Open Information Security Foundation - https://redmine.openinfosecfoundation.org/ - 2015-03-19T12:15:58Z
Suricata - Bug #1424: DNS EVE-log produces answers with incorrect direction
https://redmine.openinfosecfoundation.org/issues/1424?journal_id=4999 2015-03-19T12:15:58Z Antti Tönkyrä (daedalus@pingtimeout.net)
<p>Note that normal Suricata eve-log input is encapsulated in the data key in my example output.</p>
https://redmine.openinfosecfoundation.org/issues/1424?journal_id=5000 2015-03-19T12:18:03Z Antti Tönkyrä (daedalus@pingtimeout.net)
<p>And version info:<br /> 2.1dev (rev e250040)</p>
https://redmine.openinfosecfoundation.org/issues/1424?journal_id=5001 2015-03-19T12:26:50Z Antti Tönkyrä (daedalus@pingtimeout.net)
<p>Also happens with 60a4965.</p>
https://redmine.openinfosecfoundation.org/issues/1424?journal_id=5262 2015-05-21T04:47:26Z Victor Julien (victor@inliniac.net)
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Assigned</i></li><li><strong>Assignee</strong> set to <i>David Cannings</i></li><li><strong>Target version</strong> set to <i>3.0RC1</i></li></ul>
https://redmine.openinfosecfoundation.org/issues/1424?journal_id=5267 2015-05-21T05:59:38Z David Cannings (david@edeca.net)
<p>Confirmed in both live and pcap mode. Packet captures were taken from the same physical interface but not at the same time.</p>
<p>From the same pcap, here are two example sessions (one with vlan tags, one without):</p>
<pre>
{"timestamp":"2015-05-21T11:30:00.962978+0100","flow_id":22189344,"pcap_cnt":6031,"event_type":"dns","src_ip":"10.X.X.X","src_port":65077,"dest_ip":"10.Y.Y.Y","dest_port":53,"proto":"UDP","dns":{"type":"answer","id":7442,"rcode":"NXDOMAIN","rrname":"u.03.s.sophosxl.net","rrtype":"SOA","ttl":9}}
{"timestamp":"2015-05-21T11:30:01.467133+0100","flow_id":22312464,"pcap_cnt":6078,"event_type":"dns","vlan":1,"src_ip":"10.X.X.X","src_port":50545,"dest_ip":"10.Y.Y.Y","dest_port":53,"proto":"UDP","dns":{"type":"answer","id":53770,"rcode":"NOERROR","rrname":"iplayerhelp.external.bbc.co.uk","rrtype":"CNAME","ttl":1797,"rdata":"bbciplayer.metafaq.com"}}
</pre>
<p>From live capture:</p>
<pre>
{"timestamp":"2015-05-21T10:17:27.866919","flow_id":140034661246416,"in_iface":"eth2","event_type":"dns","vlan":1,"src_ip":"10.X.X.X","src_port":41341,"dest_ip":"10.Y.Y.Y","dest_port":53,"proto":"UDP","dns":{"type":"answer","id":20985}}
{"timestamp":"2015-05-21T10:17:27.867699","flow_id":140034661247088,"in_iface":"eth2","event_type":"dns","src_ip":"10.X.X.X","src_port":39122,"dest_ip":"10.Z.Z.Z","dest_port":53,"proto":"UDP","dns":{"type":"answer","id":20985}}
</pre>
<p>Note that there are also correct log entries, for example:</p>
<pre>
{"timestamp":"2015-05-21T10:15:18.195891","flow_id":140034664754368,"in_iface":"eth2","event_type":"dns","vlan":1,"src_ip":"10.X.X.X","src_port":53,"dest_ip":"10.Y.Y.Y","dest_port":50494,"proto":"UDP","dns":{"type":"answer","id":61479,"rrname":"internalnameredacted.local","rrtype":"A","ttl":0,"rdata":"10.Z.Z.Z"}}
</pre>
<p>The incorrect log entries greatly outnumber the correct ones in pcap mode. My sample is small and not statistically significant. The following is from a 1.2 MB pcap:</p>
<pre>
-> % jq -c 'select(.dns.type=="answer") | select(.src_port==53)' eve.json | wc -l
3 # correct
-> % jq -c 'select(.dns.type=="answer") | select(.dest_port==53)' eve.json | wc -l
9897 # incorrect
</pre>
<p>And from the live capture:</p>
<pre>
-> % jq -c 'select(.dns.type=="answer") | select(.src_port==53)' dns.log | wc -l
4149 # correct
-> % jq -c 'select(.dns.type=="answer") | select(.dest_port==53)' dns.log | wc -l
1164 # incorrect
</pre>
<p>Live capture used 2.1beta2; pcap used 2.1dev (rev 0e2a4c0).</p>
https://redmine.openinfosecfoundation.org/issues/1424?journal_id=5682 2015-11-24T08:45:30Z Victor Julien (victor@inliniac.net)
<ul><li><strong>Target version</strong> changed from <i>3.0RC1</i> to <i>70</i></li></ul>
https://redmine.openinfosecfoundation.org/issues/1424?journal_id=7637 2016-11-22T13:05:24Z Jason Ish (jason.ish@oisf.net)
<p>I propose we close this. I confirmed that I could replicate it with rev 0e2a4c0, but I am not able to replicate with 3.2RC1.</p>
<p>It appears it was fixed by this commit: 133485937952d8ed106eae840f517edf53024e19 (though I'm not sure why...)</p>
https://redmine.openinfosecfoundation.org/issues/1424?journal_id=7640 2016-11-23T08:16:24Z Victor Julien (victor@inliniac.net)
<p>That commit shouldn't affect it; how did you determine that?</p>
https://redmine.openinfosecfoundation.org/issues/1424?journal_id=7643 2016-11-23T08:34:28Z Jason Ish (jason.ish@oisf.net)
<p>You're right. I limited my back testing to commits on the <strong>dns</strong> files; it could have been in another commit leading up to that one. I'll re-check.</p>
https://redmine.openinfosecfoundation.org/issues/1424?journal_id=7644 2016-11-23T08:36:04Z Victor Julien (victor@inliniac.net)
<p>Maybe a git bisect could be useful. It can be automated if you have a test case that returns good/bad.</p>
https://redmine.openinfosecfoundation.org/issues/1424?journal_id=7647 2016-11-23T10:21:18Z Jason Ish (jason.ish@oisf.net)
<p>This is the commit: <a class="external" href="https://redmine.openinfosecfoundation.org/projects/suricata/repository?utf8=%E2%9C%93&branch=master&tag=&rev=2f0e0f17dbb4f289f045ab38cf13dc2ef209a148">https://redmine.openinfosecfoundation.org/projects/suricata/repository?utf8=%E2%9C%93&branch=master&tag=&rev=2f0e0f17dbb4f289f045ab38cf13dc2ef209a148</a></p>
https://redmine.openinfosecfoundation.org/issues/1424?journal_id=7659 2016-11-24T07:47:13Z Victor Julien (victor@inliniac.net)
<ul><li><strong>Status</strong> changed from <i>Assigned</i> to <i>Closed</i></li><li><strong>Assignee</strong> changed from <i>David Cannings</i> to <i>Victor Julien</i></li><li><strong>Target version</strong> deleted (<del><i>70</i></del>)</li></ul><p>Guess I fixed it then ;)</p>
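<p>The jq counts David Cannings posted and Victor Julien's suggestion of an automated good/bad test for git bisect can be served by one small script. The following is an added example written for this page, not code from the Suricata project or from anyone in the thread. It uses the same heuristic as the thread (an EVE "answer" record with src_port 53 has the expected server-to-client direction, one with dest_port 53 is inverted), so it assumes the resolver listens on port 53 and reports answers involving other ports as unclassified. The function names, the 1% bad-build threshold and the sample EVE lines (documentation-range addresses) are constructed for illustration.</p>

```python
"""Classify DNS "answer" records in Suricata EVE JSON by transport direction.

Added example, not Suricata code. An answer whose src_port is 53 has the
expected direction; one whose dest_port is 53 is inverted (the symptom of
bug #1424). Answers that touch neither port are left unclassified rather
than guessed at. Usage: python eve_dns_direction.py [eve.json]
"""
import json
import sys
from collections import Counter

DNS_PORT = 53  # assumption: the resolver listens on the standard port

# Constructed sample lines modelled on the records quoted in the report
# (192.0.2.0/24 is a documentation range; these are not real hosts).
SAMPLE_EVE_LINES = [
    # answer with dest_port 53: the inverted direction from the report
    '{"timestamp":"2015-05-21T11:30:00.962978+0100","flow_id":1,"event_type":"dns",'
    '"src_ip":"192.0.2.10","src_port":65077,"dest_ip":"192.0.2.53","dest_port":53,'
    '"proto":"UDP","dns":{"type":"answer","id":7442,"rcode":"NXDOMAIN",'
    '"rrname":"example.net","rrtype":"SOA","ttl":9}}',
    # answer with src_port 53: the expected direction
    '{"timestamp":"2015-05-21T11:30:01.000000+0100","flow_id":2,"event_type":"dns",'
    '"src_ip":"192.0.2.53","src_port":53,"dest_ip":"192.0.2.10","dest_port":50494,'
    '"proto":"UDP","dns":{"type":"answer","id":61479,"rrname":"host.example.net",'
    '"rrtype":"A","ttl":0,"rdata":"192.0.2.20"}}',
    # a query, which the check ignores
    '{"timestamp":"2015-05-21T11:30:01.100000+0100","flow_id":3,"event_type":"dns",'
    '"src_ip":"192.0.2.10","src_port":41341,"dest_ip":"192.0.2.53","dest_port":53,'
    '"proto":"UDP","dns":{"type":"query","id":20985,"rrname":"example.net","rrtype":"A"}}',
    # answer on a non-standard port: cannot be judged by the port heuristic
    '{"timestamp":"2015-05-21T11:30:01.200000+0100","flow_id":4,"event_type":"dns",'
    '"src_ip":"192.0.2.10","src_port":40000,"dest_ip":"192.0.2.99","dest_port":5353,'
    '"proto":"UDP","dns":{"type":"answer","id":1}}',
    # a truncated or corrupt line, as seen in real log files
    'not json at all',
]


def classify_answer(event):
    """Return 'correct', 'inverted', 'unclassified', or None if not a DNS answer."""
    if event.get("event_type") != "dns":
        return None
    if event.get("dns", {}).get("type") != "answer":
        return None
    if event.get("src_port") == DNS_PORT:
        return "correct"
    if event.get("dest_port") == DNS_PORT:
        return "inverted"
    return "unclassified"


def count_directions(lines):
    """Tally answer records by direction; unparsable lines are counted separately."""
    counts = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except ValueError:
            counts["unparsable"] += 1
            continue
        label = classify_answer(event)
        if label is not None:
            counts[label] += 1
    return counts


def bisect_verdict(lines, max_inverted_fraction=0.01):
    """Exit status for 'git bisect run': 0 = good build, 1 = bad build.

    The build is bad when inverted answers exceed the given fraction of all
    classified answers. The 1% default is an assumption for this example.
    125 tells git bisect the revision could not be tested (no answers seen).
    """
    counts = count_directions(lines)
    classified = counts["correct"] + counts["inverted"]
    if classified == 0:
        return 125
    return 1 if counts["inverted"] / classified > max_inverted_fraction else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_EVE_LINES
    tally = count_directions(lines)
    for key in ("correct", "inverted", "unclassified", "unparsable"):
        print(f"{key:>13}: {tally[key]}")
    sys.exit(bisect_verdict(lines))
```

<p>Run against an eve.json produced from the same pcap at each revision, the exit status lets git bisect run drive the search automatically; the unclassified bucket is the caveat to keep in mind, since a resolver on a non-standard port or a client that happens to pick source port 53 defeats the port-based heuristic the thread relies on.</p>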