Suricata

Sorry for being late!

Andreas Herz wrote:

How do you run Suricata?

Nothing fancy really, the installation is acting as a router (iptables w/ nat & ip_forward) for a "small" private network.

Suricata installed from epel, running on the local facing interface:

pcap:
  - interface: eth1

ethtool -K eth1 sg off gro off lro off tso off gso off

ethtool -K eth1 rx off tx off gro off

I am also running unbound as a reverse DNS proxy for the local network on this box, binding to eth1.

The alerts logged are:

{"timestamp":"2016-08-16T18:58:55.285853+0200","flow_id":4250627771,"in_iface":"eth1","event_type":"alert","src_ip":"x.x.x.x","src_port":53,"dest_ip":"x.x.x.x","dest_port":42924,"proto":"UDP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2240002,"rev":1,"signature":"SURICATA DNS malformed request data","category":"","severity":3}}

dest_ip is pretty much every active client on the network including Desktops, Smartphones and Tablets ranging from Windows over Linux/Android to OSX/iOS

The src_ip is listed under DNS_SERVERS in

vars:
  address-groups:

For the time being i disabled the two noisy messages

suppress gen_id 1, sig_id 2240002
suppress gen_id 1, sig_id 2200037

Victor Julien wrote:

I can confirm the TCP issue. Will work on a fix. Haven't investigated the DNS one yet.

Update on the DNS issue since i had some spare time.

It does look like rDNS requests (e.g. nslookup 10.0.0.1) are triggering the alerts.
I am able to reproduce this reliable from any random client on the network.

Dunno why Suricata thinks this is "malformed request data" especially since nsd (running behind unbound) has a reverse lookup zone (in-addr.arpa) configured and is responding to all rDNS requests with the expected answer.

Can you share a small pcap of the DNS traffic triggering the rule?