Project

General

Profile

Actions
Copy link

Feature #1265

closed

Replace response on Suricata dns decoder when dns error please

Added by rmkml rmkml over 9 years ago. Updated almost 9 years ago.

Status:
Closed
Priority:
Normal
Assignee:
David Cannings
Target version:
3.0RC1
Effort:
Difficulty:
Label:

Description

Hello,

When I start this test: (only for example)
perl -e 'print "\x00\x00\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x04test\x03com\x00\x00\x01\x00\x02"'|nc -vnu 8.8.8.8 53

tshark output:
1 17:27:37.939800 192.168.42.150 -> 8.8.8.8 DNS 68 Standard query 0x0000 A test.com
2 17:27:38.033266 8.8.8.8 -> 192.168.42.150 DNS 68 Standard query response 0x0000 Server failure

But Suricata v2.1beta1 "wrong" Response output:
08/19/2014-17:27:37.939800 [**] Query TX 0000 [**] test.com [**] A [**] 192.168.42.150:34092 -> 8.8.8.8:53
08/19/2014-17:27:37.939800 [**] Response TX 0000 [**] No Such Name [**] 8.8.8.8:53 -> 192.168.42.150:34092
08/19/2014-17:27:37.939800 [**] Response TX 0000 [**] No Such Name [**] 8.8.8.8:53 -> 192.168.42.150:34092

Could you check why "No Such Name" appear here please ?
Because it's a dns response Server failure.
Found another example with dns response Format error.

Joigned pcap.
Regards
@rmkml rmkml

Files

exemple_dns_serverfailure.pcap (192 Bytes) exemple_dns_serverfailure.pcap rmkml rmkml, 08/19/2014 10:39 AM
Actions
Copy link
 #1

Updated by David Cannings almost 9 years ago

  • Status changed from New to Resolved
  • Target version set to 3.0RC1
  • % Done changed from 0 to 100

This was fixed in the following PR: https://github.com/inliniac/suricata/pull/1425 which is included in 2.1beta4.

Using your test pcap I see:

08/19/2014-16:27:37.939800 [**] Query TX 0000 [**] test.com [**] A [**] 192.168.42.150:34092 -> 8.8.8.8:53
08/19/2014-16:27:37.939800 [**] Response TX 0000 [**] SERVFAIL [**] 8.8.8.8:53 -> 192.168.42.150:34092
08/19/2014-16:27:37.939800 [**] Response TX 0000 [**] SERVFAIL [**] 8.8.8.8:53 -> 192.168.42.150:34092

And in EVE:

{"timestamp":"2014-08-19T16:27:37.939800+0100","flow_id":21513872,"pcap_cnt":1,"event_type":"dns","src_ip":"192.168.42.150","src_port":34092,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":0,"rrname":"test.com","rrtype":"A","tx_id":0}}
{"timestamp":"2014-08-19T16:27:37.939800+0100","flow_id":21513872,"pcap_cnt":1,"event_type":"dns","src_ip":"192.168.42.150","src_port":34092,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"answer","id":0,"rcode":"SERVFAIL","rrname":"test.com"}}
Actions
Copy link
 #2

Updated by David Cannings almost 9 years ago

  • Assignee set to David Cannings
Actions
Copy link
 #3

Updated by Victor Julien almost 9 years ago

  • Status changed from Resolved to Closed
Actions
Copy link

Also available in: Atom PDF