Feature #1265

closed

Replace response on Suricata dns decoder when dns error please

Added by rmkml rmkml over 10 years ago. Updated over 9 years ago.

Status: Closed
Priority: Normal

Description

Hello,

When I start this test: (only for example)
perl -e 'print "\x00\x00\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x04test\x03com\x00\x00\x01\x00\x02"'|nc -vnu 8.8.8.8 53

tshark output:
1 17:27:37.939800 192.168.42.150 -> 8.8.8.8 DNS 68 Standard query 0x0000 A test.com
2 17:27:38.033266 8.8.8.8 -> 192.168.42.150 DNS 68 Standard query response 0x0000 Server failure

But Suricata v2.1beta1 "wrong" Response output:
08/19/2014-17:27:37.939800 [**] Query TX 0000 [**] test.com [**] A [**] 192.168.42.150:34092 -> 8.8.8.8:53
08/19/2014-17:27:37.939800 [**] Response TX 0000 [**] No Such Name [**] 8.8.8.8:53 -> 192.168.42.150:34092
08/19/2014-17:27:37.939800 [**] Response TX 0000 [**] No Such Name [**] 8.8.8.8:53 -> 192.168.42.150:34092

Could you check why "No Such Name" appears here, please?
Because it's a DNS response Server failure.
Found another example with DNS response Format error.

Attached pcap.
Regards
@rmkml rmkml


Files

exemple_dns_serverfailure.pcap (192 Bytes) rmkml rmkml, 08/19/2014 10:39 AM
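An added example (not Suricata's code and not part of the original report): the DNS response code is the low four bits of the fourth header byte, so a decoder can log each value by its own name. The query bytes are those of the perl command in the report; the response bytes are constructed for illustration, not taken from the attached pcap, and the function and array names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Query bytes exactly as sent by the perl one-liner in the report. */
static const uint8_t report_query[] = {
    0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x04, 't', 'e', 's', 't', 0x03, 'c', 'o', 'm', 0x00, 0x00, 0x01, 0x00, 0x02
};
/* Constructed response (not taken from the attached pcap): same question,
 * flags 0x8182 = QR | RD | RA with RCODE 2. */
static const uint8_t sample_response[] = {
    0x00, 0x00, 0x81, 0x82, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x04, 't', 'e', 's', 't', 0x03, 'c', 'o', 'm', 0x00, 0x00, 0x01, 0x00, 0x02
};

/* Names for RCODE 0-5 (RFC 1035, section 4.1.1), worded as in the tshark
 * and Suricata output quoted in the report. */
static const char *dns_rcode_name(int rcode)
{
    switch (rcode) {
    case 0: return "No error";
    case 1: return "Format error";
    case 2: return "Server failure";
    case 3: return "No Such Name";
    case 4: return "Not implemented";
    case 5: return "Refused";
    default: return "Unknown";
    }
}

/* RCODE of a DNS response: 0-15 on success, -1 if shorter than the 12-byte
 * header, -2 if the QR bit is clear (the message is a query). */
static int dns_response_rcode(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < 12)
        return -1;
    if ((buf[2] & 0x80) == 0)
        return -2;
    return buf[3] & 0x0f;
}

int main(void)
{
    int rc = dns_response_rcode(sample_response, sizeof sample_response);
    printf("Response TX %02x%02x: rcode %d (%s)\n",
           sample_response[0], sample_response[1], rc, dns_rcode_name(rc));
    return dns_response_rcode(report_query, sizeof report_query) == -2 ? 0 : 1;
}
```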