Project

General

Profile

Actions

Bug #7004

open

app-layer: wrong tx may be logged for stream rules

Added by Jason Ish 8 months ago. Updated 7 months ago.

Status:
In Progress
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

[Private as it discusses an issue where DNS transactions are missed]

In IDS mode, transaction handling appears to be off, and there exists a discrepancy between IDS and IPS modes. While pointed out in PGSQL, I believe DNS presents a simpler reproduction case just being a simpler protocol with less state.

The test PCAP (dns-tcp-multi-5.pcap) contains 1 TCP session with 3 DNS requests/responses, in order.
- 1) Request/response for suricata.io
- 2) Request/response for oisf.net
- 3) Request/response for google.com

One rule is used:

alert dns any any -> any any (msg:"DNS suricata"; content:"suricata"; sid:1; rev:1;)

Issue 1. IDS Mode

Using a default Suricata configuration:

suricata -S test.rules -r dns-tcp-multi-5.pcap

Observations:
- 2 alerts, logged matching on the "suricata" in the DNS stream
- The transaction in both alerts contain the data from the 3rd transaction, which is for "google.com", which is misleading.

Issue:
- The wrong transaction data is logged. This is very similar to what is being seen in #7000.

Issue 2. IPS Mode

Run the same test above, but in IPS simulation mode:

suricata -S test.rules -r dns-tcp-multi-5.pcap --simulate-ips

Observations:
- 6 alerts logged, one for each request and response
- Given the alert, and pcap_cnt, the tx data seems to be correct. TX data for each request and response is seen.

Issue:
- One might expect to get only 2 alerts in this scenario.

Summary

Being a stream rule there is no direct correlation between the match and the transaction logged. Generally logging the wrong data is worse than not logging it at all, so one idea would be to not log the transaction data in this case. For DNS, most TCP DNS sessions contain one transaction, so maybe in some cases we know we're going to log the correct tx, but in others we know it might not be the correct transaction.

I'm not sure about the IPS issue, I brought it up as it differs from IDS mode, but may be a separate issue.


Files

dns-tcp-multi-other.pcap (1.16 KB) dns-tcp-multi-other.pcap Jason Ish, 05/02/2024 05:20 PM
dns-tcp-multi-4.pcap (1.82 KB) dns-tcp-multi-4.pcap Jason Ish, 05/02/2024 05:20 PM
dns-udp-multi.pcap (622 Bytes) dns-udp-multi.pcap Jason Ish, 05/02/2024 05:20 PM
dns-tcp-multi.pcap (1.42 KB) dns-tcp-multi.pcap Jason Ish, 05/02/2024 05:20 PM
test.rules (85 Bytes) test.rules Jason Ish, 05/02/2024 05:21 PM
eve-rules-2-3.json (4.73 KB) eve-rules-2-3.json Juliana Fajardini Reichow, 05/09/2024 07:52 PM
eve-more-tx-ids-et-rules.json (6.24 KB) eve-more-tx-ids-et-rules.json Juliana Fajardini Reichow, 05/09/2024 07:52 PM
20240512_184916.jpg (4.05 MB) 20240512_184916.jpg attempt at picturing DNS transaction seen in dns-tcp-multi, in IDS mode Juliana Fajardini Reichow, 05/12/2024 09:56 PM
dns-tcp-multi-5.pcap (1.47 KB) dns-tcp-multi-5.pcap Jason Ish, 06/04/2024 03:50 PM

Related issues 3 (1 open2 closed)

Related to Suricata - Bug #7000: pgsql: trigger raw stream reassemblyClosedJuliana Fajardini ReichowActions
Related to Suricata - Optimization #7018: dns/tcp: allow triggering raw stream reassemblyClosedJuliana Fajardini ReichowActions
Related to Suricata - Optimization #7026: app-protos: trigger raw stream reassemblyNewOISF DevActions
Actions

Also available in: Atom PDF