Bug #2001
closed
Handling of unsolicited DNS responses.
Description
When a DNS response is received that has a different ID there are 2 issues:
- An unsolicited DNS response event is not raised.
- The legitimate response, received after the unsolicited response, is not logged.
The first issue is that the unsolicited response caused a new transaction to be created without incrementing the transaction ID first, which meant we had 2 transactions with the same ID, causing the event to not be recorded correctly.
The second issue is due to transactions which are not complete not being fully logged if a more recent transaction has been fully logged - other protocols that can have overlapping transactions such as DNP3 can also run into this issue.
Updated by Jason Ish almost 8 years ago
- Status changed from Assigned to Closed
- Target version changed from 70 to 3.2.1
Fix merged, see: https://github.com/inliniac/suricata/pull/2493 and https://github.com/inliniac/suricata/pull/2486.
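
The second issue from the description, reproduced in a simplified model. This is an added example, not Suricata's code or the merged fix; the `Tx` struct, both logger functions and the two-transaction scenario are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model with hypothetical names; not Suricata's structures. */
typedef struct { uint64_t id; bool complete; bool logged; } Tx;

/* Logger A: one "next ID to log" cursor. Logging a newer transaction
 * moves the cursor past older ones that were still incomplete. */
static size_t log_with_cursor(const Tx *txs, size_t n, uint64_t *next) {
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        if (txs[i].id >= *next && txs[i].complete) {
            *next = txs[i].id + 1;
            count++;
        }
    return count;
}

/* Logger B: every transaction remembers whether it has been logged. */
static size_t log_with_flags(Tx *txs, size_t n) {
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        if (txs[i].complete && !txs[i].logged) {
            txs[i].logged = true;
            count++;
        }
    return count;
}

/* Constructed scenario: tx 0 is a query still waiting for its answer and
 * tx 1 is an unsolicited response. The logger runs before and after the
 * legitimate answer completes tx 0; the return value is the total logged. */
size_t total_logged(bool per_tx_flags) {
    Tx txs[2] = { { 0, false, false }, { 1, true, false } };
    size_t total = 0;
    uint64_t next = 0;
    for (int pass = 0; pass < 2; pass++) {
        total += per_tx_flags ? log_with_flags(txs, 2)
                              : log_with_cursor(txs, 2, &next);
        txs[0].complete = true; /* legitimate response arrives */
    }
    return total;
}

int main(void) {
    printf("cursor: %zu/2, flags: %zu/2\n", total_logged(false), total_logged(true));
}
```

With the single cursor, the legitimate response to tx 0 never reaches the log once tx 1 has been logged, which is the gap a detection engineer would see as a missing DNS answer record.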