Bug #7574
openSURICATA DNS malformed request data from macOS to Active Directory DNS server
Description
We are seeing this alert triggered by SOA record requests from a macOS client to our AD DNS server. Note that the logged transaction has `"opcode":5` (a dynamic UPDATE, RFC 2136) whose zone section names the SOA, and the decoded `payload` carries a `gss-tsig` TSIG record in the additional section, so the decoder appears to be flagging a TSIG-signed dynamic update rather than a plain SOA query. A pcap is attached.
{"timestamp":"2025-03-03T14:00:48.850734-0700","flow_id":262106604897803,"in_iface":"ovpns4","event_type":"alert","src_ip":"10.11.2.178","src_port":55840,"dest_ip":"10.10.11.10","dest_port":53,"proto":"TCP","pkt_src":"wire/pcap","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2240002,"rev":2,"signature":"SURICATA DNS malformed request data","category":"Generic Protocol Command Decode","severity":3},"dns":{"version":2,"query":[{"type":"query","id":51417,"rrname":"ad.nwra.com","rrtype":"SOA","tx_id":0,"opcode":5}]},"app_proto":"dns","direction":"to_server","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":386,"bytes_toclient":326,"start":"2025-03-03T14:00:48.650850-0700","src_ip":"10.11.2.178","dest_ip":"10.10.11.10","src_port":55840,"dest_port":53},"payload":"AJTI2SgAAAEAAAABAAECYWQEbndyYQNjb20AAAYAAQVvdHRlcsAMAP8A/wAAAAAAAAo0MTA4NTA4Njc5DHNpZy1hZC1ibGQwMQJhZARud3JhA2NvbQAA+gD/AAAAAAA2CGdzcy10c2lnAAAAZ8YYgAEsABwEBAT//////wAAAAAMvHNE4pH0lq9PnN5cOm1nyNkAAAAA","payload_printable":"....(..........ad.nwra.com......otter............\n4108508679.sig-ad-bld01.ad.nwra.com..........6.gss-tsig...g....,................sD.....O..\\:mg......","stream":1,"packet":"AgAAAEUAADQAAEAAQAYY9AoLArIKCgsK2iAANUb4jjP/8Pe1gBAICUBZAAABAQgK6JN25VKgs0g=","packet_info":{"linktype":0}}