Project

General

Profile

Actions

Bug #2435

closed

Suricata 4.0.3 in IPS mode seems to discard some DNS requests

Added by Dan Rimal almost 7 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

Suricata 4.0.3 on Centos 7.2 and kernel 4.4.29 (COS7 elrepo LT) have the very same problem like this closed bugs:

https://redmine.openinfosecfoundation.org/issues/1920
https://redmine.openinfosecfoundation.org/issues/1923

SSH client send A and AAAA request, but inline IPS Suricata via NFQ drops AAAA query pointing to the DNS sitting in another vlan than client. Tcpdump show client's incoming query, but not outgoing query toward DNS server.

Suricata has no rules loaded.

This issue slow down ssh login to remote servers and it is very easy to reproduce (occur everytime).

Attached files:
dnsq-from-vlan12 (client vlan)
dnsq-from-vlan10 (server vlan)


Files

dnsq-from-vlan10 (1.51 KB) dnsq-from-vlan10 Dan Rimal, 02/05/2018 10:14 AM
dnsq-from-vlan12 (1.98 KB) dnsq-from-vlan12 Dan Rimal, 02/05/2018 10:14 AM
suricata.yaml (66.4 KB) suricata.yaml Dan Rimal, 02/05/2018 10:15 AM
suricata.yaml (66.4 KB) suricata.yaml Dan Rimal, 02/13/2018 06:16 AM

Related issues 1 (0 open1 closed)

Related to Suricata - Bug #2806: Parallel DNS queries dropped when using same socketClosedActions
Actions

Also available in: Atom PDF