Bug #7574

open

SURICATA DNS malformed request data from macOS to Active Directory DNS server

Added by Orion Poplawski about 1 month ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

We are seeing this alert triggered by SOA record requests from a macOS client to our AD DNS server. pcap attached.

{"timestamp":"2025-03-03T14:00:48.850734-0700","flow_id":262106604897803,"in_iface":"ovpns4","event_type":"alert","src_ip":"10.11.2.178","src_port":55840,"dest_ip":"10.10.11.10","dest_port":53,"proto":"TCP","pkt_src":"wire/pcap","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2240002,"rev":2,"signature":"SURICATA DNS malformed request data","category":"Generic Protocol Command Decode","severity":3},"dns":{"version":2,"query":[{"type":"query","id":51417,"rrname":"ad.nwra.com","rrtype":"SOA","tx_id":0,"opcode":5}]},"app_proto":"dns","direction":"to_server","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":386,"bytes_toclient":326,"start":"2025-03-03T14:00:48.650850-0700","src_ip":"10.11.2.178","dest_ip":"10.10.11.10","src_port":55840,"dest_port":53},"payload":"AJTI2SgAAAEAAAABAAECYWQEbndyYQNjb20AAAYAAQVvdHRlcsAMAP8A/wAAAAAAAAo0MTA4NTA4Njc5DHNpZy1hZC1ibGQwMQJhZARud3JhA2NvbQAA+gD/AAAAAAA2CGdzcy10c2lnAAAAZ8YYgAEsABwEBAT//////wAAAAAMvHNE4pH0lq9PnN5cOm1nyNkAAAAA","payload_printable":"....(..........ad.nwra.com......otter............\n4108508679.sig-ad-bld01.ad.nwra.com..........6.gss-tsig...g....,................sD.....O..\\:mg......","stream":1,"packet":"AgAAAEUAADQAAEAAQAYY9AoLArIKCgsK2iAANUb4jjP/8Pe1gBAICUBZAAABAQgK6JN25VKgs0g=","packet_info":{"linktype":0}}
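The EVE record above carries the whole DNS message in its "payload" field, so a triager can decode it offline instead of reopening the pcap. The following script is an added example, not part of the bug report and not Suricata code: it base64-decodes that exact payload (TCP DNS, so it starts with a two-byte length prefix), walks the header, zone, prerequisite, update and additional sections as laid out in RFC 2136, and parses the TSIG RDATA (RFC 8945) found in the additional section. The helper names and the returned dictionary layout are this example's own choices; the byte string is copied verbatim from the alert.

```python
"""Decode the base64 "payload" from the Suricata bug #7574 EVE alert and show
what the DNS message actually contains.  Added example, not code from the bug
report or from Suricata; field names below are this example's own."""
import base64
import struct

# "payload" field copied verbatim from the EVE alert in the bug report.
PAYLOAD_B64 = ("AJTI2SgAAAEAAAABAAECYWQEbndyYQNjb20AAAYAAQVvdHRlcsAMAP8A/wAAAAAAAAo0MTA4NTA4"
               "Njc5DHNpZy1hZC1ibGQwMQJhZARud3JhA2NvbQAA+gD/AAAAAAA2CGdzcy10c2lnAAAAZ8YYgAEs"
               "ABwEBAT//////wAAAAAMvHNE4pH0lq9PnN5cOm1nyNkAAAAA")

OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}
TYPE_SOA, TYPE_TSIG, TYPE_ANY = 6, 250, 255


def read_name(msg, off):
    """Read a possibly compressed domain name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            if not jumped:
                end = off + 2                          # the name ends after the first pointer
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_tsig(msg, off):
    """TSIG RDATA: algorithm name, 48-bit time signed, fudge, MAC, original ID, error, other."""
    alg, off = read_name(msg, off)
    time_hi, time_lo, fudge, mac_size = struct.unpack_from("!HIHH", msg, off)
    off += 10
    mac = msg[off:off + mac_size]
    off += mac_size
    orig_id, error, other_len = struct.unpack_from("!HHH", msg, off)
    return {"algorithm": alg, "time_signed": (time_hi << 32) | time_lo, "fudge": fudge,
            "mac": mac, "original_id": orig_id, "error": error, "other_len": other_len}


def read_rr(msg, off):
    """Read one resource record; TSIG records get their RDATA decoded as well."""
    name, off = read_name(msg, off)
    rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
    off += 10
    rr = {"name": name, "type": rtype, "class": rclass, "ttl": ttl, "rdata": msg[off:off + rdlen]}
    if rtype == TYPE_TSIG:
        rr["tsig"] = parse_tsig(msg, off)
    return rr, off + rdlen


def decode_dns_tcp(b64):
    """Decode a base64 TCP DNS payload into header fields and the four RFC 2136 sections."""
    raw = base64.b64decode(b64)
    (length,) = struct.unpack_from("!H", raw, 0)       # TCP length prefix
    msg = raw[2:2 + length]
    ident, flags, zo, pr, up, ad = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    zones = []                                          # zone section has the question layout
    for _ in range(zo):
        name, off = read_name(msg, off)
        ztype, zclass = struct.unpack_from("!HH", msg, off)
        off += 4
        zones.append({"name": name, "type": ztype, "class": zclass})
    sections = {}
    for label, count in (("prerequisite", pr), ("update", up), ("additional", ad)):
        rrs = []
        for _ in range(count):
            rr, off = read_rr(msg, off)
            rrs.append(rr)
        sections[label] = rrs
    return {"id": ident, "opcode": OPCODES.get((flags >> 11) & 0xF, "?"), "zone": zones,
            **sections, "length": length, "consumed": off}


if __name__ == "__main__":
    m = decode_dns_tcp(PAYLOAD_B64)
    print(f"id={m['id']} opcode={m['opcode']} zone={m['zone']} "
          f"bytes={m['length']} parsed={m['consumed']}")
    for sec in ("prerequisite", "update", "additional"):
        for rr in m[sec]:
            print(f"{sec}: {rr['name']} type={rr['type']} class={rr['class']} "
                  f"ttl={rr['ttl']} rdlen={len(rr['rdata'])} tsig={rr.get('tsig')}")
```

Running it shows that the message the alert summarises as an SOA "query" is an UPDATE (opcode 5) whose zone section names ad.nwra.com, whose update section deletes all RRsets at otter.ad.nwra.com (type ANY, class ANY, TTL 0, empty RDATA), and whose additional section is a gss-tsig TSIG record signed at the same second as the alert timestamp. The parser consumes exactly the 148 bytes the length prefix announces, which is the first thing to check when deciding whether an alert reflects a truncated or oversized message or a decoder limitation.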


Files

mac-ad-dns.pcap.gz (69.9 KB) mac-ad-dns.pcap.gz Orion Poplawski, 03/03/2025 09:23 PM
