Support #7281

open

DNS Alerts Only Triggering on UDP, Not TCP – Is This Normal?

Added by Carlos Melero 3 months ago. Updated 3 months ago.

Status:
New
Priority:
Normal
Assignee:
Affected Versions:
Label:

Description

Hi everyone,

I'm a beginner with Security Onion, so I hope I'm asking this the right way!

I'm using Security Onion with Suricata running in Docker (version 7.0.6). I’ve noticed that DNS-related alerts are only being generated when the protocol is UDP, but not for TCP.

Is this expected behavior, or could it be a bug or misconfiguration on my end?

Any help or guidance would be greatly appreciated.

Thank you in advance!

Best regards,
Carlos

Actions #1

Updated by Jason Ish 3 months ago

  • Tracker changed from Bug to Support
  • Target version deleted (TBD)

This is not normal, and we have many tests to show that it does work on TCP.

I'd first try reaching out via Security Onion support channels, I'm pretty sure they are not using a default configuration so they may be able to provide further insight.

Actions #2

Updated by Carlos Melero 3 months ago

Thank you Jason, I have already asked the SO community.

This is the info I have seen in SO:

I can see in the dashboard this event:

@timestamp 2024-09-26T06:25:08.312Z
@Version 1
client.ip 10.1.100.51
client.port 60874
container.id dns.log
data_stream.dataset zeek
data_stream.namespace so
data_stream.type logs
destination.geo.continent_name North America
destination.geo.country_iso_code US
destination.geo.country_name United States
destination.geo.ip 8.8.8.8
destination.geo.location.lat 37.751
destination.geo.location.lon -97.822
destination.geo.timezone America/Chicago
destination.ip 8.8.8.8
destination.port 53
destination_geo.asn 15169
destination_geo.ip 8.8.8.8
destination_geo.network 8.8.8.0/24
destination_geo.organization_name GOOGLE
dns.answers.name [ "34.117.59.81"]
dns.authoritative false
dns.highest_registered_domain ipinfo.io
dns.id 53784
dns.parent_domain ipinfo
dns.parent_domain_length 6
dns.query.class 1
dns.query.class_name C_INTERNET
dns.query.length 9
dns.query.name ipinfo.io
dns.query.rejected false
dns.query.type 1
dns.query.type_name A
dns.recursion.available true
dns.recursion.desired true
dns.reserved 0
dns.response.code 0
dns.response.code_name NOERROR
dns.top_level_domain io
dns.truncated false
dns.ttls [ 49]
ecs.version 8.0.0
elastic_agent.id 4a0cb520-ca78-40e9-b66e-90f2de36ad30
elastic_agent.snapshot false
elastic_agent.version 8.10.4
event.category network
event.dataset zeek.dns
event.duration 0.00477290153503418
event.ingested 2024-09-26T06:25:09.860Z
event.module zeek
input.type log
log.file.path /nsm/zeek/logs/current/dns.log
log.id.uid CTLwA199ELJSuRBMj
log.offset 10350889
message {"ts":1727331908.312627,"uid":"CTLwA199ELJSuRBMj","id.orig_h":"10.1.100.51","id.orig_p":60874,"id.resp_h":"8.8.8.8","id.resp_p":53,"proto":"udp","trans_id":53784,"rtt":0.00477290153503418,"query":"ipinfo.io","qclass":1,"qclass_name":"C_INTERNET","qtype":1,"qtype_name":"A","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":true,"RA":true,"Z":0,"answers":["34.117.59.81"],"TTLs":[49.0],"rejected":false}

metadata.beat filebeat
metadata.input.beats.host.ip 10.1.82.100
metadata.input_id logfile-logs-zeek-logs
metadata.pipeline zeek.dns
metadata.raw_index logs-zeek-so
metadata.stream_id logfile-log.logs-zeek-logs
metadata.type _doc
metadata.version 8.10.4
network.community_id 1:+fZHWkfe5Y1Nl657JLMMV7nBpy4=
network.transport udp
observer.name sv-xxxxxx
pipeline dns
server.ip 8.8.8.8
server.port 53
source.ip 10.1.100.51
source.port 60874
tags [ "elastic-agent", "input-sv-xxxxxxx", "beats_input_codec_plain_applied", "dns"]
soc_id 2WwBLZIBLSa1K9HLSXd7
soc_score 10.0261345
soc_type
soc_timestamp 2024-09-26T06:25:08.312Z
soc_source sv-xxxxxx:.ds-logs-zeek-so-2024.08.29-000001

And this alert:

@timestamp 2024-09-26T06:25:08.312Z
@Version 1
data_stream.dataset suricata
data_stream.namespace so
data_stream.type logs
destination.geo.continent_name North America
destination.geo.country_iso_code US
destination.geo.country_name United States
destination.geo.ip 8.8.8.8
destination.geo.location.lat 37.751
destination.geo.location.lon -97.822
destination.geo.timezone America/Chicago
destination.ip 8.8.8.8
destination.port 53
destination_geo.asn 15169
destination_geo.ip 8.8.8.8
destination_geo.network 8.8.8.0/24
destination_geo.organization_name GOOGLE
ecs.version 8.0.0
elastic_agent.id 4a0cb520-ca78-40e9-b66e-90f2de36ad30
elastic_agent.snapshot false
elastic_agent.version 8.10.4
event.category network
event.dataset suricata.alert
event.ingested 2024-09-26T06:25:15.991Z
event.module suricata
event.severity 2
event.severity_label medium
input.type log
log.file.path /nsm/suricata/eve-2024-09-26-05:51.json
log.id.uid 1342726876629227
log.offset 1246133
message {"timestamp":"2024-09-26T06:25:08.312627+0000","flow_id":1342726876629227,"in_iface":"bond0","event_type":"alert","vlan":[1],"src_ip":"10.1.100.51","src_port":60874,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","pkt_src":"wire/pcap","community_id":"1:+fZHWkfe5Y1Nl657JLMMV7nBpy4=","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2054168,"rev":1,"signature":"ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)","category":"Device Retrieving External IP Address Detected","severity":2,"metadata":{"affected_product":["Any"],"attack_target":["Client_and_Server"],"confidence":["High"],"created_at":["2024_06_28"],"deployment":["Perimeter"],"performance_impact":["Low"],"signature_severity":["Informational"],"tag":["External_IP_Lookup"],"updated_at":["2024_06_28"]},"rule":"alert dns $HOME_NET any -> any any (msg:"ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)"; dns.query; bsize:9; content:"ipinfo.io"; nocase; reference:url,github.com/chubin/awesome-console-services; classtype:external-ip-check; sid:2054168; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2024_06_28, deployment Perimeter, performance_impact Low, confidence High, signature_severity Informational, tag External_IP_Lookup, updated_at 2024_06_28;)"},"app_proto":"dns","direction":"to_server","payload_printable":".............ipinfo.io.......)........","stream":0,"packet":"AABeAAEBkLEcN2IqgQAAAQgARQAAQuUUAACAEddSCgFkMwgICAjtygA1AC7wv9IYAQAAAQAAAAAAAQZpcGluZm8CaW8AAAEAAQAAKQ+gAAAAAAAA","packet_info":{"linktype":1}}
metadata.beat filebeat
metadata.input.beats.host.ip 10.1.82.100
metadata.input_id logfile-logs-3c2f526b-bce7-494c-95fd-f3f8d5b73dbd
metadata.pipeline suricata.common
metadata.raw_index logs-suricata-so
metadata.stream_id logfile-log.logs-3c2f526b-bce7-494c-95fd-f3f8d5b73dbd
metadata.type _doc
metadata.version 8.10.4
network.community_id 1:+fZHWkfe5Y1Nl657JLMMV7nBpy4=
network.data.decoded .............ipinfo.io.......)........
network.packet_source wire/pcap
network.transport UDP
network.vlan.id [ 1]
observer.ingress.interface.name bond0
observer.name sv-xxxxxxx
rule.action allowed
rule.category Device Retrieving External IP Address Detected
rule.gid 1
rule.metadata.affected_product [ "Any"]
rule.metadata.attack_target [ "Client_and_Server"]
rule.metadata.confidence [ "High"]
rule.metadata.created_at [ "2024_06_28"]
rule.metadata.deployment [ "Perimeter"]
rule.metadata.performance_impact [ "Low"]
rule.metadata.signature_severity [ "Informational"]
rule.metadata.tag [ "External_IP_Lookup"]
rule.metadata.updated_at [ "2024_06_28"]
rule.name ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)
rule.reference https://community.emergingthreats.net
rule.rev 1
rule.rule alert dns $HOME_NET any -> any any (msg:"ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)"; dns.query; bsize:9; content:"ipinfo.io"; nocase; reference:url,github.com/chubin/awesome-console-services; classtype:external-ip-check; sid:2054168; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2024_06_28, deployment Perimeter, performance_impact Low, confidence High, signature_severity Informational, tag External_IP_Lookup, updated_at 2024_06_28;)
rule.ruleset Emerging Threats
rule.severity 2
rule.uuid 2054168
source.ip 10.1.100.51
source.port 60874
tags [ "alert", "alert"]
soc_id dWwBLZIBLSa1K9HLY3nn
soc_score 2
soc_type
soc_timestamp 2024-09-26T06:25:08.312Z
soc_source sv-xxx:.ds-logs-suricata.alerts-so-2024.09.26-000028

I can see this other event. It's not generating any alert. It is (to my eyes) exactly the same; only the IP and port change, and it's using TCP instead of UDP:

@timestamp 2024-09-26T06:27:45.235Z
@Version 1
client.ip 10.1.80.84
client.port 59333
container.id dns.log
data_stream.dataset zeek
data_stream.namespace so
data_stream.type logs
destination.geo.continent_name North America
destination.geo.country_iso_code US
destination.geo.country_name United States
destination.geo.ip 8.8.8.8
destination.geo.location.lat 37.751
destination.geo.location.lon -97.822
destination.geo.timezone America/Chicago
destination.ip 8.8.8.8
destination.port 53
destination_geo.asn 15169
destination_geo.ip 8.8.8.8
destination_geo.network 8.8.8.0/24
destination_geo.organization_name GOOGLE
dns.answers.name [ "34.117.59.81"]
dns.authoritative false
dns.highest_registered_domain ipinfo.io
dns.id 40264
dns.parent_domain ipinfo
dns.parent_domain_length 6
dns.query.class 1
dns.query.class_name C_INTERNET
dns.query.length 9
dns.query.name ipinfo.io
dns.query.rejected false
dns.query.type 1
dns.query.type_name A
dns.recursion.available true
dns.recursion.desired true
dns.reserved 0
dns.response.code 0
dns.response.code_name NOERROR
dns.top_level_domain io
dns.truncated false
dns.ttls [ 33]
ecs.version 8.0.0
elastic_agent.id 4a0cb520-ca78-40e9-b66e-90f2de36ad30
elastic_agent.snapshot false
elastic_agent.version 8.10.4
event.category network
event.dataset zeek.dns
event.duration 0.004307985305786133
event.ingested 2024-09-26T06:27:47.036Z
event.module zeek
input.type log
log.file.path /nsm/zeek/logs/current/dns.log
log.id.uid CAPymf4J84E5cW0dp8
log.offset 11742813
message {"ts":1727332065.235076,"uid":"CAPymf4J84E5cW0dp8","id.orig_h":"10.1.80.84","id.orig_p":59333,"id.resp_h":"8.8.8.8","id.resp_p":53,"proto":"tcp","trans_id":40264,"rtt":0.004307985305786133,"query":"ipinfo.io","qclass":1,"qclass_name":"C_INTERNET","qtype":1,"qtype_name":"A","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":true,"RA":true,"Z":0,"answers":["34.117.59.81"],"TTLs":[33.0],"rejected":false}
metadata.beat filebeat
metadata.input.beats.host.ip 10.1.82.100
metadata.input_id logfile-logs-zeek-logs
metadata.pipeline zeek.dns
metadata.raw_index logs-zeek-so
metadata.stream_id logfile-log.logs-zeek-logs
metadata.type _doc
metadata.version 8.10.4
network.community_id 1:KU/qz7AiOBS7REm5Wz8m5hmcszM=
network.transport tcp
observer.name sv-xxxxxxx
pipeline dns
server.ip 8.8.8.8
server.port 53
source.ip 10.1.80.84
source.port 59333
tags [ "elastic-agent", "input-sv-xxxxxxx", "beats_input_codec_plain_applied", "dns"]
soc_id B2wDLZIBLSa1K9HLrqpJ
soc_score 10.060717
soc_type
soc_timestamp 2024-09-26T06:27:45.235Z
soc_source sv-xxxxxxx:.ds-logs-zeek-so-2024.08.29-000001

The HOME_NET is 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12

There are many events like these, all with the same behavior. Alerts are created only when the protocol is TCP or... anything else I can't see.

Regards
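Added example, not part of the original post and not Suricata's own code: it decodes the base64 `packet` field from the UDP alert shown above (copied from this page), pulls out the DNS question, and models what rule 2054168's match does (`dns.query; bsize:9; content:"ipinfo.io"; nocase`). It then re-frames the same DNS message the way it travels over TCP (RFC 1035 section 4.2.2: a 2-byte length prefix per message), which is constructed here, and shows that the rule logic is identical once that framing is removed. The point for the reporter's question: the rule is transport-agnostic, so a TCP-only gap would sit in the TCP stream or app-layer DNS parsing path, not in the signature. The parser functions and the model of the rule are this example's own simplifications.

```python
import base64
import socket
import struct

# Copied from the "packet" field of the Suricata UDP alert on this page
# (linktype 1: Ethernet, 802.1Q tagged, IPv4, UDP, 10.1.100.51:60874 -> 8.8.8.8:53).
PAGE_ALERT_PACKET_B64 = "AABeAAEBkLEcN2IqgQAAAQgARQAAQuUUAACAEddSCgFkMwgICAjtygA1AC7wv9IYAQAAAQAAAAAAAQZpcGluZm8CaW8AAAEAAQAAKQ+gAAAAAAAA"


def parse_dns_qname(msg, offset=12):
    """Return (qname, next_offset) for the first question in a DNS message.
    The question section of a query carries no compression pointers; treat one as an error."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def dns_from_udp_frame(frame):
    """Strip Ethernet (+802.1Q), IPv4 and UDP headers; return (flow info, DNS message)."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    l3, vlan = 14, None
    if ethertype == 0x8100:  # 802.1Q tag: TCI then the real ethertype
        vlan = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        ethertype = struct.unpack("!H", frame[16:18])[0]
        l3 = 18
    if ethertype != 0x0800:
        raise ValueError("not IPv4")
    ihl = (frame[l3] & 0x0F) * 4
    if frame[l3 + 9] != 17:
        raise ValueError("not UDP")
    src = socket.inet_ntoa(frame[l3 + 12:l3 + 16])
    dst = socket.inet_ntoa(frame[l3 + 16:l3 + 20])
    l4 = l3 + ihl
    sport, dport, ulen = struct.unpack("!HHH", frame[l4:l4 + 6])
    dns = frame[l4 + 8:l4 + ulen]
    return {"vlan": vlan, "src": src, "sport": sport, "dst": dst, "dport": dport}, dns


def dns_from_tcp_stream(stream):
    """DNS over TCP prefixes every message with a 2-byte length (RFC 1035 4.2.2).
    Return the de-framed messages; this is the step a TCP detection path must do first."""
    off, msgs = 0, []
    while off + 2 <= len(stream):
        (mlen,) = struct.unpack("!H", stream[off:off + 2])
        off += 2
        msgs.append(stream[off:off + mlen])
        off += mlen
    return msgs


def rule_2054168_matches(dns_msg):
    """Model of `dns.query; bsize:9; content:"ipinfo.io"; nocase;`.
    dns.query is the decoded query name, so bsize applies to the name, not the packet."""
    try:
        qname, _ = parse_dns_qname(dns_msg)
    except (ValueError, IndexError):
        return False
    return len(qname) == 9 and qname.lower() == "ipinfo.io"


def demo():
    frame = base64.b64decode(PAGE_ALERT_PACKET_B64)
    flow, udp_dns = dns_from_udp_frame(frame)
    txid, flags = struct.unpack("!HH", udp_dns[:4])
    # Constructed: the same DNS message as it would appear inside a TCP stream.
    tcp_stream = struct.pack("!H", len(udp_dns)) + udp_dns
    tcp_dns = dns_from_tcp_stream(tcp_stream)[0]
    return {
        "flow": flow,
        "txid": txid,
        "flags": flags,
        "dns_len": len(udp_dns),
        "qname": parse_dns_qname(udp_dns)[0],
        "udp_match": rule_2054168_matches(udp_dns),
        "tcp_match": rule_2054168_matches(tcp_dns),
        # Feeding the raw TCP bytes without de-framing shifts every offset,
        # so the same rule cannot match: the transport framing has to be handled first.
        "tcp_unframed_match": rule_2054168_matches(tcp_stream),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

To reproduce on a sensor, run `dig +tcp ipinfo.io @8.8.8.8` from a host inside HOME_NET and look in eve.json for sid 2054168 with `"proto":"TCP"`; if only the UDP variant appears, check that `app-layer.protocols.dns.tcp.enabled` is not disabled in the running suricata.yaml (Security Onion ships its own configuration) and compare the `app_layer.flow.dns_tcp` and `dns_udp` counters in stats.log, since a DNS transaction that is never parsed on TCP can never populate the `dns.query` buffer.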
