Bug #2263

closed

content matches disregarded when using dns_query on udp traffic

Added by Travis Green over 6 years ago. Updated over 6 years ago.

Status: Closed
Priority: High

Description

Using Suricata-4.0.x, content matches before the dns_query sticky buffer are disregarded

  • FP:
    alert dns $HOME_NET any -> any any (msg:"test (fp)"; content:"|01|"; depth:1; offset:2; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|10|"; distance:1; within:1; content:"|06|"; distance:16; within:1; content:"|03|top|00|"; distance:6; within:5; dns_query; content:".top"; classtype:trojan-activity; sid:1; rev:1;)
  • no FP:
    alert dns $HOME_NET any -> any any (msg:"test (no fp)"; content:"|01|"; depth:1; offset:2; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|10|"; distance:1; within:1; content:"|06|"; distance:16; within:1; content:"|03|top|00|"; distance:6; within:5; classtype:trojan-activity; sid:2; rev:1;)

Previous versions unaffected
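Added illustration (not code from the Suricata project or from the bug report): a small Python model of the packet-payload content chain in the two rules above, run over constructed DNS query payloads. It decodes which DNS header fields and QNAME bytes each offset/depth/distance/within step pins down, and shows why sid:1 is expected to stay silent on a query such as foo.top while sid:2 never fires on it at all. The match semantics are a simplified reading of Suricata's content modifiers (assumption: depth is counted from offset, and within is counted from the end of the previous match plus distance); the dns_query buffer is modelled as the dotted QNAME, with no name compression in a query.

```python
import struct

# Constructed DNS query (QTYPE A, QCLASS IN). Flags 0x0100 = standard query, RD set.
def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # ID, flags, QD=1, AN, NS, AR
    labels = name.encode().split(b".")
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

# Model of the dns_query sticky buffer: the dotted QNAME (assumption: no compression pointers).
def dns_query_buffer(payload: bytes) -> str:
    labels, pos = [], 12                      # QNAME starts right after the 12-byte header
    while payload[pos] != 0:
        n = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    return ".".join(labels)

# Simplified model of Suricata's content/offset/depth/distance/within chain (assumption, see lead-in):
#   first content: search window is payload[offset : offset + depth]
#   later content: window starts at previous match end + distance, is `within` bytes long
# The pattern must lie entirely inside the window.
def match_chain(payload: bytes, chain: list) -> bool:
    prev_end = None
    for step in chain:
        pat = step["content"]
        if prev_end is None:
            start = step.get("offset", 0)
            end = start + step["depth"] if "depth" in step else len(payload)
        else:
            start = prev_end + step.get("distance", 0)
            end = start + step["within"] if "within" in step else len(payload)
        idx = payload.find(pat, start, end)   # find() with an end bound requires the whole pattern inside
        if idx < 0:
            return False
        prev_end = idx + len(pat)
    return True

# The packet-payload part shared by sid:1 and sid:2, annotated with what each step lands on.
RULE_CHAIN = [
    {"content": b"\x01", "offset": 2, "depth": 1},                              # byte 2: flags high byte (RD, standard query)
    {"content": b"\x00\x01\x00\x00\x00\x00\x00", "distance": 1, "within": 7},   # bytes 4-10: QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT high byte
    {"content": b"\x10", "distance": 1, "within": 1},                           # byte 12: first label is 16 bytes long
    {"content": b"\x06", "distance": 16, "within": 1},                          # byte 29: second label is 6 bytes long
    {"content": b"\x03top\x00", "distance": 6, "within": 5},                    # bytes 36-40: TLD "top", end of name
]

# What sid:1 should do: the payload chain AND the dns_query content must both match.
def sid1_expected_alert(payload: bytes) -> bool:
    return match_chain(payload, RULE_CHAIN) and ".top" in dns_query_buffer(payload)

# Behaviour described in the report for 4.0.x: the content matches before dns_query are disregarded,
# so only the sticky-buffer match decides.
def sid1_as_reported(payload: bytes) -> bool:
    return ".top" in dns_query_buffer(payload)

# sid:2 has no dns_query part, so it is the payload chain alone.
def sid2_alert(payload: bytes) -> bool:
    return match_chain(payload, RULE_CHAIN)

if __name__ == "__main__":
    shaped = build_dns_query("a" * 16 + "." + "b" * 6 + ".top")   # constructed: 16-label, 6-label, .top
    plain = build_dns_query("foo.top")                             # constructed: ends in .top, wrong shape
    for label, p in (("shaped", shaped), ("plain", plain)):
        print(label, "expected sid:1 =", sid1_expected_alert(p),
              "reported sid:1 =", sid1_as_reported(p), "sid:2 =", sid2_alert(p))
```

The "plain" query is the false-positive case from the report: sid:2 stays silent because byte 12 is 0x03 rather than 0x10, so the 16-byte-label step fails, yet the reported 4.0.x behaviour of sid:1 alerts on the dns_query match alone.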


Files

merged.pcap (8.68 KB) merged.pcap test pcap Travis Green, 11/07/2017 12:14 PM
suri_dns_bug_info.md (5.1 KB) suri_dns_bug_info.md Travis Green, 11/07/2017 12:15 PM