Bug #5444 (Closed)
dns: allow dns messages with invalid opcodes
Description
Currently a DNS message won't be detected as DNS if the opcode is considered invalid (greater than 7). We should probably accept any opcode, and then use rules to alert on invalid opcodes.
Research: Will this detect too much non DNS as DNS?
Files
Updated by Jason Taylor over 2 years ago
- File opcode8.pcap added
Just adding a sample UDP DNS query with opcode of 8 set. With the change discussed in this ticket, a signature such as 'alert dns any any -> any any (msg:"dns opcode 8"; dns.opcode:8; sid:123; rev:1;)' run against the attached pcap would alert.
Updated by Philippe Antoine over 2 years ago
To be noted: now that https://github.com/OISF/suricata/pull/7320 got merged, if a client sends junk to a DNS server, Suricata will recognize the protocol as DNS (with app_proto_tc: failed)
Updated by Victor Julien over 2 years ago
- Priority changed from Normal to High
- Label Needs backport to 6.0 added
Updated by Victor Julien over 2 years ago
@Philippe Antoine are you saying that in master this issue is resolved (by the PR you mentioned)?
Updated by Philippe Antoine over 2 years ago
That depends on how you define the issue.
If a DNS server uses invalid opcodes, as in the attached pcap, this issue is not resolved.
Updated by Victor Julien about 2 years ago
- Target version changed from 7.0.0-beta1 to 7.0.0-rc1
Updated by Jason Ish about 2 years ago
- Status changed from In Progress to In Review
Updated by Philippe Antoine almost 2 years ago
This ticket looks strange to me... What is the use case ?
Updated by Jason Ish almost 2 years ago
Detect DNS with invalid opcodes. Currently if a DNS message has a bad opcode we don't detect it as DNS, even if it is. Perhaps some DNS trickery. We go blind to it. Better to parse it as DNS and provide the ability to detect invalid opcodes.
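An added example (not Suricata's code) of the behaviour described in the comment above and in the earlier note about the `dns.opcode:8` signature: the header parser accepts any opcode, and a separate check plays the role of the rule. The sample query is constructed inline to mirror the attached opcode8.pcap; it is not extracted from it.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Opcodes with an IANA assignment: 0 QUERY, 1 IQUERY, 2 STATUS, 4 NOTIFY,
# 5 UPDATE, 6 DSO. Everything else (including 8) is unassigned.
ASSIGNED_OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE", 6: "DSO"}

@dataclass
class DnsHeader:
    id: int
    qr: int
    opcode: int
    qdcount: int
    ancount: int
    nscount: int
    arcount: int

def parse_header(msg: bytes) -> Optional[DnsHeader]:
    """Parse the 12-byte DNS header; the opcode value never causes rejection."""
    if len(msg) < 12:
        return None
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return DnsHeader(ident, flags >> 15, (flags >> 11) & 0xF, qd, an, ns, ar)

def looks_like_dns(msg: bytes, strict_opcode: bool) -> bool:
    """strict_opcode=True models the old behaviour (opcode > 7 rejected);
    False models the change in this ticket (any opcode accepted)."""
    hdr = parse_header(msg)
    if hdr is None:
        return False
    if strict_opcode and hdr.opcode > 7:
        return False
    # A query (qr=0) carrying no question is not plausible DNS.
    if hdr.qr == 0 and hdr.qdcount == 0:
        return False
    return True

def opcode_rule_matches(msg: bytes, wanted: int) -> bool:
    """Equivalent of a 'dns.opcode:<wanted>' check on the parsed header."""
    hdr = parse_header(msg)
    return hdr is not None and hdr.opcode == wanted

def build_query(opcode: int, name: str = "example.com") -> bytes:
    """Constructed sample: a UDP DNS A query with the given opcode (QR=0, RD=0)."""
    flags = (opcode & 0xF) << 11  # opcode occupies bits 11-14 of the flags word
    header = struct.pack("!6H", 0x1234, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
```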
Updated by Jason Ish almost 2 years ago
- Status changed from In Review to Resolved
Merged into master.
Updated by Victor Julien almost 2 years ago
- Status changed from Resolved to Closed
Updated by Victor Julien over 1 year ago
- Related to Bug #5550: dns: allow dns messages with invalid opcodes (6.0.x backport) added