Bug #1858

Lots of TCP 'duplicated option/DNS malformed request data' after upgrading from 3.0.1 to 3.1.1

Added by . . about 8 years ago. Updated about 8 years ago.

Status:
Closed
Priority:
High
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Running:
CentOS 7.2.1511 (Core)
Suricata 3.1.1 RELEASE w/ libpcap

After upgrading from 3.0.1 to 3.1.1 I am seeing tons of "TCP duplicated option" and "DNS malformed request data" events, which is creating a lot of noise on my dashboard.

I noticed suricata.yaml received an overhaul; I already migrated my old config to the new (rpm) one (in case some defaults had been changed), but to no avail.

What am I missing here, except disabling the rules/adding a threshold, to get rid of this?

Actions #1

Updated by Andreas Herz about 8 years ago

  • Assignee set to Anonymous
  • Target version set to TBD

How do you run suricata?
And can you try to reproduce it with a pcap?

Actions #2

Updated by Victor Julien about 8 years ago

  • Status changed from New to Assigned
  • Assignee changed from Anonymous to Victor Julien
  • Priority changed from Normal to High
  • Target version changed from TBD to 3.1.2

I can confirm the TCP issue. Will work on a fix. Haven't investigated the DNS one yet.
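
The TCP condition confirmed above, as an added example that is not part of this ticket or of Suricata's decoder: a small option-list walker that flags an option kind appearing twice in one header, which is what the "TCP duplicated option" event is about as I read it. The sample headers (a typical SYN option list, and the same list with a second timestamp option appended) are constructed for this example; the builder and the TS/MSS names are mine, not Suricata's.

```python
"""Walk a TCP option list and report option kinds that appear more than once.

Added example, not Suricata's decoder. NOP (1) and EOL (0) are padding and are
not counted as duplicates. The sample headers below are constructed.
"""
import struct

EOL, NOP = 0, 1
OPTION_NAMES = {2: "MSS", 3: "WScale", 4: "SAckOK", 5: "SAck", 8: "TS"}


def parse_tcp_options(opts: bytes):
    """Return [(kind, payload), ...]; raise ValueError on a truncated or bad option."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == EOL:            # end of list; anything after is padding
            break
        if kind == NOP:            # single-byte option, no length field
            out.append((kind, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option kind %d has no length byte" % kind)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option kind %d has bad length %d" % (kind, length))
        out.append((kind, opts[i + 2:i + length]))
        i += length
    return out


def option_list_is_valid(opts: bytes) -> bool:
    try:
        parse_tcp_options(opts)
        return True
    except ValueError:
        return False


def duplicated_option_kinds(opts: bytes):
    """Kinds (other than NOP) seen more than once, in order of first repeat."""
    seen, dups = set(), []
    for kind, _ in parse_tcp_options(opts):
        if kind == NOP:
            continue
        if kind in seen and kind not in dups:
            dups.append(kind)
        seen.add(kind)
    return dups


def build_tcp_header(opts: bytes, sport=40000, dport=80, flags=0x02):
    """Minimal TCP header (no IP header) carrying opts, EOL-padded to a 32-bit boundary."""
    opts = opts + b"\x00" * ((-len(opts)) % 4)
    data_offset = (20 + len(opts)) // 4
    fixed = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset << 4, flags, 65535, 0, 0)
    return fixed + opts


def tcp_options_from_header(segment: bytes) -> bytes:
    """Slice the option bytes out of a raw TCP header using its data offset."""
    if len(segment) < 20:
        raise ValueError("short TCP header")
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset %d" % data_offset)
    return segment[20:data_offset]


# Constructed samples. A common SYN option list: MSS 1460, SAckOK, TS, NOP, WScale 7.
CLEAN_OPTS = (b"\x02\x04\x05\xb4" + b"\x04\x02"
              + b"\x08\x0a" + struct.pack("!II", 1, 0)
              + b"\x01" + b"\x03\x03\x07")
# The same list with a second timestamp option (kind 8) appended.
DUP_OPTS = CLEAN_OPTS + b"\x08\x0a" + struct.pack("!II", 2, 0)


def report(segment: bytes) -> str:
    dups = duplicated_option_kinds(tcp_options_from_header(segment))
    if not dups:
        return "ok"
    return "duplicated option(s): " + ", ".join(OPTION_NAMES.get(k, str(k)) for k in dups)


if __name__ == "__main__":
    print(report(build_tcp_header(CLEAN_OPTS)))   # ok
    print(report(build_tcp_header(DUP_OPTS)))     # duplicated option(s): TS
```

Run it against option bytes pulled from a suspect packet in the pcap Andreas asked for; if the walker reports no repeat for a segment that still raises the event, the problem is on the decoder side rather than in the traffic.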

Actions #3

Updated by . . about 8 years ago

Sorry for being late!

Andreas Herz wrote:

How do you run Suricata?

Nothing fancy really, the installation is acting as a router (iptables w/ nat & ip_forward) for a "small" private network.

Suricata installed from epel, running on the local facing interface:

pcap:
  - interface: eth1

with SG/GRO/LRO/TSO/GSO disabled:
ethtool -K eth1 sg off gro off lro off tso off gso off

since Suricata logged a warning suggesting this after upgrading from 3.0.1. Pre 3.1.1 it was just:
ethtool -K eth1 rx off tx off gro off

I am also running unbound as a reverse DNS proxy for the local network on this box, binding to eth1.

The alerts logged are:

{"timestamp":"2016-08-16T18:58:55.285853+0200","flow_id":4250627771,"in_iface":"eth1","event_type":"alert","src_ip":"x.x.x.x","src_port":53,"dest_ip":"x.x.x.x","dest_port":42924,"proto":"UDP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2240002,"rev":1,"signature":"SURICATA DNS malformed request data","category":"","severity":3}}

over and over again.

The dest_ip is pretty much every active client on the network, including desktops, smartphones and tablets, ranging from Windows over Linux/Android to OSX/iOS.

The src_ip is listed under DNS_SERVERS in

vars:
  address-groups:

For the time being I disabled the two noisy messages

suppress gen_id 1, sig_id 2240002
suppress gen_id 1, sig_id 2200037

to stop it from spamming my dashboard.

Actions #4

Updated by . . about 8 years ago

Victor Julien wrote:

I can confirm the TCP issue. Will work on a fix. Haven't investigated the DNS one yet.

Update on the DNS issue since i had some spare time.

It does look like rDNS requests (e.g. nslookup 10.0.0.1) are triggering the alerts.
I am able to reproduce this reliably from any random client on the network.

Dunno why Suricata thinks this is "malformed request data" especially since nsd (running behind unbound) has a reverse lookup zone (in-addr.arpa) configured and is responding to all rDNS requests with the expected answer.
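
What such a reverse lookup looks like on the wire, as an added example that is not part of this ticket or of Suricata's DNS parser: a PTR query for 10.0.0.1 (the reporter's nslookup case) and a response with one PTR record, plus a compression-aware parser that rejects the usual malformations (truncated sections, labels over 63 octets, compression pointers that do not point backwards). The transaction ID, the answer name host.example and the TTL are constructed. Comparing a captured exchange against this by hand is a quick way to tell whether "malformed" describes the packet or the parser.

```python
"""Build and parse a reverse (PTR) lookup, e.g. what nslookup 10.0.0.1 sends.

Added example, not Suricata code. Sample txid, target name and TTL are constructed.
"""
import struct

QTYPE_PTR, QCLASS_IN = 12, 1


def reverse_name(ipv4: str) -> str:
    """10.0.0.1 -> 1.0.0.10.in-addr.arpa"""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa"


def encode_name(name: str) -> bytes:
    """Uncompressed wire form: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_ptr_query(ipv4: str, txid: int = 0x1234) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + encode_name(reverse_name(ipv4)) + struct.pack("!HH", QTYPE_PTR, QCLASS_IN)


def build_ptr_response(query: bytes, target: str, ttl: int = 300) -> bytes:
    """Answer with one PTR record; the owner name is a compression pointer to the question."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA, NOERROR
    rdata = encode_name(target)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_PTR, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answer


def decode_name(msg: bytes, off: int):
    """Return (dotted name, offset after the name). Each compression pointer must
    point strictly backwards, so the walk cannot loop."""
    labels, end, jumped = [], None, False
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        ln = msg[off]
        if ln == 0:
            off += 1
            break
        if ln & 0xC0 == 0xC0:
            if off + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if ptr >= off:
                raise ValueError("compression pointer does not point backwards")
            if not jumped:
                end, jumped = off + 2, True
            off = ptr
            continue
        if ln > 63:
            raise ValueError("label longer than 63 octets")
        if off + 1 + ln > len(msg):
            raise ValueError("label runs past end of message")
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln
    return ".".join(labels), (end if jumped else off)


def parse_message(msg: bytes) -> dict:
    """Parse header, question and answer sections; raise ValueError if malformed."""
    if len(msg) < 12:
        raise ValueError("short header")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        if off + 4 > len(msg):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, off = decode_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated resource record")
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if off + rdlen > len(msg):
            raise ValueError("rdata runs past end of message")
        rdata = decode_name(msg, off)[0] if rtype == QTYPE_PTR else msg[off:off + rdlen]
        off += rdlen
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "response": bool(flags & 0x8000), "rcode": flags & 0xF,
            "questions": questions, "answers": answers}


def is_well_formed(msg: bytes) -> bool:
    try:
        parse_message(msg)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    q = build_ptr_query("10.0.0.1")
    r = build_ptr_response(q, "host.example")
    print(parse_message(q)["questions"])   # [('1.0.0.10.in-addr.arpa', 12, 1)]
    print(parse_message(r)["answers"])     # [('1.0.0.10.in-addr.arpa', 12, 300, 'host.example')]
    print(is_well_formed(q[:-3]))          # False
```

Feed the UDP payload of a packet from the capture to parse_message: a clean parse of traffic that still raises sid 2240002 points at the engine's parser, which is what the pull request Victor links below set out to fix.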

Actions #5

Updated by Victor Julien about 8 years ago

Can you share a small pcap of the DNS traffic triggering the rule?

Actions #6

Updated by Victor Julien about 8 years ago

  • Tracker changed from Support to Bug

This should fix the TCP opt issue and also addresses a DNS parsing issue: https://github.com/inliniac/suricata/pull/2189

Actions #7

Updated by Victor Julien about 8 years ago

  • Status changed from Assigned to Closed