Project

General

Profile

Actions
Copy link

Bug #856

closed

FP on new Suricata git dns decoder

Added by rmkml rmkml over 11 years ago. Updated about 7 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hi,

Congrats for hard work on new git (yesterday) dns decoder,
but I have FP with it :

Joigned pcap file,

suricata-git4jul2013 -c suricata.yaml_dns -r suricatafpdnsdecoder.pcap
(only dns-events.rules and enabled dns log)

FP on log/fast.log:
07/04/2013-21:47:51.585903 [**] [1:2240006:1] SURICATA DNS Z flag set [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.42.129:53 -> 192.168.42.150:55597
07/04/2013-21:47:51.585903 [**] [1:2240005:1] SURICATA DNS Not a response [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.42.129:53 -> 192.168.42.150:55597
07/04/2013-21:47:51.585903 [**] [1:2240002:1] SURICATA DNS malformed request data [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.42.129:53 -> 192.168.42.150:55597
07/04/2013-21:47:51.585903 [**] [1:2240001:1] SURICATA DNS Unsollicited response [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.42.129:53 -> 192.168.42.150:55597

more log/dns.log:
07/04/2013-21:47:51.585903 [**] Response TX 64b7 [**] static.programme-tv.net [**] CNAME [**] TTL 630 [**] programme-tv.net.edgesuite.net [**] 192.168.42.129:53 -> 192.168.42.150:55597
07/04/2013-21:47:51.585903 [**] Response TX 64b7 [**] programme-tv.net.edgesuite.net [**] CNAME [**] TTL 20432 [**] a1859.g.akamai.net [**] 192.168.42.129:53 -> 192.168.42.150:55597
07/04/2013-21:47:51.585903 [**] Response TX 64b7 [**] g.akamai.net [**] SOA [**] TTL 1000 [**] n0g.akamai.net [**] 192.168.42.129:53 -> 192.168.42.150:55597

tshark output:
1 21:47:51.442123 192.168.42.150 -> 192.168.42.129 DNS Standard query 0xe71d A static.programme-tv.net
2 21:47:51.442148 192.168.42.150 -> 192.168.42.129 DNS Standard query 0x64b7 AAAA static.programme-tv.net
3 21:47:51.585903 192.168.42.129 -> 192.168.42.150 DNS Standard query response 0xe71d CNAME programme-tv.net.edgesuite.net CNAME a1859.g.akamai.net A 90.84.55.48 A 90.84.55.64
4 21:47:51.592983 192.168.42.129 -> 192.168.42.150 DNS Standard query response 0x64b7 CNAME programme-tv.net.edgesuite.net CNAME a1859.g.akamai.net

07/04/2013-21:47:51.585903 contains dns standard query response without DNS Z flag set.

Regards
@rmkml rmkml

Files

suricatafpdnsdecoder.pcap (653 Bytes) suricatafpdnsdecoder.pcap rmkml rmkml, 07/06/2013 06:45 AM
Actions
Copy link
 #1

Updated by rmkml rmkml over 11 years ago

Joigned pcap file.

Actions
Copy link
 #2

Updated by Victor Julien over 11 years ago

I can't reproduce this issue with this pcap. Peter, did you also have a pcap to show the issue?

I did see another issue though, our decoder seems to think pkt 2 is a teredo packet.

Actions
Copy link
 #3

Updated by Peter Manev over 11 years ago

1)
I can't reproduce it with the current git master either.

2)
On our test box I was seeing an insane amount of "Z flag" alerts with git master up to commit 92b7ffad6980da26d3faf789a804a8a12722bc7e

I notice it could be a problem to what it seemed a non Z flag dns packets - but I was addressing another issue and did not fully explore it.

Later this week I would double check that (since we are running some other tests at the moment on our test box and I can't stop Suri ).

I have tried running the pcap against the forementioned commit as well - no alerts, behaves as expected.

3)
I can confirm the teredo bug - it seems that the packet with the AAAA query is recognized as teredo.

Actions
Copy link
 #4

Updated by rmkml rmkml over 11 years ago

$ mkdir suricata_git7jul2013
$ cd suricata_git7jul2013
suricata_git7jul2013]$ git clone git://phalanx.openinfosecfoundation.org/oisf.git
...
suricata_git7jul2013]$ ./autogen.sh
suricata_git7jul2013]$ ./configure
suricata_git7jul2013]$ make
suricata_git7jul2013]$ git log
commit 6229bfab5e607edbf4f81ab6c87493d7729cec97
Author: Victor Julien <>
Date: Fri Jul 5 11:26:06 2013 +0200

DNS: rename dns.rules to dns-events.rules, include it in yaml
...

ok now small change on suricata.yaml (default-log-dir + disabled unified2 + enabled dns-log + default-rule-path + classification-file + reference-config-file)

$ export LD_LIBRARY_PATH=.../suricatagit7jul2013/libhtp/htp/.libs

$ .../suricata_git7jul2013/src/.libs/suricata -c suricata.yaml -r suricatafpdnsdecoder.pcap

$ more log/fast.log
07/04/2013-21:47:51.442123 [**] [1:2240006:1] SURICATA DNS Z flag set [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.42.150:55597 -> 192.168.42.129:53
07/04/2013-21:47:51.442123 [**] [1:2240004:1] SURICATA DNS Not a request [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.42.150:55597 -> 192.168.42.129:53
07/04/2013-21:47:51.442123 [**] [1:2240003:1] SURICATA DNS malformed response data [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.42.150:55597 -> 192.168.42.129:53
07/04/2013-21:47:51.585903 [**] [1:2240006:1] SURICATA DNS Z flag set [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.42.129:53 -> 192.168.42.150:55597
07/04/2013-21:47:51.585903 [**] [1:2240005:1] SURICATA DNS Not a response [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.42.129:53 -> 192.168.42.150:55597
07/04/2013-21:47:51.585903 [**] [1:2240002:1] SURICATA DNS malformed request data [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.42.129:53 -> 192.168.42.150:55597
07/04/2013-21:47:51.585903 [**] [1:2240001:1] SURICATA DNS Unsollicited response [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.42.129:53 -> 192.168.42.150:55597

$ more log/dns.log
07/04/2013-21:47:51.585903 [**] Response TX 64b7 [**] static.programme-tv.net [**] CNAME [**] TTL 630 [**] programme-tv.net.edgesuite.net [**] 192.168.42.129:53 -> 192.168.42.150:55597
07/04/2013-21:47:51.585903 [**] Response TX 64b7 [**] programme-tv.net.edgesuite.net [**] CNAME [**] TTL 20432 [**] a1859.g.akamai.net [**] 192.168.42.129:53 -> 192.168.42.150:55597
07/04/2013-21:47:51.585903 [**] Response TX 64b7 [**] g.akamai.net [**] SOA [**] TTL 1000 [**] n0g.akamai.net [**] 192.168.42.129:53 -> 192.168.42.150:55597

Actions
Copy link
 #5

Updated by Victor Julien about 11 years ago

  • Target version set to TBD
Actions
Copy link
 #6

Updated by Andreas Herz about 8 years ago

  • Assignee set to OISF Dev
Actions
Copy link
 #7

Updated by Victor Julien over 7 years ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Jason Ish
  • Target version changed from TBD to 70

Jason can you (re)check this as part of your DNS work?

Actions
Copy link
 #8

Updated by Victor Julien about 7 years ago

  • Status changed from Assigned to Closed
  • Assignee deleted (Jason Ish)
  • Target version deleted (70)

This works correctly now:

cat eve.json | jq -c 'select(.dns)|.dns'
{"type":"query","id":59165,"rrname":"static.programme-tv.net","rrtype":"A","tx_id":0}
{"type":"query","id":25783,"rrname":"static.programme-tv.net","rrtype":"AAAA","tx_id":1}
{"type":"answer","id":59165,"rcode":"NOERROR","rrname":"static.programme-tv.net","rrtype":"CNAME","ttl":630,"rdata":"programme-tv.net.edgesuite.net"}
{"type":"answer","id":59165,"rcode":"NOERROR","rrname":"programme-tv.net.edgesuite.net","rrtype":"CNAME","ttl":20432,"rdata":"a1859.g.akamai.net"}
{"type":"answer","id":59165,"rcode":"NOERROR","rrname":"a1859.g.akamai.net","rrtype":"A","ttl":14,"rdata":"90.84.55.48"}
{"type":"answer","id":59165,"rcode":"NOERROR","rrname":"a1859.g.akamai.net","rrtype":"A","ttl":14,"rdata":"90.84.55.64"}
{"type":"answer","id":25783,"rcode":"NOERROR","rrname":"static.programme-tv.net","rrtype":"CNAME","ttl":630,"rdata":"programme-tv.net.edgesuite.net"}
{"type":"answer","id":25783,"rcode":"NOERROR","rrname":"programme-tv.net.edgesuite.net","rrtype":"CNAME","ttl":20432,"rdata":"a1859.g.akamai.net"}
{"type":"answer","id":25783,"rcode":"NOERROR","rrname":"g.akamai.net","rrtype":"SOA","ttl":1000}

Actions
Copy link

Also available in: Atom PDF