zaGExLTk2LGhtYWMtbWQ1LTk2AAAAp2htYWMtbWQ1LGhtYWMtc2h.hMSx1bWFjLTY0QG9wZW5zc2guY29tLGhtYWMtc2hhMi0yNTYsaG1hYy1zaGEyLT.I1Ni05NixobWFjLXNoYTItNTEyLGhtYWMtc2hhMi01MTItOTYs.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: o8Dg1ffrmojA + dns.answers[1].rrname: hvMAAAATCC1zaGExLTk2LGhtYWMtbWQ1LTk2AAAAp2htYWMtbWQ1LGhtYWMtc2h.hMSx1bWFjLTY0QG9wZW5zc2guY29tLGhtYWMtc2hhMi0yNTYsaG1hYy1zaGEyLT.I1Ni05NixobWFjLXNoYTItNTEyLGhtYWMtc2hhMi01MTItOTYs.srv.tunnel.com + 
dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.answers[2].rdata: '' + dns.answers[2].rrname: hvMAAAATCC1zaGExLTk2LGhtYWMtbWQ1LTk2AAAAp2htYWMtbWQ1LGhtYWMtc2h.hMSx1bWFjLTY0QG9wZW5zc2guY29tLGhtYWMtc2hhMi0yNTYsaG1hYy1zaGEyLT.I1Ni05NixobWFjLXNoYTItNTEyLGhtYWMtc2hhMi01MTItOTYs.srv.tunnel.com + dns.answers[2].rrtype: TXT + dns.answers[2].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAATGNsETPiAXDCPSqttwQTxlKfcbeUws4sTuR3619TSQK3ER/ENcT1ZQP + dns.grouped.TXT[1]: o8Dg1ffrmojA + dns.grouped.TXT[2]: '' + dns.id: 65517 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMAAAATCC1zaGExLTk2LGhtYWMtbWQ1LTk2AAAAp2htYWMtbWQ1LGhtYWMtc2h.hMSx1bWFjLTY0QG9wZW5zc2guY29tLGhtYWMtc2hhMi0yNTYsaG1hYy1zaGEyLT.I1Ni05NixobWFjLXNoYTItNTEyLGhtYWMtc2hhMi01MTItOTYs.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 59 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 613 + dns.queries[0].rrname: hvMADwAjCDvIMWnWlrLs3njbinEmXNQVYiJ1Hf0sRyNE7D/1NF1b8clSdB/dmtu.UbGQcz7UrbBHNGJWtlVUBLpj6DTggRC0.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 59 + dns.type: request + event_type: dns + pcap_cnt: 60 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAAUGID6Ry6+OsQx+C0gWhSicpwJRsW6Not/u1nTWJIxQeVq3YzSkq09md + dns.answers[0].rrname: hvMAAAAUCGhtYWMtcmlwZW1kMTYwLGhtYWMtcmlwZW1kMTYwQG9wZW5zc2guY29.tLGhtYWMtc2hhMS05NixobWFjLW1kNS05NgAAABpub25lLHpsaWJAb3BlbnNzaC.5jb20semxpYgAAABpub25lLHpsaWJAb3BlbnNzaC5jb20semxp.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: MOlODQZFqtavW2gUalEEATOvGB1wJOvW8 + 
dns.answers[1].rrname: hvMAAAAUCGhtYWMtcmlwZW1kMTYwLGhtYWMtcmlwZW1kMTYwQG9wZW5zc2guY29.tLGhtYWMtc2hhMS05NixobWFjLW1kNS05NgAAABpub25lLHpsaWJAb3BlbnNzaC.5jb20semxpYgAAABpub25lLHpsaWJAb3BlbnNzaC5jb20semxp.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.answers[2].rdata: '' + dns.answers[2].rrname: hvMAAAAUCGhtYWMtcmlwZW1kMTYwLGhtYWMtcmlwZW1kMTYwQG9wZW5zc2guY29.tLGhtYWMtc2hhMS05NixobWFjLW1kNS05NgAAABpub25lLHpsaWJAb3BlbnNzaC.5jb20semxpYgAAABpub25lLHpsaWJAb3BlbnNzaC5jb20semxp.srv.tunnel.com + dns.answers[2].rrtype: TXT + dns.answers[2].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAAUGID6Ry6+OsQx+C0gWhSicpwJRsW6Not/u1nTWJIxQeVq3YzSkq09md + dns.grouped.TXT[1]: MOlODQZFqtavW2gUalEEATOvGB1wJOvW8 + dns.grouped.TXT[2]: '' + dns.id: 23977 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMAAAAUCGhtYWMtcmlwZW1kMTYwLGhtYWMtcmlwZW1kMTYwQG9wZW5zc2guY29.tLGhtYWMtc2hhMS05NixobWFjLW1kNS05NgAAABpub25lLHpsaWJAb3BlbnNzaC.5jb20semxpYgAAABpub25lLHpsaWJAb3BlbnNzaC5jb20semxp.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 61 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAAVEA + dns.answers[0].rrname: hvMAAAAVCGIAAAAAAAAAAAAAAAAAAAAAAAAAAAA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMAAAAVCGIAAAAAAAAAAAAAAAAAAAAAAAAAAAA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAAVEA + dns.grouped.TXT[1]: '' + 
dns.id: 31995 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMAAAAVCGIAAAAAAAAAAAAAAAAAAAAAAAAAAAA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 62 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAAXEA + dns.answers[0].rrname: hvMAAwAXCAAAABQGIgAABAAAAAQAAAAgAAAAAAAAAA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMAAwAXCAAAABQGIgAABAAAAAQAAAAgAAAAAAAAAA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAAXEA + dns.grouped.TXT[1]: '' + dns.id: 53836 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMAAwAXCAAAABQGIgAABAAAAAQAAAAgAAAAAAAAAA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 63 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAAWEA + dns.answers[0].rrname: hvMAAgAWBA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMAAgAWBA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAAWEA + dns.grouped.TXT[1]: '' + dns.id: 4289 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMAAgAWBA.srv.tunnel.com + 
dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 64 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAAaEA + dns.answers[0].rrname: hvMABgAaBA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMABgAaBA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAAaEA + dns.grouped.TXT[1]: '' + dns.id: 52985 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMABgAaBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 65 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAAbEA + dns.answers[0].rrname: hvMABwAbBA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMABwAbBA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAAbEA + dns.grouped.TXT[1]: '' + dns.id: 12894 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMABwAbBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 66 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAAYEA + 
dns.answers[0].rrname: hvMABAAYBA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMABAAYBA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAAYEA + dns.grouped.TXT[1]: '' + dns.id: 44271 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMABAAYBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 67 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAAeEA + dns.answers[0].rrname: hvMACgAeBA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMACgAeBA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAAeEA + dns.grouped.TXT[1]: '' + dns.id: 3337 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMACgAeBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 68 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAAfEA + dns.answers[0].rrname: hvMACwAfCJpX6DB9O+5TQ+oIfbIAAAAAAAA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMACwAfCJpX6DB9O+5TQ+oIfbIAAAAAAAA.srv.tunnel.com + dns.answers[1].rrtype: TXT + 
dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAAfEA + dns.grouped.TXT[1]: '' + dns.id: 12496 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMACwAfCJpX6DB9O+5TQ+oIfbIAAAAAAAA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 69 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAAhEA + dns.answers[0].rrname: hvMADQAhCAAAAAwKFQAAAAAAAAAAAAA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMADQAhCAAAAAwKFQAAAAAAAAAAAAA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAAhEA + dns.grouped.TXT[1]: '' + dns.id: 14096 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMADQAhCAAAAAwKFQAAAAAAAAAAAAA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 70 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAAiEA + dns.answers[0].rrname: hvMADgAiCA9HZU8tQch3tlBA02t6sZzFinsHVFjV9fsbIgJzGV6aC9IX8jmSF82.xjb4dW8dzrA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMADgAiCA9HZU8tQch3tlBA02t6sZzFinsHVFjV9fsbIgJzGV6aC9IX8jmSF82.xjb4dW8dzrA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: 
iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAAiEA + dns.grouped.TXT[1]: '' + dns.id: 6981 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMADgAiCA9HZU8tQch3tlBA02t6sZzFinsHVFjV9fsbIgJzGV6aC9IX8jmSF82.xjb4dW8dzrA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 71 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAAgEA + dns.answers[0].rrname: hvMADAAgBA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMADAAgBA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAAgEA + dns.grouped.TXT[1]: '' + dns.id: 24710 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMADAAgBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 72 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAAZEA + dns.answers[0].rrname: hvMABQAZBA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMABQAZBA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAAZEA + dns.grouped.TXT[1]: '' + 
dns.id: 3462 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMABQAZBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 73 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 21974 + dns.queries[0].rrname: hvMAEAAkBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 73 + dns.type: request + event_type: dns + pcap_cnt: 74 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAAcEA + dns.answers[0].rrname: hvMACAAcBA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMACAAcBA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAAcEA + dns.grouped.TXT[1]: '' + dns.id: 50286 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMACAAcBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 75 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAAdEA + dns.answers[0].rrname: hvMACQAdCAAAAIwGIAAAAIAx3itE7XsxfNFkKSwpm/QL2R+3hW5GnOrZviY9/TR.O7d2QlxOeCwmGsxERu0+5DKpF6kwJroS1n8v8wLvqu3jSeOjVnYb7Fo3jRoLT3z.mxMiqSuKTuBNWXb5QoROHUYVRZIqMC+OtncdVw0LG0/FO/Kq8n.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: 
hvMACQAdCAAAAIwGIAAAAIAx3itE7XsxfNFkKSwpm/QL2R+3hW5GnOrZviY9/TR.O7d2QlxOeCwmGsxERu0+5DKpF6kwJroS1n8v8wLvqu3jSeOjVnYb7Fo3jRoLT3z.mxMiqSuKTuBNWXb5QoROHUYVRZIqMC+OtncdVw0LG0/FO/Kq8n.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAAdEA + dns.grouped.TXT[1]: '' + dns.id: 62058 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMACQAdCAAAAIwGIAAAAIAx3itE7XsxfNFkKSwpm/QL2R+3hW5GnOrZviY9/TR.O7d2QlxOeCwmGsxERu0+5DKpF6kwJroS1n8v8wLvqu3jSeOjVnYb7Fo3jRoLT3z.mxMiqSuKTuBNWXb5QoROHUYVRZIqMC+OtncdVw0LG0/FO/Kq8n.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 76 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 22814 + dns.queries[0].rrname: hvMAEQAlBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 76 + dns.type: request + event_type: dns + pcap_cnt: 77 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAAjEA + dns.answers[0].rrname: hvMADwAjCDvIMWnWlrLs3njbinEmXNQVYiJ1Hf0sRyNE7D/1NF1b8clSdB/dmtu.UbGQcz7UrbBHNGJWtlVUBLpj6DTggRC0.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMADwAjCDvIMWnWlrLs3njbinEmXNQVYiJ1Hf0sRyNE7D/1NF1b8clSdB/dmtu.UbGQcz7UrbBHNGJWtlVUBLpj6DTggRC0.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAAjEA + dns.grouped.TXT[1]: '' + dns.id: 613 + dns.qr: true 
+ dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMADwAjCDvIMWnWlrLs3njbinEmXNQVYiJ1Hf0sRyNE7D/1NF1b8clSdB/dmtu.UbGQcz7UrbBHNGJWtlVUBLpj6DTggRC0.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 78 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 34425 + dns.queries[0].rrname: hvMAEgAmBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 78 + dns.type: request + event_type: dns + pcap_cnt: 79 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAAkEA + dns.answers[0].rrname: hvMAEAAkBA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMAEAAkBA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAAkEA + dns.grouped.TXT[1]: '' + dns.id: 21974 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMAEAAkBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 80 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAAmEA + dns.answers[0].rrname: hvMAEgAmBA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMAEgAmBA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: 
'8180' + dns.grouped.TXT[0]: AhvMAAAAmEA + dns.grouped.TXT[1]: '' + dns.id: 34425 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMAEgAmBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 81 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAAlEA + dns.answers[0].rrname: hvMAEQAlBA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMAEQAlBA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAAlEA + dns.grouped.TXT[1]: '' + dns.id: 22814 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMAEQAlBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 82 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 28769 + dns.queries[0].rrname: hvMAEwAnBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 82 + dns.type: request + event_type: dns + pcap_cnt: 83 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAAnEA + dns.answers[0].rrname: hvMAEwAnBA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMAEwAnBA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + 
dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAAnEA + dns.grouped.TXT[1]: '' + dns.id: 28769 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMAEwAnBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 85 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 51221 + dns.queries[0].rrname: hvMAFAAoBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 84 + dns.type: request + event_type: dns + pcap_cnt: 86 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 15585 + dns.queries[0].rrname: hvMAFQApCOmk2dTdJciDeU1HxaGwOxqdUoJGVho6Jcrgg3EXVwhzTkpRmB3Xrlz.lp2FAtTgUIZC5aeEQm7x/NitPsl8n+xyl8BtH2fraIRJb3eGrIteLsXobanq4+P.pJZNPyaIW2oKX3+ZSx3BKNpSkJpD232RvTt1J7dNuhqFQgFcnd.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 85 + dns.type: request + event_type: dns + pcap_cnt: 88 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 61116 + dns.queries[0].rrname: hvMAFgAqBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 86 + dns.type: request + event_type: dns + pcap_cnt: 89 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 39265 + dns.queries[0].rrname: hvMAFwArCMfOP+frB4IA0L7UWQjJpzeyMOo.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 87 + dns.type: request + event_type: dns + pcap_cnt: 90 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 21179 + dns.queries[0].rrname: hvMAGAAsBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 88 + dns.type: request + event_type: dns + pcap_cnt: 91 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- 
filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAAoEA + dns.answers[0].rrname: hvMAFAAoBA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMAFAAoBA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAAoEA + dns.grouped.TXT[1]: '' + dns.id: 51221 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMAFAAoBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 92 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAApEA + dns.answers[0].rrname: hvMAFQApCOmk2dTdJciDeU1HxaGwOxqdUoJGVho6Jcrgg3EXVwhzTkpRmB3Xrlz.lp2FAtTgUIZC5aeEQm7x/NitPsl8n+xyl8BtH2fraIRJb3eGrIteLsXobanq4+P.pJZNPyaIW2oKX3+ZSx3BKNpSkJpD232RvTt1J7dNuhqFQgFcnd.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMAFQApCOmk2dTdJciDeU1HxaGwOxqdUoJGVho6Jcrgg3EXVwhzTkpRmB3Xrlz.lp2FAtTgUIZC5aeEQm7x/NitPsl8n+xyl8BtH2fraIRJb3eGrIteLsXobanq4+P.pJZNPyaIW2oKX3+ZSx3BKNpSkJpD232RvTt1J7dNuhqFQgFcnd.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAApEA + dns.grouped.TXT[1]: '' + dns.id: 15585 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: 
hvMAFQApCOmk2dTdJciDeU1HxaGwOxqdUoJGVho6Jcrgg3EXVwhzTkpRmB3Xrlz.lp2FAtTgUIZC5aeEQm7x/NitPsl8n+xyl8BtH2fraIRJb3eGrIteLsXobanq4+P.pJZNPyaIW2oKX3+ZSx3BKNpSkJpD232RvTt1J7dNuhqFQgFcnd.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 93 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAAqEA + dns.answers[0].rrname: hvMAFgAqBA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMAFgAqBA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAAqEA + dns.grouped.TXT[1]: '' + dns.id: 61116 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMAFgAqBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 94 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAArEA + dns.answers[0].rrname: hvMAFwArCMfOP+frB4IA0L7UWQjJpzeyMOo.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMAFwArCMfOP+frB4IA0L7UWQjJpzeyMOo.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAArEA + dns.grouped.TXT[1]: '' + dns.id: 39265 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMAFwArCMfOP+frB4IA0L7UWQjJpzeyMOo.srv.tunnel.com + 
dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 95 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAAsEA + dns.answers[0].rrname: hvMAGAAsBA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMAGAAsBA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAAsEA + dns.grouped.TXT[1]: '' + dns.id: 21179 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMAGAAsBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 96 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 54669 + dns.queries[0].rrname: hvMAGQAtBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 94 + dns.type: request + event_type: dns + pcap_cnt: 97 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAAtGNEqCE4KP20kGH0Clf+C26xKJFc1tpe2553spzE6/gT1 + dns.answers[0].rrname: hvMAGQAtBA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMAGQAtBA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAAtGNEqCE4KP20kGH0Clf+C26xKJFc1tpe2553spzE6/gT1 + dns.grouped.TXT[1]: '' + dns.id: 54669 + dns.qr: true + dns.ra: 
true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMAGQAtBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 98 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 14161 + dns.queries[0].rrname: hvMAGgAuBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 96 + dns.type: request + event_type: dns + pcap_cnt: 99 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 8495 + dns.queries[0].rrname: hvMAGwAvCIkrV/ReccpWoXylVptppBSwm4rQVj+LUzMpFyro3rmKmtRhPMMj0V1.cj60bkoYzh0QlrH6vAMPPSOm7RzOWJNTchkHY5KGt+pyYHPD9I6/81p1PCZuPXi.XMBHf6s08VExh7KxEtR8jggl/dxizgPmqbsBFw1yAsoWmDeEHj.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 97 + dns.type: request + event_type: dns + pcap_cnt: 100 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 27970 + dns.queries[0].rrname: hvMAHAAwBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 98 + dns.type: request + event_type: dns + pcap_cnt: 101 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 5825 + dns.queries[0].rrname: hvMAHQAxCMctAA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 99 + dns.type: request + event_type: dns + pcap_cnt: 102 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 5562 + dns.queries[0].rrname: hvMAHgAyBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 100 + dns.type: request + event_type: dns + pcap_cnt: 103 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: 
AhvMAAAAuGFbHXVzzlvr34msuFy05F6bRUXIcwwA8xil02gNhXcy5QxKpCfwU7t + dns.answers[0].rrname: hvMAGgAuBA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: /iYglUmOhLMw + dns.answers[1].rrname: hvMAGgAuBA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.answers[2].rdata: '' + dns.answers[2].rrname: hvMAGgAuBA.srv.tunnel.com + dns.answers[2].rrtype: TXT + dns.answers[2].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAAuGFbHXVzzlvr34msuFy05F6bRUXIcwwA8xil02gNhXcy5QxKpCfwU7t + dns.grouped.TXT[1]: /iYglUmOhLMw + dns.grouped.TXT[2]: '' + dns.id: 14161 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMAGgAuBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 104 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 53290 + dns.queries[0].rrname: hvMAHwAzBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 102 + dns.type: request + event_type: dns + pcap_cnt: 105 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 37620 + dns.queries[0].rrname: hvMAIAA0CIUaLlwuNSK5phv3q0D7jN6FjRu9RhxF2jLcd4ePd/Ssv/fMHo1x7lZ.IJnb9FnEAoCBZUQqizMnd8d+FTgkJK7USPgmxOyR63Yy6sNxUuGdIvZ2Kd8OWaG.qrHQleDgvLDVxhdkeZ4jOUkbqywhagjgn+6LosU/HVT0V2Oql1.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 103 + dns.type: request + event_type: dns + pcap_cnt: 106 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 11415 + dns.queries[0].rrname: hvMAIQA1BA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 104 + dns.type: request 
+ event_type: dns + pcap_cnt: 107 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 41507 + dns.queries[0].rrname: hvMAIgA2CCeD1WxPA+m6eHkF1n4qobRCBC/O73OvopuCyJypzQ25p3ZMZeGznpo.Ugpn1L9G8f6H8rrjflBw9YW6C5VxOgiByMyvi1C8xpbuu19dr/b78i9BWGXlzHB.dai5EtV2d2YHxl6AjuP7vZNbkgVL99AScD38jT145YVJuQ2v2j.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 105 + dns.type: request + event_type: dns + pcap_cnt: 108 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 58854 + dns.queries[0].rrname: hvMAIwA3BA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 106 + dns.type: request + event_type: dns + pcap_cnt: 109 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 30729 + dns.queries[0].rrname: hvMAJAA4CIA3u9zI4HdwAkw2T+n7SYuJHT590+/Y/WkV2jlx6OOhrYYBrH+fF/x.LeqpHbkkYohzQd/aIDDnUnhr+xtyHzrK4Chm5Q9UJmpATyFkU2wWdLs6S3sTeji.sy9fNH+znOgkge5l3POd3slPeZcbLITaDsTaHWEnrwDLMIQ9lw.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 107 + dns.type: request + event_type: dns + pcap_cnt: 110 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 23354 + dns.queries[0].rrname: hvMAJQA5BA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 108 + dns.type: request + event_type: dns + pcap_cnt: 111 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 13941 + dns.queries[0].rrname: hvMAJgA6CNgjb+jJ6jrjge2Jq6S6yufEuid5p1tRS8WmR2IHxwpt6vjhkRJFI8o.9XnSTflh5C6a068gKqhfPSR4M2a/Fo0+L4l+m5yIvRoc.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 109 + dns.type: request + event_type: dns + pcap_cnt: 112 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + 
match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 27613 + dns.queries[0].rrname: hvMAJwA7BA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 110 + dns.type: request + event_type: dns + pcap_cnt: 113 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAAvGK4Pd1EjONdQFOqx0Q1qpvfSn2lYEI7DYZltX8uuYTGkCVNl04z+Bx + dns.answers[0].rrname: hvMAGwAvCIkrV/ReccpWoXylVptppBSwm4rQVj+LUzMpFyro3rmKmtRhPMMj0V1.cj60bkoYzh0QlrH6vAMPPSOm7RzOWJNTchkHY5KGt+pyYHPD9I6/81p1PCZuPXi.XMBHf6s08VExh7KxEtR8jggl/dxizgPmqbsBFw1yAsoWmDeEHj.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: dCzXb0uKbi46BNPJRhy4jDbj+uhQDz7my/DyvByZZPtI5m20YVlnuI2Vgzwrddr + dns.answers[1].rrname: hvMAGwAvCIkrV/ReccpWoXylVptppBSwm4rQVj+LUzMpFyro3rmKmtRhPMMj0V1.cj60bkoYzh0QlrH6vAMPPSOm7RzOWJNTchkHY5KGt+pyYHPD9I6/81p1PCZuPXi.XMBHf6s08VExh7KxEtR8jggl/dxizgPmqbsBFw1yAsoWmDeEHj.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.answers[2].rdata: EH8zhucGI2q+h+QOT5djW72GlDmDRkI0OU + dns.answers[2].rrname: hvMAGwAvCIkrV/ReccpWoXylVptppBSwm4rQVj+LUzMpFyro3rmKmtRhPMMj0V1.cj60bkoYzh0QlrH6vAMPPSOm7RzOWJNTchkHY5KGt+pyYHPD9I6/81p1PCZuPXi.XMBHf6s08VExh7KxEtR8jggl/dxizgPmqbsBFw1yAsoWmDeEHj.srv.tunnel.com + dns.answers[2].rrtype: TXT + dns.answers[2].ttl: 3 + dns.answers[3].rdata: '' + dns.answers[3].rrname: hvMAGwAvCIkrV/ReccpWoXylVptppBSwm4rQVj+LUzMpFyro3rmKmtRhPMMj0V1.cj60bkoYzh0QlrH6vAMPPSOm7RzOWJNTchkHY5KGt+pyYHPD9I6/81p1PCZuPXi.XMBHf6s08VExh7KxEtR8jggl/dxizgPmqbsBFw1yAsoWmDeEHj.srv.tunnel.com + dns.answers[3].rrtype: TXT + dns.answers[3].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAAvGK4Pd1EjONdQFOqx0Q1qpvfSn2lYEI7DYZltX8uuYTGkCVNl04z+Bx + dns.grouped.TXT[1]: 
dCzXb0uKbi46BNPJRhy4jDbj+uhQDz7my/DyvByZZPtI5m20YVlnuI2Vgzwrddr + dns.grouped.TXT[2]: EH8zhucGI2q+h+QOT5djW72GlDmDRkI0OU + dns.grouped.TXT[3]: '' + dns.id: 8495 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMAGwAvCIkrV/ReccpWoXylVptppBSwm4rQVj+LUzMpFyro3rmKmtRhPMMj0V1.cj60bkoYzh0QlrH6vAMPPSOm7RzOWJNTchkHY5KGt+pyYHPD9I6/81p1PCZuPXi.XMBHf6s08VExh7KxEtR8jggl/dxizgPmqbsBFw1yAsoWmDeEHj.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 114 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 22948 + dns.queries[0].rrname: hvMAKAA8BA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 112 + dns.type: request + event_type: dns + pcap_cnt: 115 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAAwGObgemu5HuKM+ERWwdANnQBVfFsBeFOJ5lnCfusRXljFGecnHD7b1j + dns.answers[0].rrname: hvMAHAAwBA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: cgs4/sD8aoqjvYvJib/Ci75iySlpVeHaVa7lWk7KDxqQ81ehkS9ubJYXdTfSLVG + dns.answers[1].rrname: hvMAHAAwBA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.answers[2].rdata: yUmn1V13aACh8zEj7ClLhYPQ4Xzdpjv8cz9/VJg6TenDo33UmpjAvmu3JR8lwNv + dns.answers[2].rrname: hvMAHAAwBA.srv.tunnel.com + dns.answers[2].rrtype: TXT + dns.answers[2].ttl: 3 + dns.answers[3].rdata: t08lmlewRJ6j8xxCmx5d5sPIWQJwWuobCvq3e3uHlo0+MVoPgXA7G+uZKJgdbmX + dns.answers[3].rrname: hvMAHAAwBA.srv.tunnel.com + dns.answers[3].rrtype: TXT + dns.answers[3].ttl: 3 + dns.answers[4].rdata: 2F1ttdSDixAeEyuZZ2vHzTRLJCbadJc9dKoWe92gRQuMoZuhUXaTs5kXyJB0mzm + dns.answers[4].rrname: hvMAHAAwBA.srv.tunnel.com + dns.answers[4].rrtype: TXT + dns.answers[4].ttl: 3 + dns.answers[5].rdata: 
Fo4Z/eSNyFh83hqtTTSCBKztv+vq1KHq/WmBWOE8J8SjS4r/5rYnEKWzc5nkjyR + dns.answers[5].rrname: hvMAHAAwBA.srv.tunnel.com + dns.answers[5].rrtype: TXT + dns.answers[5].ttl: 3 + dns.answers[6].rdata: OrIFLJ3ClaGhi4nPag + dns.answers[6].rrname: hvMAHAAwBA.srv.tunnel.com + dns.answers[6].rrtype: TXT + dns.answers[6].ttl: 3 + dns.answers[7].rdata: '' + dns.answers[7].rrname: hvMAHAAwBA.srv.tunnel.com + dns.answers[7].rrtype: TXT + dns.answers[7].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAAwGObgemu5HuKM+ERWwdANnQBVfFsBeFOJ5lnCfusRXljFGecnHD7b1j + dns.grouped.TXT[1]: cgs4/sD8aoqjvYvJib/Ci75iySlpVeHaVa7lWk7KDxqQ81ehkS9ubJYXdTfSLVG + dns.grouped.TXT[2]: yUmn1V13aACh8zEj7ClLhYPQ4Xzdpjv8cz9/VJg6TenDo33UmpjAvmu3JR8lwNv + dns.grouped.TXT[3]: t08lmlewRJ6j8xxCmx5d5sPIWQJwWuobCvq3e3uHlo0+MVoPgXA7G+uZKJgdbmX + dns.grouped.TXT[4]: 2F1ttdSDixAeEyuZZ2vHzTRLJCbadJc9dKoWe92gRQuMoZuhUXaTs5kXyJB0mzm + dns.grouped.TXT[5]: Fo4Z/eSNyFh83hqtTTSCBKztv+vq1KHq/WmBWOE8J8SjS4r/5rYnEKWzc5nkjyR + dns.grouped.TXT[6]: OrIFLJ3ClaGhi4nPag + dns.grouped.TXT[7]: '' + dns.id: 27970 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMAHAAwBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 116 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAAxGOJC4G7AI5IRq8VFCBirtrwtfAdGD2M1KW4j9XQe6O+B6oUgWqHGXY + dns.answers[0].rrname: hvMAHQAxCMctAA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: qpIOIAKb4SEcLfZpCwjSPmQVECw+MTsOEDbNXLDZpcs2ytFuBaAnkm2sVS7QSx5 + dns.answers[1].rrname: hvMAHQAxCMctAA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.answers[2].rdata: 
7G5b0T5whTCQVdFt/nRfHxvWneXCPxG9DVTyQi28AC7Va1xtITy9X/bp2lnEhXx + dns.answers[2].rrname: hvMAHQAxCMctAA.srv.tunnel.com + dns.answers[2].rrtype: TXT + dns.answers[2].ttl: 3 + dns.answers[3].rdata: uNeMj1M0Le0BUk8o+JrSir25e5n9JmAneaotE1HgwHG8ipfTIhcZOi8 + dns.answers[3].rrname: hvMAHQAxCMctAA.srv.tunnel.com + dns.answers[3].rrtype: TXT + dns.answers[3].ttl: 3 + dns.answers[4].rdata: '' + dns.answers[4].rrname: hvMAHQAxCMctAA.srv.tunnel.com + dns.answers[4].rrtype: TXT + dns.answers[4].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAAxGOJC4G7AI5IRq8VFCBirtrwtfAdGD2M1KW4j9XQe6O+B6oUgWqHGXY + dns.grouped.TXT[1]: qpIOIAKb4SEcLfZpCwjSPmQVECw+MTsOEDbNXLDZpcs2ytFuBaAnkm2sVS7QSx5 + dns.grouped.TXT[2]: 7G5b0T5whTCQVdFt/nRfHxvWneXCPxG9DVTyQi28AC7Va1xtITy9X/bp2lnEhXx + dns.grouped.TXT[3]: uNeMj1M0Le0BUk8o+JrSir25e5n9JmAneaotE1HgwHG8ipfTIhcZOi8 + dns.grouped.TXT[4]: '' + dns.id: 5825 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMAHQAxCMctAA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 117 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 62607 + dns.queries[0].rrname: hvMAKQA9BA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 115 + dns.type: request + event_type: dns + pcap_cnt: 118 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAAyGOaJz8MoysNCf8COwS29ZF3s2AqPMfigTqkImNZJUam+WEKERcm6w3 + dns.answers[0].rrname: hvMAHgAyBA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: vQmaQHCkAcQo4K/SI7AeHn7K9xR4euPlE + dns.answers[1].rrname: hvMAHgAyBA.srv.tunnel.com + 
dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.answers[2].rdata: '' + dns.answers[2].rrname: hvMAHgAyBA.srv.tunnel.com + dns.answers[2].rrtype: TXT + dns.answers[2].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAAyGOaJz8MoysNCf8COwS29ZF3s2AqPMfigTqkImNZJUam+WEKERcm6w3 + dns.grouped.TXT[1]: vQmaQHCkAcQo4K/SI7AeHn7K9xR4euPlE + dns.grouped.TXT[2]: '' + dns.id: 5562 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMAHgAyBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 119 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 5125 + dns.queries[0].rrname: hvMAKgA+BA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 117 + dns.type: request + event_type: dns + pcap_cnt: 120 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAA8EA + dns.answers[0].rrname: hvMAKAA8BA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMAKAA8BA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAA8EA + dns.grouped.TXT[1]: '' + dns.id: 22948 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMAKAA8BA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 122 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + 
dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAAzEA + dns.answers[0].rrname: hvMAHwAzBA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMAHwAzBA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAAzEA + dns.grouped.TXT[1]: '' + dns.id: 53290 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMAHwAzBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 123 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAA0EA + dns.answers[0].rrname: hvMAIAA0CIUaLlwuNSK5phv3q0D7jN6FjRu9RhxF2jLcd4ePd/Ssv/fMHo1x7lZ.IJnb9FnEAoCBZUQqizMnd8d+FTgkJK7USPgmxOyR63Yy6sNxUuGdIvZ2Kd8OWaG.qrHQleDgvLDVxhdkeZ4jOUkbqywhagjgn+6LosU/HVT0V2Oql1.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMAIAA0CIUaLlwuNSK5phv3q0D7jN6FjRu9RhxF2jLcd4ePd/Ssv/fMHo1x7lZ.IJnb9FnEAoCBZUQqizMnd8d+FTgkJK7USPgmxOyR63Yy6sNxUuGdIvZ2Kd8OWaG.qrHQleDgvLDVxhdkeZ4jOUkbqywhagjgn+6LosU/HVT0V2Oql1.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAA0EA + dns.grouped.TXT[1]: '' + dns.id: 37620 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: 
hvMAIAA0CIUaLlwuNSK5phv3q0D7jN6FjRu9RhxF2jLcd4ePd/Ssv/fMHo1x7lZ.IJnb9FnEAoCBZUQqizMnd8d+FTgkJK7USPgmxOyR63Yy6sNxUuGdIvZ2Kd8OWaG.qrHQleDgvLDVxhdkeZ4jOUkbqywhagjgn+6LosU/HVT0V2Oql1.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 124 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAA1EA + dns.answers[0].rrname: hvMAIQA1BA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMAIQA1BA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAA1EA + dns.grouped.TXT[1]: '' + dns.id: 11415 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMAIQA1BA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 125 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAA9EA + dns.answers[0].rrname: hvMAKQA9BA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMAKQA9BA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAA9EA + dns.grouped.TXT[1]: '' + dns.id: 62607 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMAKQA9BA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: 
dns + pcap_cnt: 126 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 64110 + dns.queries[0].rrname: hvMAKwA/BA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 123 + dns.type: request + event_type: dns + pcap_cnt: 127 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAA2EA + dns.answers[0].rrname: hvMAIgA2CCeD1WxPA+m6eHkF1n4qobRCBC/O73OvopuCyJypzQ25p3ZMZeGznpo.Ugpn1L9G8f6H8rrjflBw9YW6C5VxOgiByMyvi1C8xpbuu19dr/b78i9BWGXlzHB.dai5EtV2d2YHxl6AjuP7vZNbkgVL99AScD38jT145YVJuQ2v2j.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMAIgA2CCeD1WxPA+m6eHkF1n4qobRCBC/O73OvopuCyJypzQ25p3ZMZeGznpo.Ugpn1L9G8f6H8rrjflBw9YW6C5VxOgiByMyvi1C8xpbuu19dr/b78i9BWGXlzHB.dai5EtV2d2YHxl6AjuP7vZNbkgVL99AScD38jT145YVJuQ2v2j.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAA2EA + dns.grouped.TXT[1]: '' + dns.id: 41507 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMAIgA2CCeD1WxPA+m6eHkF1n4qobRCBC/O73OvopuCyJypzQ25p3ZMZeGznpo.Ugpn1L9G8f6H8rrjflBw9YW6C5VxOgiByMyvi1C8xpbuu19dr/b78i9BWGXlzHB.dai5EtV2d2YHxl6AjuP7vZNbkgVL99AScD38jT145YVJuQ2v2j.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 128 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAA3EA + dns.answers[0].rrname: hvMAIwA3BA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: 
hvMAIwA3BA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAA3EA + dns.grouped.TXT[1]: '' + dns.id: 58854 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMAIwA3BA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 129 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAA4EA + dns.answers[0].rrname: hvMAJAA4CIA3u9zI4HdwAkw2T+n7SYuJHT590+/Y/WkV2jlx6OOhrYYBrH+fF/x.LeqpHbkkYohzQd/aIDDnUnhr+xtyHzrK4Chm5Q9UJmpATyFkU2wWdLs6S3sTeji.sy9fNH+znOgkge5l3POd3slPeZcbLITaDsTaHWEnrwDLMIQ9lw.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMAJAA4CIA3u9zI4HdwAkw2T+n7SYuJHT590+/Y/WkV2jlx6OOhrYYBrH+fF/x.LeqpHbkkYohzQd/aIDDnUnhr+xtyHzrK4Chm5Q9UJmpATyFkU2wWdLs6S3sTeji.sy9fNH+znOgkge5l3POd3slPeZcbLITaDsTaHWEnrwDLMIQ9lw.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAA4EA + dns.grouped.TXT[1]: '' + dns.id: 30729 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMAJAA4CIA3u9zI4HdwAkw2T+n7SYuJHT590+/Y/WkV2jlx6OOhrYYBrH+fF/x.LeqpHbkkYohzQd/aIDDnUnhr+xtyHzrK4Chm5Q9UJmpATyFkU2wWdLs6S3sTeji.sy9fNH+znOgkge5l3POd3slPeZcbLITaDsTaHWEnrwDLMIQ9lw.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 130 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + 
dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAA5EA + dns.answers[0].rrname: hvMAJQA5BA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMAJQA5BA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAA5EA + dns.grouped.TXT[1]: '' + dns.id: 23354 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMAJQA5BA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 131 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAA6EA + dns.answers[0].rrname: hvMAJgA6CNgjb+jJ6jrjge2Jq6S6yufEuid5p1tRS8WmR2IHxwpt6vjhkRJFI8o.9XnSTflh5C6a068gKqhfPSR4M2a/Fo0+L4l+m5yIvRoc.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMAJgA6CNgjb+jJ6jrjge2Jq6S6yufEuid5p1tRS8WmR2IHxwpt6vjhkRJFI8o.9XnSTflh5C6a068gKqhfPSR4M2a/Fo0+L4l+m5yIvRoc.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAA6EA + dns.grouped.TXT[1]: '' + dns.id: 13941 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMAJgA6CNgjb+jJ6jrjge2Jq6S6yufEuid5p1tRS8WmR2IHxwpt6vjhkRJFI8o.9XnSTflh5C6a068gKqhfPSR4M2a/Fo0+L4l+m5yIvRoc.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 132 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + 
count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 15010 + dns.queries[0].rrname: hvMALABABA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 129 + dns.type: request + event_type: dns + pcap_cnt: 133 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAA7EA + dns.answers[0].rrname: hvMAJwA7BA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMAJwA7BA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAA7EA + dns.grouped.TXT[1]: '' + dns.id: 27613 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMAJwA7BA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 134 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 824 + dns.queries[0].rrname: hvMALQBBBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 131 + dns.type: request + event_type: dns + pcap_cnt: 135 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAA/EA + dns.answers[0].rrname: hvMAKwA/BA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMAKwA/BA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAA/EA + dns.grouped.TXT[1]: 
'' + dns.id: 64110 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMAKwA/BA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 136 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAABAEA + dns.answers[0].rrname: hvMALABABA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMALABABA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAABAEA + dns.grouped.TXT[1]: '' + dns.id: 15010 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMALABABA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 137 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAAA+EA + dns.answers[0].rrname: hvMAKgA+BA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMAKgA+BA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAAA+EA + dns.grouped.TXT[1]: '' + dns.id: 5125 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMAKgA+BA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 138 + proto: UDP + src_ip: 10.30.28.90 + 
src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAABBEA + dns.answers[0].rrname: hvMALQBBBA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMALQBBBA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAABBEA + dns.grouped.TXT[1]: '' + dns.id: 824 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMALQBBBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 139 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 30595 + dns.queries[0].rrname: hvMALgBCBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 136 + dns.type: request + event_type: dns + pcap_cnt: 140 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAABCEA + dns.answers[0].rrname: hvMALgBCBA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMALgBCBA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAABCEA + dns.grouped.TXT[1]: '' + dns.id: 30595 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMALgBCBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 141 + proto: UDP + src_ip: 
10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 59164 + dns.queries[0].rrname: hvMALwBDBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 138 + dns.type: request + event_type: dns + pcap_cnt: 142 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAABDEA + dns.answers[0].rrname: hvMALwBDBA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMALwBDBA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAABDEA + dns.grouped.TXT[1]: '' + dns.id: 59164 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMALwBDBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 143 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 11618 + dns.queries[0].rrname: hvMAMABEBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 140 + dns.type: request + event_type: dns + pcap_cnt: 144 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAABEEA + dns.answers[0].rrname: hvMAMABEBA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMAMABEBA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + 
dns.grouped.TXT[0]: AhvMAAABEEA + dns.grouped.TXT[1]: '' + dns.id: 11618 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMAMABEBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 145 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 8037 + dns.queries[0].rrname: hvMAMQBFBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 142 + dns.type: request + event_type: dns + pcap_cnt: 146 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAABFEA + dns.answers[0].rrname: hvMAMQBFBA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMAMQBFBA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAABFEA + dns.grouped.TXT[1]: '' + dns.id: 8037 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMAMQBFBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 147 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 3379 + dns.queries[0].rrname: hvMAMgBGBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 144 + dns.type: request + event_type: dns + pcap_cnt: 148 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAABGEA + dns.answers[0].rrname: hvMAMgBGBA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + 
dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMAMgBGBA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAABGEA + dns.grouped.TXT[1]: '' + dns.id: 3379 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMAMgBGBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 149 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 40311 + dns.queries[0].rrname: hvMAMwBHBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 146 + dns.type: request + event_type: dns + pcap_cnt: 150 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAABHEA + dns.answers[0].rrname: hvMAMwBHBA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMAMwBHBA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAABHEA + dns.grouped.TXT[1]: '' + dns.id: 40311 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMAMwBHBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 151 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 8006 + dns.queries[0].rrname: hvMANABIBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 148 + dns.type: 
request + event_type: dns + pcap_cnt: 152 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAABIEA + dns.answers[0].rrname: hvMANABIBA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMANABIBA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAABIEA + dns.grouped.TXT[1]: '' + dns.id: 8006 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMANABIBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 153 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 32072 + dns.queries[0].rrname: hvMANQBJBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 150 + dns.type: request + event_type: dns + pcap_cnt: 154 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAABJEA + dns.answers[0].rrname: hvMANQBJBA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMANQBJBA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAABJEA + dns.grouped.TXT[1]: '' + dns.id: 32072 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMANQBJBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: 
response + dns.version: 3 + event_type: dns + pcap_cnt: 155 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 14229 + dns.queries[0].rrname: hvMANgBKBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 152 + dns.type: request + event_type: dns + pcap_cnt: 156 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAABKEA + dns.answers[0].rrname: hvMANgBKBA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMANgBKBA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAABKEA + dns.grouped.TXT[1]: '' + dns.id: 14229 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMANgBKBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 157 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 17107 + dns.queries[0].rrname: hvMANwBLBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 154 + dns.type: request + event_type: dns + pcap_cnt: 158 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAABLEA + dns.answers[0].rrname: hvMANwBLBA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMANwBLBA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + 
dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAABLEA + dns.grouped.TXT[1]: '' + dns.id: 17107 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMANwBLBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 159 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 38783 + dns.queries[0].rrname: hvMAOABMBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 156 + dns.type: request + event_type: dns + pcap_cnt: 160 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAABMEA + dns.answers[0].rrname: hvMAOABMBA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMAOABMBA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAABMEA + dns.grouped.TXT[1]: '' + dns.id: 38783 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMAOABMBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 161 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 64639 + dns.queries[0].rrname: hvMAOQBNBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 158 + dns.type: request + event_type: dns + pcap_cnt: 162 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.answers[0].rdata: AhvMAAABNEA + 
dns.answers[0].rrname: hvMAOQBNBA.srv.tunnel.com + dns.answers[0].rrtype: TXT + dns.answers[0].ttl: 3 + dns.answers[1].rdata: '' + dns.answers[1].rrname: hvMAOQBNBA.srv.tunnel.com + dns.answers[1].rrtype: TXT + dns.answers[1].ttl: 3 + dns.authorities[0].rdata: iodine.tunnel.com + dns.authorities[0].rrname: srv.tunnel.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 604800 + dns.flags: '8180' + dns.grouped.TXT[0]: AhvMAAABNEA + dns.grouped.TXT[1]: '' + dns.id: 64639 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.queries[0].rrname: hvMAOQBNBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 + event_type: dns + pcap_cnt: 163 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + dest_ip: 10.30.28.94 + dest_port: 53 + dns.id: 41923 + dns.queries[0].rrname: hvMAOgBOBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.tx_id: 160 + dns.type: request + event_type: dns + pcap_cnt: 164 + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + app_proto: dns + dest_ip: 10.30.28.94 + dest_port: 53 + event_type: flow + flow.age: 9 + flow.alerted: false + flow.bytes_toclient: 18389 + flow.bytes_toserver: 10078 + flow.pkts_toclient: 80 + flow.pkts_toserver: 81 + flow.reason: shutdown + flow.state: established + proto: UDP + src_ip: 10.30.28.90 + src_port: 43246 +- filter: + count: 1 + match: + app_proto: failed + dest_ip: 10.30.28.255 + dest_port: 137 + event_type: flow + flow.age: 2 + flow.alerted: false + flow.bytes_toclient: 0 + flow.bytes_toserver: 276 + flow.pkts_toclient: 0 + flow.pkts_toserver: 3 + flow.reason: shutdown + flow.state: new + proto: UDP + src_ip: 10.30.28.85 + src_port: 137 diff --git a/tests/bug-1158/test.yaml b/tests/dns/v2/bug-1158/test.yaml similarity index 99% rename from tests/bug-1158/test.yaml rename to tests/dns/v2/bug-1158/test.yaml index 04b87a23a..5a45c07b6 100644 --- a/tests/bug-1158/test.yaml 
+++ b/tests/dns/v2/bug-1158/test.yaml
@@ -4,6 +4,11 @@ requires:
 args:
 - -k none
 
+pcap: ../../bug-1158/input.pcap
+
+env:
+ SURICATA_EVE_DNS_VERSION: 2
+
 checks:
 - filter:
 count: 1
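Review bot: The value in `SURICATA_EVE_DNS_VERSION: 2` under the new `env:` key is an unquoted scalar, so a YAML loader yields an integer where an environment variable needs a string. Writing `SURICATA_EVE_DNS_VERSION: "2"` removes the dependence on the test runner converting it, which is not visible from this hunk. The new `pcap: ../../bug-1158/input.pcap` line would also benefit from a comment such as `# shares the capture with tests/dns/bug-1158 (v3 checks); this copy pins EVE DNS v2 output`, so nobody later changes the shared capture for one format only. The `requires:` block sits above the hunk and the `checks:` list continues below it, so whether this test is limited to versions that honour the variable cannot be confirmed here.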