
Bug #1920

closed

Suricata in IPS mode seems to discard some DNS requests

Added by Filippo Carletti over 7 years ago. Updated over 7 years ago.

Status: Closed
Priority: Normal
Assignee:
Target version: -
Affected Versions:
Effort:
Difficulty:
Label:

Description

Suricata IPS mode running on gateway which acts as DNS server seems to discard some requests on port 53/udp.
A good description of the same problem/symptoms could be found here:
https://lists.openinfosecfoundation.org/pipermail/oisf-users/2016-January/005685.html

CentOS 7 (NethServer)
suricata-3.1.2-1.el7.x86_64
dnsmasq-2.66-14.el7_2.1.x86_64

I'm attaching two pcaps:
  • good.pcap for a working setup obtained with the following iptables rule in the INPUT chain:
    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* dnsmasq */
    
  • fail.pcap for a failure scenario, where NFQBY is a --nfqueue 0 --bypass target (i.e. send to suricata)
    NFQBY      udp  --  0.0.0.0/0            0.0.0.0/0           [goto]  udp dpt:53 /* dnsmasq */
    

Files

good.pcap (694 Bytes) good.pcap Filippo Carletti, 10/13/2016 04:07 AM
fail.pcap (1007 Bytes) fail.pcap Filippo Carletti, 10/13/2016 04:08 AM
suricata.yaml (59.7 KB) suricata.yaml Filippo Carletti, 10/14/2016 03:55 AM
Actions #1

Updated by Andreas Herz over 7 years ago

  • Assignee set to Anonymous
  • Target version set to TBD

Where/How did you capture the .pcaps?
How do you run suricata and how did you configure it?
And what rules do you use, and could you try it without rules so we can narrow it down if it's a rule issue?

Actions #2

Updated by Filippo Carletti over 7 years ago

Where/How did you capture the .pcaps?

tcpdump -p -i enp0s8 -s 1500 -w pcap
on 192.168.56.44.

How do you run suricata and how did you configure it?

/sbin/suricata -c /etc/suricata/suricata.yaml -q 0 --user suricata
suricata.yaml attached.

And what rules do you use and could you try it without rules so we can narrow it down if it's an rule issue?

I had zero rules:

Oct 13 01:22:13 ns7b1 suricata: 13/10/2016 -- 01:22:13 - <Warning> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rule was loaded at all!

I can reproduce the problem on different systems. I can give you remote ssh access if you need it.

Actions #3

Updated by Filippo Carletti over 7 years ago

I forgot to mention that to trigger the problem I use a Fedora 24 client (192.168.56.1 in the pcap).
My Fedora does NOT have "option single-request" in resolv.conf.
A good description of the problem can be found here:
https://www.netroby.com/view/3695
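As an added example (not part of this report, of Suricata or of dnsmasq), the Python below reproduces the client-side pattern behind the description and comment #3: without "options single-request" the glibc resolver sends an A and an AAAA query for the same name back to back from one UDP source port, and a small matcher over a capture reports which of those queries never received an answer, which is the check one would run over good.pcap and fail.pcap. Everything in it is constructed for illustration: the DNS builder and parser, the client port 40000, the name example.com and the transaction IDs are assumptions, and the pcap reader assumes a classic libpcap file of Ethernet/IPv4/UDP frames, which is what the tcpdump invocation in comment #2 produces.

```python
"""Constructed example: glibc-style parallel A/AAAA queries and a check for
unanswered ones in a capture. Not code from the bug report or from Suricata."""
import struct

QTYPE_A = 1
QTYPE_AAAA = 28
CLIENT_PORT = 40000  # assumption; the report's client is 192.168.56.1


def build_query(txid, name, qtype):
    """DNS query: 12-byte header (RD set) plus one IN question, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        struct.pack("!B", len(label)) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def build_response(query):
    """Minimal reply to 'query': same txid and question, QR/RA set, no answers."""
    txid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + query[12:]


def parallel_queries(name, txid_a, txid_aaaa):
    """What glibc does without single-request: A and AAAA for one name, sent
    back to back on the same socket (same source port, different txids)."""
    return build_query(txid_a, name, QTYPE_A), build_query(txid_aaaa, name, QTYPE_AAAA)


def parse_question(msg):
    """Return (txid, is_response, qname, qtype) for a one-question DNS message."""
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        labels.append(msg[pos:pos + n].decode("ascii"))
        pos += n
    qtype = struct.unpack("!H", msg[pos:pos + 2])[0]
    return txid, bool(flags & 0x8000), ".".join(labels), qtype


def unanswered_queries(packets):
    """packets: (client_port, dns_payload) pairs in capture order, both directions.
    A query is answered only by a response with the same port, txid and question;
    anything still pending at the end is what the IPS path (or server) dropped."""
    pending = {}
    for port, payload in packets:
        txid, is_response, qname, qtype = parse_question(payload)
        key = (port, txid, qname, qtype)
        if is_response:
            pending.pop(key, None)
        else:
            pending[key] = True
    return sorted(pending)


def packets_from_pcap(path, server_port=53):
    """Yield (client_port, dns_payload) from a classic libpcap file (magic
    0xa1b2c3d4, either byte order) of Ethernet/IPv4/UDP frames. Assumption:
    link type Ethernet, no VLAN tags, no IPv6, no pcapng."""
    with open(path, "rb") as f:
        data = f.read()
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    pos = 24  # skip the global header
    while pos + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[pos:pos + 16])
        frame = data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if frame[12:14] != b"\x08\x00" or frame[23] != 17:  # IPv4 + UDP only
            continue
        ihl = (frame[14] & 0x0F) * 4
        udp = frame[14 + ihl:]
        sport, dport, ulen = struct.unpack("!HHH", udp[:6])
        if dport == server_port:
            yield sport, udp[8:ulen]
        elif sport == server_port:
            yield dport, udp[8:ulen]


def constructed_captures():
    """Two in-memory captures (constructed, not the attached pcaps): one where
    both parallel queries are answered, one where only the A query is."""
    q_a, q_aaaa = parallel_queries("example.com", 0x1A2B, 0x1A2C)
    good = [(CLIENT_PORT, q_a), (CLIENT_PORT, q_aaaa),
            (CLIENT_PORT, build_response(q_a)), (CLIENT_PORT, build_response(q_aaaa))]
    fail = [(CLIENT_PORT, q_a), (CLIENT_PORT, q_aaaa), (CLIENT_PORT, build_response(q_a))]
    return good, fail


if __name__ == "__main__":
    good, fail = constructed_captures()
    print("good:", unanswered_queries(good))
    print("fail:", unanswered_queries(fail))
    # Against real files: unanswered_queries(packets_from_pcap("fail.pcap"))
```

Run against the attached files with `unanswered_queries(packets_from_pcap("fail.pcap"))` on the capture taken on the 192.168.56.44 side; the matcher keys on client port, transaction ID and question, so the two parallel queries of one lookup are tracked separately and the output names exactly which of them never came back, regardless of which type the resolver sent first.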

Actions #4

Updated by Victor Julien over 7 years ago

  • Status changed from New to Assigned
  • Assignee changed from Anonymous to Jason Ish
  • Target version changed from TBD to 70

Possibly related to #1923

Actions #5

Updated by Filippo Carletti over 7 years ago

Victor Julien wrote:

Possibly related to #1923

I think it's the same issue.
Suricata 3.1.3 solved the problem.
I propose marking duplicate and close.

Actions #6

Updated by Jason Ish over 7 years ago

  • Status changed from Assigned to Closed
  • Target version changed from 70 to 3.2

This is the same issue as #1923 which was fixed in 3.2rc1 and 3.1.3.

Actions #7

Updated by Victor Julien over 7 years ago

  • Target version deleted (3.2)