Bug #6789
open
Dns remarks without showing dns name
Added by JP Pozzi 10 months ago.
Updated 6 months ago.
Description
Hello,
While using Suricata 7.02 or 7.03 I found that some alerts are lacking info.
I found one for the message:
ET POLICY Unusual number of DNS No Such Name Responses
The DNS name is not in the alert file ... it is annoying.
Regards
JP P
- Status changed from New to Feedback
A PCAP will be required to investigate further. It looks like this rule could easily alert on data that is not DNS, in which case there wouldn't be any DNS information to log.
Hello,
It was OK in the previous versions (6). One other rule does not display usable information:
"ET POLICY Credit Card Number Detected in Clear (16 digit spaced)"
The JSON info in the alert file is null: {}; in the previous version the display was meaningful.
Regards
JP P
It is the same problem with the rule:
"ET DNS Excessive NXDOMAIN responses - Possible DNS Backscatter or Domain Generation Algorithm Lookups"
No information is in the json file.
Regards
JP P
- Affected Versions 7.0.3 added
Hello,
Another message without any elements given in the alert file:
ET POLICY Credit Card Number Detected in Clear (16 digit spaced)
and no information in the eve alert file.
Regards
JP P
Hello,
The message:
"ET POLICY Credit Card Number Detected in Clear (16 digit spaced)" is not associated with any value in the eve file.
Regards
JP P
Hello,
All the small problems described here do not exist in version 6;
not having enough information to understand an alert is like not receiving the alert.
It is possible to name it: regression.
A lot of the signatures mentioned here require a threshold.
However, ET POLICY Credit Card Number Detected in Clear (16 digit spaced),
AKA 2001375, does not, so I thought that might be a good candidate to test with.
I was unable to replicate this issue. I tested with 6.0.0, 6.0.16, 7.0.0 and 7.0.4
7.0.4 alert output of the attached pcap
https://gist.github.com/zoomequipd/f6251494737b74dcbbf9f6ac8c9bed05
All of them appeared to have accurate information within the alert event type in the eve json.
@JP Pozzi would you be able to provide information to replicate your issue? A pcap, the suricata.yaml and the command line you are using to start suricata would be a good start.
Are you able to provide the exact version of 6.x you reference here?
It was OK in the previous versions (6). One other rule does not display usable information
- Affected Versions 7.0.5 added
- Affected Versions deleted (7.0.3)
Hello,
About the DNS "problem": the information on the "offender" is present in
the server response. I tried to follow the network activity on UDP/53 with
Wireshark and I get the following data (CSV format from Wireshark):
127 24.191888682 127.0.0.1 127.0.0.1 DNS 131 Standard query response 0x1871 No such name A xxxtf1.fr SOA a.nic.fr
The "offender" xxxtf1.fr is visible but is not present in the json file.
Remark: it seems OK in the dev version 8.
Regards
JP P
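As an added example (not code from the ticket or from the Suricata project), the following script shows how a defender can measure the gap described in this thread from the EVE log itself: it flags alert records whose app_proto promises an application-layer object (such as "dns") that is missing, and alert records whose rule name mentions DNS but where Suricata did not classify the flow as DNS, which is the situation the first reply points at. It also demonstrates that the "offender" name is frequently still recoverable from the dns event type on the same flow_id even when the alert record omits it. The sample EVE lines, the flow_id values and the signature ids 9000001/9000002 are constructed placeholders; 2001375 is the sid quoted above; the APP_LAYER_KEYS mapping is an assumption covering common protocols.

```python
import json
from collections import Counter, defaultdict

# Which EVE object an alert record should carry for a given app_proto
# (assumption: the common protocols; extend for your deployment).
APP_LAYER_KEYS = {"dns": "dns", "http": "http", "tls": "tls", "smtp": "smtp"}

# Constructed sample EVE lines, not taken from the ticket. Signature ids
# 9000001/9000002 are placeholders; 2001375 is the sid quoted in the thread.
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T00:00:01.000000+0000","flow_id":101,"event_type":"alert","src_ip":"127.0.0.1","dest_ip":"127.0.0.1","proto":"UDP","app_proto":"dns","alert":{"signature":"ET DNS Excessive NXDOMAIN responses - Possible DNS Backscatter or Domain Generation Algorithm Lookups","signature_id":9000001},"dns":{"query":[{"rrname":"abc.example","rrtype":"A"}],"answer":{"rcode":"NXDOMAIN"}}}
{"timestamp":"2024-01-01T00:00:02.000000+0000","flow_id":102,"event_type":"alert","src_ip":"127.0.0.1","dest_ip":"127.0.0.1","proto":"UDP","app_proto":"dns","alert":{"signature":"ET POLICY Unusual number of DNS No Such Name Responses","signature_id":9000002}}
{"timestamp":"2024-01-01T00:00:02.000100+0000","flow_id":102,"event_type":"dns","src_ip":"127.0.0.1","dest_ip":"127.0.0.1","proto":"UDP","dns":{"type":"answer","rrname":"xxxtf1.fr","rcode":"NXDOMAIN"}}
{"timestamp":"2024-01-01T00:00:03.000000+0000","flow_id":103,"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP","app_proto":"http","alert":{"signature":"ET POLICY Credit Card Number Detected in Clear (16 digit spaced)","signature_id":2001375},"http":{"hostname":"shop.example","url":"/checkout"}}
{"timestamp":"2024-01-01T00:00:04.000000+0000","flow_id":104,"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"UDP","alert":{"signature":"ET POLICY Unusual number of DNS No Such Name Responses","signature_id":9000002}}
"""


def parse_eve(text):
    """EVE is one JSON object per line; skip torn or empty lines instead of failing."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def find_context_gaps(events):
    """Return (flow_id, signature_id, reason) for alert records that carry
    less context than their app_proto or rule name implies."""
    gaps = []
    for ev in events:
        if ev.get("event_type") != "alert":
            continue
        alert = ev.get("alert", {})
        sig = alert.get("signature", "")
        sid = alert.get("signature_id")
        proto = ev.get("app_proto")
        key = APP_LAYER_KEYS.get(proto)
        if key and key not in ev:
            gaps.append((ev.get("flow_id"), sid, f"app_proto={proto} but no '{key}' object"))
        elif "DNS" in sig.upper() and proto != "dns":
            # The rule name promises DNS context, but the flow was not classified
            # as DNS, so there is nothing DNS-shaped for the alert record to log.
            gaps.append((ev.get("flow_id"), sid, f"DNS-named rule fired with app_proto={proto!r}"))
    return gaps


def gaps_by_signature(events):
    """Count context gaps per rule so the noisiest offenders surface first."""
    sid_to_name = {}
    for ev in events:
        if ev.get("event_type") == "alert":
            a = ev.get("alert", {})
            sid_to_name[a.get("signature_id")] = a.get("signature", "")
    return Counter(sid_to_name[sid] for _, sid, _ in find_context_gaps(events))


def recover_dns_names(events):
    """For gap alerts, look up dns events on the same flow_id and return
    {flow_id: [rrname, ...]}; the name is often present in the dns record
    even when the alert record omits it."""
    names = defaultdict(list)
    for ev in events:
        if ev.get("event_type") == "dns":
            rrname = ev.get("dns", {}).get("rrname")
            if rrname:
                names[ev.get("flow_id")].append(rrname)
    return {fid: names[fid] for fid, _, _ in find_context_gaps(events) if fid in names}


if __name__ == "__main__":
    evs = parse_eve(SAMPLE_EVE)
    for gap in find_context_gaps(evs):
        print(gap)
    print(gaps_by_signature(evs))
    print(recover_dns_names(evs))
```

Run against a real eve.json by replacing SAMPLE_EVE with the file contents; a non-empty result from gaps_by_signature is the kind of quantified evidence (which rules, how often, on which app_proto) that makes a report like this one reproducible, and recover_dns_names shows whether the missing name can be joined back from the dns event type while the alert record itself is being fixed.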