Bug #1858
Status: closed
Lots of TCP 'duplicated option/DNS malformed request data' after upgrading from 3.0.1 to 3.1.1
Description
Running:
CentOS 7.2.1511 (Core)
Suricata 3.1.1 RELEASE w/ libpcap
After upgrading from 3.0.1 to 3.1.1 I am seeing tons of "TCP duplicated option" and "DNS malformed request data" events, which is creating a lot of noise on my dashboard.
I noticed suricata.yaml received an overhaul; I already migrated my old config to the new (rpm) one (in case some defaults had been changed), but to no avail.
What am I missing here, except disabling the rules/adding a threshold, to get rid of this?
Updated by Andreas Herz over 8 years ago
- Assignee set to Anonymous
- Target version set to TBD
How do you run suricata?
And can you try to reproduce it with a pcap?
Updated by Victor Julien over 8 years ago
- Status changed from New to Assigned
- Assignee changed from Anonymous to Victor Julien
- Priority changed from Normal to High
- Target version changed from TBD to 3.1.2
I can confirm the TCP issue. Will work on a fix. Haven't investigated the DNS one yet.
Updated by . . over 8 years ago
Sorry for being late!
Andreas Herz wrote:
How do you run Suricata?
Nothing fancy really, the installation is acting as a router (iptables w/ nat & ip_forward) for a "small" private network.
Suricata installed from epel, running on the local facing interface:
pcap:
  - interface: eth1
with SG/GRO/LRO/TSO/GSO disabled:
ethtool -K eth1 sg off gro off lro off tso off gso off
since Suricata logged a warning suggesting this after upgrading from 3.0.1 - it was just
ethtool -K eth1 rx off tx off gro off
pre 3.1.1
I am also running unbound as a reverse DNS proxy for the local network on this box, binding to eth1.
The alerts logged are:
{"timestamp":"2016-08-16T18:58:55.285853+0200","flow_id":4250627771,"in_iface":"eth1","event_type":"alert","src_ip":"x.x.x.x","src_port":53,"dest_ip":"x.x.x.x","dest_port":42924,"proto":"UDP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2240002,"rev":1,"signature":"SURICATA DNS malformed request data","category":"","severity":3}}
over and over again.
dest_ip is pretty much every active client on the network, including desktops, smartphones and tablets ranging from Windows over Linux/Android to OSX/iOS.
The src_ip is listed under DNS_SERVERS in
vars:
  address-groups:
For the time being I disabled the two noisy messages
suppress gen_id 1, sig_id 2240002
suppress gen_id 1, sig_id 2200037
to stop it from spamming my dashboard.
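Before blanket-suppressing a decoder/app-layer event as the reporter did, it helps to measure how broadly it actually fires (how many distinct destination hosts, from how many sources) and, where one source accounts for all of it, to write the narrower `track by_src` form of the suppress line instead. The script below is an added example for this ticket, not Suricata code or anything from the reporter: it parses eve.json alert records in the format of the alert shown above, aggregates them per signature, and emits threshold.config `suppress` lines. The sample EVE lines, IP addresses and the pairing of sid 2200037 with the TCP event text are constructed for the example.

```python
"""Triage noisy Suricata EVE JSON alerts before writing suppress rules.

Added example, not Suricata's own code. Reads eve.json 'alert' records,
summarises each signature (hit count, distinct src/dest hosts) and proposes
threshold.config 'suppress' lines for signatures hitting many hosts.
"""
import json

# Constructed sample lines modelled on the alert quoted in the report
# (IPs and the 2200037 signature text are made up for the example).
SAMPLE_EVE_LINES = [
    '{"timestamp":"2016-08-16T18:58:55.285853+0200","flow_id":4250627771,"in_iface":"eth1",'
    '"event_type":"alert","src_ip":"10.0.0.1","src_port":53,"dest_ip":"10.0.0.20","dest_port":42924,'
    '"proto":"UDP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2240002,"rev":1,'
    '"signature":"SURICATA DNS malformed request data","category":"","severity":3}}',
    '{"timestamp":"2016-08-16T18:58:56.001000+0200","flow_id":4250627772,"in_iface":"eth1",'
    '"event_type":"alert","src_ip":"10.0.0.1","src_port":53,"dest_ip":"10.0.0.21","dest_port":51000,'
    '"proto":"UDP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2240002,"rev":1,'
    '"signature":"SURICATA DNS malformed request data","category":"","severity":3}}',
    '{"timestamp":"2016-08-16T18:58:57.002000+0200","flow_id":4250627773,"in_iface":"eth1",'
    '"event_type":"alert","src_ip":"10.0.0.1","src_port":53,"dest_ip":"10.0.0.22","dest_port":51001,'
    '"proto":"UDP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2240002,"rev":1,'
    '"signature":"SURICATA DNS malformed request data","category":"","severity":3}}',
    '{"timestamp":"2016-08-16T18:59:00.000000+0200","flow_id":4250627774,"in_iface":"eth1",'
    '"event_type":"alert","src_ip":"10.0.0.30","src_port":44000,"dest_ip":"203.0.113.5","dest_port":443,'
    '"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2200037,"rev":1,'
    '"signature":"SURICATA TCP duplicated option","category":"","severity":3}}',
    # A non-alert record and a truncated line, both of which must be skipped.
    '{"timestamp":"2016-08-16T18:59:01.000000+0200","event_type":"dns","dns":{"type":"query"}}',
    '{"timestamp":"2016-08-16T18:59:02.000000+0200","event_type":"alert","src_ip":"10.0.0.1"',
]


def parse_eve_alerts(lines):
    """Yield parsed 'alert' records, skipping other event types and lines
    that are not complete JSON (e.g. a partially written last line)."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except ValueError:
            continue
        if rec.get("event_type") == "alert" and isinstance(rec.get("alert"), dict):
            yield rec


def summarize_alerts(lines):
    """Return {(gid, sid): {"signature", "count", "src_ips", "dest_ips"}}."""
    summary = {}
    for rec in parse_eve_alerts(lines):
        a = rec["alert"]
        key = (a["gid"], a["signature_id"])
        entry = summary.setdefault(key, {
            "signature": a.get("signature", ""),
            "count": 0, "src_ips": set(), "dest_ips": set(),
        })
        entry["count"] += 1
        entry["src_ips"].add(rec.get("src_ip"))
        entry["dest_ips"].add(rec.get("dest_ip"))
    return summary


def suppress_lines(summary, min_hosts=2):
    """Propose threshold.config suppress lines for signatures that hit at
    least min_hosts distinct destinations. When every hit came from one
    source, narrow the rule with 'track by_src' so only that source is
    silenced rather than the signature everywhere."""
    out = []
    for (gid, sid), e in sorted(summary.items()):
        if len(e["dest_ips"]) < min_hosts:
            continue
        if len(e["src_ips"]) == 1:
            (src,) = e["src_ips"]
            out.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}")
        else:
            out.append(f"suppress gen_id {gid}, sig_id {sid}")
    return out


if __name__ == "__main__":
    summary = summarize_alerts(SAMPLE_EVE_LINES)
    for (gid, sid), e in sorted(summary.items()):
        print(f"{gid}:{sid} {e['signature']!r}: {e['count']} alerts, "
              f"{len(e['src_ips'])} src, {len(e['dest_ips'])} dest hosts")
    print("\n".join(suppress_lines(summary)))
```

Run it against a real log with `summarize_alerts(open("/var/log/suricata/eve.json"))`; the by_src narrowing is only a sensible default when the single source is a known server such as the DNS_SERVERS entry in this report, so review the proposed lines before copying them into threshold.config.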
Updated by . . over 8 years ago
Victor Julien wrote:
I can confirm the TCP issue. Will work on a fix. Haven't investigated the DNS one yet.
Update on the DNS issue since I had some spare time.
It does look like rDNS requests (e.g. nslookup 10.0.0.1) are triggering the alerts.
I am able to reproduce this reliably from any random client on the network.
Dunno why Suricata thinks this is "malformed request data" especially since nsd (running behind unbound) has a reverse lookup zone (in-addr.arpa) configured and is responding to all rDNS requests with the expected answer.
Updated by Victor Julien over 8 years ago
Can you share a small pcap of the DNS traffic triggering the rule?
Updated by Victor Julien over 8 years ago
- Tracker changed from Support to Bug
This should fix the TCP opt issue and also addresses a DNS parsing issue: https://github.com/inliniac/suricata/pull/2189
Updated by Victor Julien over 8 years ago
- Status changed from Assigned to Closed