Project

General

Profile

Actions

Bug #1424

closed

DNS EVE-log produces answers with incorrect direction

Added by Antti Tönkyrä almost 10 years ago. Updated about 8 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

EVE-Log sometimes produces DNS answers with incorrect direction (the server appears to be the dest when it should actually be the source).

Reproduced using

while [ 1 ]; do host pingtimeout.net ns1.pingtimeout.net; sleep 0.1; done

I have also attached pcap that replicates the issue on my local git head suricata. Below is an example of the wrong output.

{
    "alerts": [],
    "data": {
        "dest_ip": "81.90.68.112",
        "dest_port": 53,
        "dns": {
            "id": 31443,
            "rdata": "81.90.68.114",
            "rrname": "pingtimeout.net",
            "rrtype": "A",
            "ttl": 3600,
            "type": "answer" 
        },
        "event_type": "dns",
        "flow_id": 37465680,
        "pcap_cnt": 49,
        "proto": "UDP",
        "src_ip": "10.100.0.20",
        "src_port": 47589,
        "timestamp": "2015-03-19T17:05:17.163591" 
    },
    "source": "suricata",
    "tags": []
}
{
    "alerts": [],
    "data": {
        "dest_ip": "81.90.68.112",
        "dest_port": 53,
        "dns": {
            "id": 52955,
            "rdata": "81.90.68.114",
            "rrname": "pingtimeout.net",
            "rrtype": "A",
            "ttl": 3600,
            "type": "answer" 
        },
        "event_type": "dns",
        "flow_id": 37467504,
        "pcap_cnt": 61,
        "proto": "UDP",
        "src_ip": "10.100.0.20",
        "src_port": 53278,
        "timestamp": "2015-03-19T17:05:17.454712" 
    },
    "source": "suricata",
    "tags": []
}

Files

suritest.pcap (9.15 KB) suritest.pcap Antti Tönkyrä, 03/19/2015 12:13 PM
Actions

Also available in: Atom PDF