Project

General

Profile

Actions

Bug #5941

closed

DNS rules not matching when traffic is over tcp

Added by Giuseppe Longo almost 2 years ago. Updated about 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

I've found out that when dns traffic is over tcp and multiple dns rules are loaded,
they don't match when they should be.

The issue can be reproduced running suricata with the pcap from 'suricata-verify/tests/dns-tcp-www-google-com/' directory
with the following rules:

alert dns any any -> any any (msg:"Test dns.query"; dns.query; content:"google"; sid:1;)
alert dns any any -> any any (msg:"Test dns.opcode"; dns.opcode:0; flow:to_client; sid:2;)

Few lines from suricata:

Info: detect: 2 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 2 inspect application layer, 0 are decoder event only [SigAddressPrepareStage1:detect-engine-build.c:1480]
Config: detect: building signature grouping structure, stage 1: preprocessing rules... complete [SigAddressPrepareStage1:detect-engine-build.c:1486]
Info: pcap: pcap file /home/gl/git/suricata-verify/tests/dns-tcp-www-google-com/dns.pcap end of file reached (pcap err code 0) [PcapFileDispatch:source-pcap-file-helper.c:163]
Info: counters: Alerts: 0 [StatsLogSummary:counters.c:871]

If only one rule is loaded, there is a match:

- sid 1:

Info: detect: 1 rule files processed. 1 rules successfully loaded, 0 rules failed [SigLoadSignatures:detect-engine-loader.c:363]
Info: threshold-config: Threshold config parsed: 0 rule(s) found [SCThresholdConfParseFile:util-threshold-config.c:1112]
Info: detect: 1 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 1 inspect application layer, 0 are decoder event only [SigAddressPrepareStage1:detect-engine-build.c:1480]
Info: counters: Alerts: 1 [StatsLogSummary:counters.c:871]

> cat /tmp/eve.json | jq -c 'select(.event_type=="alert")' | jq .
{
  "timestamp": "2017-01-26T21:16:58.270740+0100",
  "flow_id": 828390012614559,
  "pcap_cnt": 7,
  "event_type": "alert",
  "src_ip": "10.16.1.11",
  "src_port": 38195,
  "dest_ip": "8.8.4.4",
  "dest_port": 53,
  "proto": "TCP",
  "pkt_src": "wire/pcap",
  "tx_id": 0,
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 1,
    "rev": 0,
    "signature": "Test dns.query",
    "category": "",
    "severity": 3
  },
  "dns": {
    "query": [
      {
        "type": "query",
        "id": 24440,
        "rrname": "www.google.com",
        "rrtype": "A",
        "tx_id": 0,
        "opcode": 0
      }
    ]
  },
  "app_proto": "dns",
  "direction": "to_server",
  "flow": {
    "pkts_toserver": 4,
    "pkts_toclient": 3,
    "bytes_toserver": 329,
    "bytes_toclient": 443,
    "start": "2017-01-26T21:16:58.192874+0100",
    "src_ip": "10.16.1.11",
    "dest_ip": "8.8.4.4",
    "src_port": 38195,
    "dest_port": 53
  }
}

- sid 2:

Info: detect: 1 rule files processed. 1 rules successfully loaded, 0 rules failed [SigLoadSignatures:detect-engine-loader.c:363]
Info: threshold-config: Threshold config parsed: 0 rule(s) found [SCThresholdConfParseFile:util-threshold-config.c:1112]
Info: detect: 1 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 1 inspect application layer, 0 are decoder event only [SigAddressPrepareStage1:detect-engine-build.c:1480]
Info: counters: Alerts: 1 [StatsLogSummary:counters.c:871]

> cat /tmp/eve.json | jq -c 'select(.event_type=="alert")' | jq .
{
  "timestamp": "2017-01-26T21:16:58.309447+0100",
  "flow_id": 828391467481599,
  "pcap_cnt": 9,
  "event_type": "alert",
  "src_ip": "8.8.4.4",
  "src_port": 53,
  "dest_ip": "10.16.1.11",
  "dest_port": 38195,
  "proto": "TCP",
  "pkt_src": "wire/pcap",
  "tx_id": 1,
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 2,
    "rev": 0,
    "signature": "Test dns.opcode",
    "category": "",
    "severity": 3
  },
  "dns": {
    "answer": {
      "version": 2,
      "type": "answer",
      "id": 24440,
      "flags": "8180",
      "qr": true,
      "rd": true,
      "ra": true,
      "opcode": 0,
      "rrname": "www.google.com",
      "rrtype": "A",
      "rcode": "NOERROR" 
    }
  },
  "app_proto": "dns",
  "direction": "to_client",
  "flow": {
    "pkts_toserver": 5,
    "pkts_toclient": 4,
    "bytes_toserver": 395,
    "bytes_toclient": 509,
    "start": "2017-01-26T21:16:58.192874+0100",
    "src_ip": "10.16.1.11",
    "dest_ip": "8.8.4.4",
    "src_port": 38195,
    "dest_port": 53
  }
}

When the traffic is over udp, the rules works properly:

Info: detect: 1 rule files processed. 2 rules successfully loaded, 0 rules failed [SigLoadSignatures:detect-engine-loader.c:363]
Info: threshold-config: Threshold config parsed: 0 rule(s) found [SCThresholdConfParseFile:util-threshold-config.c:1112]
Info: detect: 2 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 2 inspect application layer, 0 are decoder event only [SigAddressPrepareStage1:detect-engine-build.c:1480]
Info: pcap: Starting file run for /home/gl/git/suricata-verify/tests/dns-opcode/dns-notify.pcap [ReceivePcapFileLoop:source-pcap-file.c:179]
Info: counters: Alerts: 2 [StatsLogSummary:counters.c:871]

> cat /tmp/eve.json | jq -c 'select(.event_type=="alert")
{"timestamp":"2013-09-23T23:05:00.840155+0200","flow_id":1356640486569935,"pcap_cnt":1,"event_type":"alert","src_ip":"217.70.190.232","src_port":55612,"dest_ip":"204.62.14.153","dest_port":53,"proto":"UDP","pkt_src":"wire/pcap","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":1,"rev":0,"signature":"Test dns.query","category":"","severity":3},"dns":{"query":[{"type":"query","id":38504,"rrname":"bortzmeyer.42","rrtype":"SOA","tx_id":0,"opcode":4}]},"app_proto":"dns","direction":"to_server","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":165,"bytes_toclient":0,"start":"2013-09-23T23:05:00.840155+0200","src_ip":"217.70.190.232","dest_ip":"204.62.14.153","src_port":55612,"dest_port":53}}
{"timestamp":"2013-09-23T23:05:00.840411+0200","flow_id":1356640486569935,"pcap_cnt":2,"event_type":"alert","src_ip":"204.62.14.153","src_port":53,"dest_ip":"217.70.190.232","dest_port":55612,"proto":"UDP","pkt_src":"wire/pcap","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2,"rev":0,"signature":"Test dns.opcode","category":"","severity":3},"dns":{"answer":{"version":2,"type":"answer","id":38504,"flags":"a400","qr":true,"aa":true,"opcode":4,"rrname":"bortzmeyer.42","rrtype":"SOA","rcode":"NOERROR"}},"app_proto":"dns","direction":"to_client","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":165,"bytes_toclient":73,"start":"2013-09-23T23:05:00.840155+0200","src_ip":"217.70.190.232","dest_ip":"204.62.14.153","src_port":55612,"dest_port":53}}
Actions #1

Updated by Philippe Antoine about 1 year ago

  • Status changed from New to Closed

With updating suricata.yaml for this S-V test dns-tcp-www-google-com

diff --git a/tests/dns-tcp-www-google-com/suricata.yaml b/tests/dns-tcp-www-google-com/suricata.yaml
index 6bc3c0de..889d62ed 100644
--- a/tests/dns-tcp-www-google-com/suricata.yaml
+++ b/tests/dns-tcp-www-google-com/suricata.yaml
@@ -9,4 +9,5 @@ outputs:
   - eve-log:
       enabled: yes
       types:
+        - alert
         - dns:

And adding test.rules

alert dns any any -> any any (msg:"Test dns.query"; dns.query; content:"google"; sid:1;)
alert dns any any -> any any (msg:"Test dns.opcode"; dns.opcode:0; flow:to_client; sid:2;)

I get the alerts as expected with latest suricata master commit c8a7204b159553d338a6294218e696a72efdb4db

jq .alert output/eve.json | more
null
{
  "action": "allowed",
  "gid": 1,
  "signature_id": 1,
  "rev": 0,
  "signature": "Test dns.query",
  "category": "",
  "severity": 3
}
null
{
  "action": "allowed",
  "gid": 1,
  "signature_id": 2,
  "rev": 0,
  "signature": "Test dns.opcode",
  "category": "",
  "severity": 3
}

Actions #2

Updated by Philippe Antoine about 1 year ago

@Giuseppe Longo let me know if you still encounter a bug here

Actions #3

Updated by Brandon Murphy about 1 year ago

FWIW, I could replicate this in 6.0.0 but not 6.0.13. I'm not sure where it got resolved in the 6.x branch, but it appears to have been resolved.

I could not replicate it on any 7.0.0 or 7.0.3-dev.

EDIT** Looks like it was resolved in 6.0.11 - here are the resolved tickets in 6.0.11, https://redmine.openinfosecfoundation.org/versions/187

Actions

Also available in: Atom PDF