Bug #4178
open
DNS Query triggers alert but no output in alert-debug.log
Added by Andreas Herz almost 4 years ago.
Updated over 1 year ago.
Description
If you run this rule:
alert dns $HOME_NET any -> any any (msg:"BAR"; dns.query; content:"suricata-ids.org"; sid:1337; rev:1;)
against the attached pcap, or do the lookup `dig -t A suricata-ids.org` while listening on the interface, you will trigger the correct alert but won't see any alert-debug.log output.
+================
TIME: 11/23/2020-22:52:41.140580
PKT SRC: wire/pcap
SRC IP: 10.23.0.135
DST IP: 8.8.8.8
PROTO: 17
SRC PORT: 37906
DST PORT: 53
FLOW: to_server: TRUE, to_client: FALSE
FLOW Start TS: 11/23/2020-22:52:41.140580
FLOW PKTS TODST: 1
FLOW PKTS TOSRC: 0
FLOW Total Bytes: 99
FLOW IPONLY SET: TOSERVER: TRUE, TOCLIENT: FALSE
FLOW ACTION: DROP: FALSE
FLOW NOINSPECTION: PACKET: FALSE, PAYLOAD: FALSE, APP_LAYER: FALSE
FLOW APP_LAYER: DETECTED: TRUE, PROTO 11
PACKET LEN: 99
PACKET:
0000 F4 90 EA 00 25 CE 00 1B 21 22 46 10 08 00 45 00 ....%... !"F...E.
0010 00 55 B2 D3 00 00 40 11 AD 17 0A 17 00 87 08 08 .U....@. ........
0020 08 08 94 12 00 35 00 41 1B 00 1F 67 01 20 00 01 .....5.A ...g. ..
0030 00 00 00 00 00 01 0C 73 75 72 69 63 61 74 61 2D .......s uricata-
0040 69 64 73 03 6F 72 67 00 00 01 00 01 00 00 29 10 ids.org. ......).
0050 00 00 00 00 00 00 0C 00 0A 00 08 20 E8 33 93 11 ........ ... .3..
0060 76 FD BA v..
ALERT CNT: 1
ALERT MSG [00]: BAR
ALERT GID [00]: 1
ALERT SID [00]: 1337
ALERT REV [00]: 1
ALERT CLASS [00]: <none>
ALERT PRIO [00]: 3
ALERT FOUND IN [00]: PACKET
ALERT IN TX [00]: N/A
PAYLOAD LEN: 57
PAYLOAD:
0000 1F 67 01 20 00 01 00 00 00 00 00 01 0C 73 75 72 .g. .... .....sur
0010 69 63 61 74 61 2D 69 64 73 03 6F 72 67 00 00 01 icata-id s.org...
0020 00 01 00 00 29 10 00 00 00 00 00 00 0C 00 0A 00 ....)... ........
0030 08 20 E8 33 93 11 76 FD BA . .3..v. .
If you enforce it live with a rule like
alert ip $HOME_NET any -> any any (msg:"BAR"; content:"suricata-ids"; sid:1337; rev:1;)
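As an added example (not from the report or from Suricata itself), a small Python parser for the alert-debug.log record format shown above: it rebuilds the PAYLOAD bytes from the hex dump, checks them against PAYLOAD LEN, and decodes the DNS question name, so one can confirm which query a packet-level alert actually fired on. The sample record is the one quoted in this report, trimmed to the fields the parser uses.

```python
import re

# Constructed sample: the alert-debug.log record from this report, trimmed to the fields used below.
SAMPLE_RECORD = """+================
SRC IP: 10.23.0.135
DST IP: 8.8.8.8
ALERT SID [00]: 1337
ALERT FOUND IN [00]: PACKET
PAYLOAD LEN: 57
PAYLOAD:
0000 1F 67 01 20 00 01 00 00 00 00 00 01 0C 73 75 72 .g. .... .....sur
0010 69 63 61 74 61 2D 69 64 73 03 6F 72 67 00 00 01 icata-id s.org...
0020 00 01 00 00 29 10 00 00 00 00 00 00 0C 00 0A 00 ....)... ........
0030 08 20 E8 33 93 11 76 FD BA . .3..v. .
+================
"""

HEX_ROW = re.compile(r"^[0-9A-F]{4} ")    # "0000 1F 67 ..." rows under PACKET:/PAYLOAD:
HEX_BYTE = re.compile(r"^[0-9A-F]{2}$")

def parse_alert_debug(text):
    """Parse one alert-debug.log record into a dict; PACKET/PAYLOAD dumps become bytes."""
    fields, section = {}, None
    for line in text.splitlines():
        if line.startswith("+===") or not line.strip():
            continue
        if HEX_ROW.match(line):
            for tok in line.split()[1:17]:         # at most 16 bytes, then the ASCII column
                if not HEX_BYTE.match(tok):        # first non-hex token starts the ASCII column
                    break
                fields[section] += bytes.fromhex(tok)
            continue
        key, _, value = (s.strip() for s in line.partition(":"))
        if value:                                  # plain "KEY: value" line
            fields[key] = value
        else:                                      # "PACKET:" / "PAYLOAD:" opens a hex dump
            section, fields[key] = key, b""
    if len(fields.get("PAYLOAD", b"")) != int(fields.get("PAYLOAD LEN", 0)):
        raise ValueError("PAYLOAD LEN does not match the dumped bytes")
    return fields

def dns_question(payload):
    """Return (qname, qtype) of the first question in a raw DNS message."""
    labels, pos = [], 12                           # skip the 12-byte DNS header
    while payload[pos] != 0:                       # labels until the root (0x00)
        n = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype = int.from_bytes(payload[pos + 1:pos + 3], "big")
    return ".".join(labels), qtype
```

For the record above, `dns_question(parse_alert_debug(SAMPLE_RECORD)["PAYLOAD"])` yields `("suricata-ids.org", 1)`, i.e. an A query for the name the rule matched on.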