Project

General

Profile

Actions
Copy link

Bug #1920

closed

Suricata in IPS mode seems to discard some DNS requests

Added by Filippo Carletti over 7 years ago. Updated over 7 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Jason Ish
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

Suricata IPS mode running on gateway which acts as DNS server seems to discard some requests on port 53/udp.
A good description of the same problem/symptoms could be found here:
https://lists.openinfosecfoundation.org/pipermail/oisf-users/2016-January/005685.html

CentOS 7 (NethServer)
suricata-3.1.2-1.el7.x86_64
dnsmasq-2.66-14.el7_2.1.x86_64

I'm attaching to pcaps:
  • good.pcap for a working setup obtained with the following iptables rule in the INPUT chain:
    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* dnsmasq */
  • fail.pcap for a failure scenario, where NFQBY is a --nfqueue 0 --bypass target (i.e. send to suricata)
    NFQBY      udp  --  0.0.0.0/0            0.0.0.0/0           [goto]  udp dpt:53 /* dnsmasq */

Files

Download all files
good.pcap (694 Bytes) good.pcap Filippo Carletti, 10/13/2016 04:07 AM
fail.pcap (1007 Bytes) fail.pcap Filippo Carletti, 10/13/2016 04:08 AM
suricata.yaml (59.7 KB) suricata.yaml Filippo Carletti, 10/14/2016 03:55 AM
Actions
Copy link

Also available in: Atom PDF