Project

General

Profile

Actions

Bug #1924

closed

Windows dynamic DNS updates trigger 'DNS malformed request data' alerts

Added by Orion Poplawski over 7 years ago. Updated over 7 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Windows dynamic DNS updates trigger 'DNS malformed request data' alerts. This is because the AD server is returning a response with:

Type: AAAA
Class: ANY (0x00ff)
Time to live: 0 seconds
Data length: 0

Presumably this is because with have IPv6 disabled on our network.

It also has an entry with:

Type: A
Class: ANY (0x00ff)
Time to live: 0 seconds
Data length: 0

and then finally the normal:

Type: A 
Class: IN (0x0001)
Time to live: 20 minutes
Data length: 4

But in src/app-layer-dns-common.c:

        case DNS_RECORD_TYPE_A:
        {
            if (ntohs(head->len) == 4) {
                //PrintRawDataFp(stdout, data, ntohs(head->len));
                //char a[16];
                //PrintInet(AF_INET, (const void *)data, a, sizeof(a));
                //SCLogInfo("A %s TTL %u", a, ntohl(head->ttl));

                DNSStoreAnswerInState(dns_state, list, fqdn, fqdn_len,
                        ntohs(head->type), ntohs(head->class), ntohl(head->ttl),
                        data, 4, ntohs(dns_header->tx_id));
            } else {
                SCLogDebug("invalid length for A response data: %u", ntohs(head->len));
                goto bad_data;
            }

            data += ntohs(head->len);
            break;
        }
        case DNS_RECORD_TYPE_AAAA:
        {
            if (ntohs(head->len) == 16) {
                //char a[46];
                //PrintInet(AF_INET6, (const void *)data, a, sizeof(a));
                //SCLogInfo("AAAA %s TTL %u", a, ntohl(head->ttl));

                DNSStoreAnswerInState(dns_state, list, fqdn, fqdn_len,
                        ntohs(head->type), ntohs(head->class), ntohl(head->ttl),
                        data, 16, ntohs(dns_header->tx_id));
            } else {
                SCLogDebug("invalid length for AAAA response data: %u", ntohs(head->len));
                goto bad_data;
            }

So if len 0 we return invalid length. Perhaps we need a special case for class ANY or len == 0?


Files

dnsadupdate_anon.pcapng (456 Bytes) dnsadupdate_anon.pcapng dns dynamic update Orion Poplawski, 10/18/2016 12:08 PM
Actions #1

Updated by Victor Julien over 7 years ago

Could you attach a pcap of this traffic?

Actions #2

Updated by Orion Poplawski over 7 years ago

Here's a snippet. Also confusing is that the alert refers to "request data", but the issue is with "response data".

Actions #3

Updated by Victor Julien over 7 years ago

  • Status changed from New to Assigned
  • Assignee set to Jason Ish
  • Target version set to 70
Actions #4

Updated by Jason Ish over 7 years ago

  • Target version changed from 70 to 3.2
Actions #5

Updated by Victor Julien over 7 years ago

  • Status changed from Assigned to Closed
Actions

Also available in: Atom PDF