Bug #856: FP on new Suricata git dns decoder - Suricata - Open Information Security Foundation

Actions

Copy link

#1

Updated by rmkml rmkml over 11 years ago

File suricatafpdnsdecoder.pcap suricatafpdnsdecoder.pcap added

Joigned pcap file.

Actions

Copy link

#2

Updated by Victor Julien over 11 years ago

I can't reproduce this issue with this pcap. Peter, did you also have a pcap to show the issue?

I did see another issue though, our decoder seems to think pkt 2 is a teredo packet.

Actions

Copy link

#3

Updated by Peter Manev over 11 years ago

1)
I can't reproduce it with the current git master either.

2)
On our test box I was seeing an insane amount of "Z flag" alerts with git master up to commit 92b7ffad6980da26d3faf789a804a8a12722bc7e

I notice it could be a problem to what it seemed a non Z flag dns packets - but I was addressing another issue and did not fully explore it.

Later this week I would double check that (since we are running some other tests at the moment on our test box and I can't stop Suri ).

I have tried running the pcap against the forementioned commit as well - no alerts, behaves as expected.

3)
I can confirm the teredo bug - it seems that the packet with the AAAA query is recognized as teredo.

Actions

Copy link

#4

Updated by rmkml rmkml over 11 years ago

$ mkdir suricata_git7jul2013
$ cd suricata_git7jul2013
suricata_git7jul2013]$ git clone git://phalanx.openinfosecfoundation.org/oisf.git
...
suricata_git7jul2013]$ ./autogen.sh
suricata_git7jul2013]$ ./configure
suricata_git7jul2013]$ make
suricata_git7jul2013]$ git log
commit 6229bfab5e607edbf4f81ab6c87493d7729cec97
Author: Victor Julien <victor@inliniac.net>
Date: Fri Jul 5 11:26:06 2013 +0200

DNS: rename dns.rules to dns-events.rules, include it in yaml
...

ok now small change on suricata.yaml (default-log-dir + disabled unified2 + enabled dns-log + default-rule-path + classification-file + reference-config-file)

$ export LD_LIBRARY_PATH=.../suricatagit7jul2013/libhtp/htp/.libs

$ .../suricata_git7jul2013/src/.libs/suricata -c suricata.yaml -r suricatafpdnsdecoder.pcap

$ more log/fast.log
07/04/2013-21:47:51.442123 [**] [1:2240006:1] SURICATA DNS Z flag set [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.42.150:55597 -> 192.168.42.129:53
07/04/2013-21:47:51.442123 [**] [1:2240004:1] SURICATA DNS Not a request [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.42.150:55597 -> 192.168.42.129:53
07/04/2013-21:47:51.442123 [**] [1:2240003:1] SURICATA DNS malformed response data [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.42.150:55597 -> 192.168.42.129:53
07/04/2013-21:47:51.585903 [**] [1:2240006:1] SURICATA DNS Z flag set [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.42.129:53 -> 192.168.42.150:55597
07/04/2013-21:47:51.585903 [**] [1:2240005:1] SURICATA DNS Not a response [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.42.129:53 -> 192.168.42.150:55597
07/04/2013-21:47:51.585903 [**] [1:2240002:1] SURICATA DNS malformed request data [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.42.129:53 -> 192.168.42.150:55597
07/04/2013-21:47:51.585903 [**] [1:2240001:1] SURICATA DNS Unsollicited response [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.42.129:53 -> 192.168.42.150:55597

$ more log/dns.log
07/04/2013-21:47:51.585903 [**] Response TX 64b7 [**] static.programme-tv.net [**] CNAME [**] TTL 630 [**] programme-tv.net.edgesuite.net [**] 192.168.42.129:53 -> 192.168.42.150:55597
07/04/2013-21:47:51.585903 [**] Response TX 64b7 [**] programme-tv.net.edgesuite.net [**] CNAME [**] TTL 20432 [**] a1859.g.akamai.net [**] 192.168.42.129:53 -> 192.168.42.150:55597
07/04/2013-21:47:51.585903 [**] Response TX 64b7 [**] g.akamai.net [**] SOA [**] TTL 1000 [**] n0g.akamai.net [**] 192.168.42.129:53 -> 192.168.42.150:55597

Actions

Copy link

#5

Updated by Victor Julien about 11 years ago

Target version set to TBD

Actions

Copy link

#6

Updated by Andreas Herz about 8 years ago

Assignee set to OISF Dev

Actions

Copy link

#7

Updated by Victor Julien over 7 years ago

Status changed from New to Assigned
Assignee changed from OISF Dev to Jason Ish
Target version changed from TBD to 70

Jason can you (re)check this as part of your DNS work?

Actions

Copy link

#8

Updated by Victor Julien about 7 years ago

Status changed from Assigned to Closed
Assignee deleted (~~Jason Ish~~)
Target version deleted (70)

This works correctly now:

cat eve.json | jq -c 'select(.dns)|.dns'
{"type":"query","id":59165,"rrname":"static.programme-tv.net","rrtype":"A","tx_id":0}
{"type":"query","id":25783,"rrname":"static.programme-tv.net","rrtype":"AAAA","tx_id":1}
{"type":"answer","id":59165,"rcode":"NOERROR","rrname":"static.programme-tv.net","rrtype":"CNAME","ttl":630,"rdata":"programme-tv.net.edgesuite.net"}
{"type":"answer","id":59165,"rcode":"NOERROR","rrname":"programme-tv.net.edgesuite.net","rrtype":"CNAME","ttl":20432,"rdata":"a1859.g.akamai.net"}
{"type":"answer","id":59165,"rcode":"NOERROR","rrname":"a1859.g.akamai.net","rrtype":"A","ttl":14,"rdata":"90.84.55.48"}
{"type":"answer","id":59165,"rcode":"NOERROR","rrname":"a1859.g.akamai.net","rrtype":"A","ttl":14,"rdata":"90.84.55.64"}
{"type":"answer","id":25783,"rcode":"NOERROR","rrname":"static.programme-tv.net","rrtype":"CNAME","ttl":630,"rdata":"programme-tv.net.edgesuite.net"}
{"type":"answer","id":25783,"rcode":"NOERROR","rrname":"programme-tv.net.edgesuite.net","rrtype":"CNAME","ttl":20432,"rdata":"a1859.g.akamai.net"}
{"type":"answer","id":25783,"rcode":"NOERROR","rrname":"g.akamai.net","rrtype":"SOA","ttl":1000}

Project

General

Profile

Suricata

Custom queries

Bug #856

FP on new Suricata git dns decoder

Updated by rmkml rmkml over 11 years ago

Updated by Victor Julien over 11 years ago

Updated by Peter Manev over 11 years ago

Updated by rmkml rmkml over 11 years ago

Updated by Victor Julien about 11 years ago

Updated by Andreas Herz about 8 years ago

Updated by Victor Julien over 7 years ago

Updated by Victor Julien about 7 years ago