
Bug #2146


DNS answer not logged with eve-log

Added by Fanny Dwargee over 7 years ago. Updated about 5 years ago.

Status:
Closed
Priority:
High
Assignee:
Jason Ish
Target version:
5.0rc1

Description

Tested on Suricata version: 4.0.0-beta1 RELEASE

The following DNS answer is not logged to the eve-log file although the dns event type is enabled for queries and answers:

Frame Number = 71
IPSrc        = 192.168.61.2
PortSrc      = 53
IPDst        = 192.168.1.14
PortDst      = 61884
Protocol     = UDP
DNS Info     = Standard query response 0x57c0 A a6281279.yolox.net A 91.223.216.67 NS ns11.ayola.net NS ns10.ayola.net

The related suricata.yaml sections follow:

    HOME_NET: "[192.168.1.0/24]"
    DNS_SERVERS: "$HOME_NET"

  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json
      types:
        - alert:
            http: yes
            tls: yes
            ssh: no
            smtp: no
            dnp3: no
            vars: no
            tagged-packets: yes
            xff:
              enabled: no
        - dns:
            query: yes
            answer: yes
        - tls:
        - files:
            force-magic: yes
            force-hash: [sha1]
        - flow

The following eve.json line is the only reference to the UDP port 61884 and as you can see is of type "flow":

{"timestamp":"2016-05-09T15:15:58.067889+0200","flow_id":1602128252140595,"event_type":"flow","src_ip":"192.168.61.2","src_port":53,"dest_ip":"192.168.1.14","dest_port":61884,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":138,"bytes_toclient":0,"start":"2016-05-09T15:15:06.818227+0200","end":"2016-05-09T15:15:06.818227+0200","age":0,"state":"new","reason":"timeout","alerted":false}}

Find attached the original pcap


Files

malware.pcap (4.93 MB), Malware traffic, Fanny Dwargee, 06/14/2017 10:31 AM

Related issues: 1 (0 open, 1 closed)

Related to Suricata - Optimization #2272: Analyze DNS response if query is not present (status: Rejected, assignee: Jason Ish)
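The flow line in the report is the only trace the response left: a UDP flow whose first packet came from port 53, with app_proto "failed" and no dns event on the same flow_id. That shape is easy to hunt for in an existing eve.json. The script below is an added example written for this ticket, not part of the report or of Suricata; its sample input is constructed (the first line is the flow event quoted above, the other three are a made-up normal query/answer pair for contrast), and the heuristic it applies is an assumption about what an unparsed response looks like, not something Suricata documents.

```python
"""Triage Suricata eve.json for DNS responses that never produced a dns event.

Added example for this ticket; not Suricata code. SAMPLE_EVE is constructed:
line 1 is the flow event from the report, lines 2-4 are a made-up normal
query/answer exchange so the filter has something to leave alone.
"""
import json

SAMPLE_EVE = """\
{"timestamp":"2016-05-09T15:15:58.067889+0200","flow_id":1602128252140595,"event_type":"flow","src_ip":"192.168.61.2","src_port":53,"dest_ip":"192.168.1.14","dest_port":61884,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":138,"bytes_toclient":0,"start":"2016-05-09T15:15:06.818227+0200","end":"2016-05-09T15:15:06.818227+0200","age":0,"state":"new","reason":"timeout","alerted":false}}
{"timestamp":"2016-05-09T15:15:07.000000+0200","flow_id":1111,"event_type":"dns","src_ip":"192.168.1.14","src_port":50000,"dest_ip":"192.168.61.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":1,"rrname":"example.net","rrtype":"A"}}
{"timestamp":"2016-05-09T15:15:07.010000+0200","flow_id":1111,"event_type":"dns","src_ip":"192.168.61.2","src_port":53,"dest_ip":"192.168.1.14","dest_port":50000,"proto":"UDP","dns":{"type":"answer","id":1,"rrname":"example.net","rrtype":"A","rdata":"192.0.2.1"}}
{"timestamp":"2016-05-09T15:15:58.000000+0200","flow_id":1111,"event_type":"flow","src_ip":"192.168.1.14","src_port":50000,"dest_ip":"192.168.61.2","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":70,"bytes_toclient":138,"start":"2016-05-09T15:15:07.000000+0200","end":"2016-05-09T15:15:07.010000+0200","age":0,"state":"established","reason":"timeout","alerted":false}}
"""

DNS_PORT = 53


def parse_eve(text):
    """Yield one dict per non-empty eve.json line (one JSON object per line)."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def find_unlogged_dns_responses(events):
    """Return flow events that look like DNS responses the app layer never parsed.

    Heuristic (an assumption, not a documented Suricata signal): the flow's
    "server" side, i.e. the sender of the first packet seen, used source port
    53 over UDP, nothing ever flowed back, app-layer detection reported
    "failed", and no dns event shares the flow_id. That is the shape of the
    flow in the report: the response was the first packet, so the flow is
    reversed and the DNS parser never saw a query.
    """
    events = list(events)
    dns_flow_ids = {e["flow_id"] for e in events if e.get("event_type") == "dns"}
    hits = []
    for e in events:
        if e.get("event_type") != "flow" or e.get("proto") != "UDP":
            continue
        f = e.get("flow", {})
        if (e.get("src_port") == DNS_PORT
                and e.get("app_proto") == "failed"
                and f.get("pkts_toclient", 0) == 0
                and e["flow_id"] not in dns_flow_ids):
            hits.append(e)
    return hits


def summarize(hit):
    """One-line description of a suspicious flow for a triage report."""
    return "%s:%s -> %s:%s flow_id=%s bytes=%d" % (
        hit["src_ip"], hit["src_port"], hit["dest_ip"], hit["dest_port"],
        hit["flow_id"], hit["flow"]["bytes_toserver"])


if __name__ == "__main__":
    # Replace SAMPLE_EVE with open("eve.json").read() to run against a real log.
    for h in find_unlogged_dns_responses(parse_eve(SAMPLE_EVE)):
        print("unlogged DNS response:", summarize(h))
```

Running it on the sample flags only the flow from the report; the constructed query/answer pair is ignored because it has a dns event and app_proto "dns". On a real eve.json, each hit is a candidate packet to pull from the pcap by its 4-tuple and timestamp.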
Actions #1

Updated by Fanny Dwargee over 7 years ago

Forgot to add that the platform is:

~$ uname -a
Linux mad-dev 3.2.0-4-amd64 #1 SMP Debian 3.2.86-1 x86_64 GNU/Linux

Actions #2

Updated by Jason Ish over 7 years ago

Fanny Dwargee wrote:

Forgot to add that the platform is:
[...]

Did you build with Rust support (--enable-rust)?

Actions #3

Updated by Fanny Dwargee over 7 years ago

No, just with --enable-unix-socket

Actions #4

Updated by Fanny Dwargee over 7 years ago

Do you want me to rebuild with that option?

Actions #5

Updated by Jason Ish over 7 years ago

Fanny Dwargee wrote:

Do you want me to rebuild with that option?

No. Just need to know which code to verify this with. But will check and fix against both.

Actions #6

Updated by Jason Ish over 7 years ago

  • Assignee set to Jason Ish
  • Target version set to 70
Actions #7

Updated by Fanny Dwargee over 7 years ago

Just FYI...

Tested against Suricata v4.0.0-rc1 and the issue still persists.

Actions #8

Updated by Jason Ish over 7 years ago

So unfortunately DNS does require the request to be seen first, and as this is a response with no request it won't get logged.

This is something we'll be looking into, but not in the 4.0 time frame as it does require some non-trivial changes.
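The comment above explains the drop: the DNS parser keyed on a query it had already seen, so a response with no matching query was never decoded. A DNS response is nevertheless self-describing: it carries the transaction ID, repeats the question section and contains every record. The following added example (written for this ticket; it is not Suricata's parser and not the fix merged later) builds a message shaped like frame 71 from the report and decodes it using nothing but the response bytes. The bytes are constructed: TTLs, the flags word and the placement of compression pointers are assumptions, since the report only shows the decoded summary.

```python
"""Decode a DNS response on its own, without having seen the query.

Added example for this bug discussion; not Suricata code. build_response()
constructs bytes shaped like frame 71 in the report (TTLs, flags and the
compression layout are assumptions); parse_response() decodes them using
only the response itself, including compression pointers into the question.
"""
import struct

A, NS, CNAME = 1, 2, 5


def _labels(name):
    """Encode a dotted name as length-prefixed labels, without terminator."""
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))


def _ptr(offset):
    """Compression pointer to a name that appeared earlier (RFC 1035 4.1.4)."""
    return struct.pack("!H", 0xC000 | offset)


def build_response():
    """Constructed response: id 0x57c0, QR/RD/RA set, 1 question, 1 A, 2 NS."""
    msg = bytearray(struct.pack("!HHHHHH", 0x57C0, 0x8180, 1, 1, 2, 0))
    qname_off = len(msg)
    msg += _labels("a6281279.yolox.net") + b"\x00" + struct.pack("!HH", A, 1)
    zone_off = qname_off + 1 + len("a6281279")          # where "yolox.net" starts
    msg += _ptr(qname_off) + struct.pack("!HHIH", A, 1, 300, 4) + bytes([91, 223, 216, 67])
    ns1 = _labels("ns11.ayola.net") + b"\x00"
    msg += _ptr(zone_off) + struct.pack("!HHIH", NS, 1, 3600, len(ns1))
    ayola_off = len(msg) + 1 + len("ns11")               # where "ayola.net" starts
    msg += ns1
    ns2 = _labels("ns10") + _ptr(ayola_off)              # second NS reuses the suffix
    msg += _ptr(zone_off) + struct.pack("!HHIH", NS, 1, 3600, len(ns2)) + ns2
    return bytes(msg)


def _need(msg, off, n):
    """Bounds check so a truncated or hostile message raises, not IndexError."""
    if off + n > len(msg):
        raise ValueError("message truncated at offset %d" % off)


def read_name(msg, off, depth=0):
    """Return (name, offset just after the name as written at `off`).

    Follows compression pointers, which must point backwards; the depth
    limit stops pointer loops in a malformed message.
    """
    if depth > 16:
        raise ValueError("compression pointer chain too deep")
    labels = []
    while True:
        _need(msg, off, 1)
        length = msg[off]
        if length & 0xC0 == 0xC0:                        # pointer: two bytes, ends the name
            _need(msg, off, 2)
            target = ((length & 0x3F) << 8) | msg[off + 1]
            if target >= off:
                raise ValueError("compression pointer does not point backwards")
            suffix, _ = read_name(msg, target, depth + 1)
            labels.append(suffix)
            return ".".join(lab for lab in labels if lab), off + 2
        if length == 0:
            return ".".join(labels), off + 1
        _need(msg, off + 1, length)
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def parse_response(msg):
    """Decode header, question section and all resource records of a response."""
    _need(msg, 0, 12)
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        _need(msg, off, 4)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = read_name(msg, off)
            _need(msg, off, 10)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            _need(msg, off, rdlen)
            if rtype == A and rdlen == 4:
                value = ".".join(str(b) for b in msg[off:off + 4])
            elif rtype in (NS, CNAME):                   # rdata is a (compressible) name
                value, _ = read_name(msg, off)
            else:
                value = msg[off:off + rdlen].hex()
            off += rdlen
            records.append((section, name, rtype, value))
    return {"id": txid, "rcode": flags & 0xF, "questions": questions, "records": records}


if __name__ == "__main__":
    for section, name, rtype, value in parse_response(build_response())["records"]:
        print(section, name, rtype, value)
```

The question section gives the parser the owner name even when the query packet was never observed, which is what makes logging a response-only flow possible; the bounds checks and the backwards-only pointer rule are the parts worth keeping if this is adapted for untrusted captures.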

Actions #9

Updated by Fanny Dwargee over 7 years ago

Ok, thank you so much for your time. :)

Actions #10

Updated by Victor Julien about 6 years ago

  • Status changed from New to Assigned
  • Target version changed from 70 to 5.0beta1

Working on protocol detection changes that will allow for proper flow reversal and toclient only streams, so when that is ready this can get addressed.

Actions #11

Updated by Victor Julien about 6 years ago

Actions #12

Updated by Victor Julien over 5 years ago

  • Target version changed from 5.0beta1 to 5.0rc1
Actions #13

Updated by Jason Ish about 5 years ago

  • Status changed from Assigned to Closed

Fixed and merged to master with commit:5f1d21f2479ecb29e50b4181e8b186e8c44db441
