Project

General

Profile

Actions
Copy link

Bug #2805

closed

dns v1/2 with rust results in less app layer data available in the alert record (for dns related alerts/rules) (4.1.x)

Added by Victor Julien almost 6 years ago. Updated almost 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Victor Julien
Target version:
4.1.3
Affected Versions:
Effort:
Difficulty:
Label:

Description

Using the following rule:

alert dns any any -> any any (msg:"SURICATA DNS query .com"; dns_query; content:".com"; isdataat:!1,relative; sid:1000000; rev:1;)

with Suricata - This is Suricata version 4.1.0-dev (rev b51e4a39)
With Rust enabled using DNS v1 and/or v2 in eve-log I get no dns app layer data in the alert record.

{
  "timestamp": "2019-01-07T16:42:19.830185+0100",
  "flow_id": 208638561725161,
  "pcap_cnt": 1,
  "event_type": "alert",
  "src_ip": "x.x.x.x",
  "src_port": 23509,
  "dest_ip": "y.y.y.y",
  "dest_port": 53,
  "proto": "UDP",
  "tx_id": 0,
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 1000000,
    "rev": 1,
    "signature": "SURICATA DNS query .com",
    "category": "",
    "severity": 3
  },
  "app_proto": "dns",
  "flow": {
    "pkts_toserver": 1,
    "pkts_toclient": 0,
    "bytes_toserver": 81,
    "bytes_toclient": 0,
    "start": "2019-01-07T16:42:19.830185+0100" 
  },
  "payload_printable": ".............prg\rsmartadserver.com.....",
  "stream": 0,
  "packet": "AB5zmNOKAB5zmsMACABFAABDrmJAADsRoNW+c7f7ugHAAVvVADUALyazBrwBAAABAAAAAAAAA3ByZw1zbWFydGFkc2VydmVyA2NvbQAAAQAB",
  "packet_info": {
    "linktype": 1
  }
}

But without rust (--disbale-rust)
So using DNS v1 i get the data in the record:


{
  "timestamp": "2019-01-07T16:42:19.830185+0100",
  "flow_id": 382561114893033,
  "pcap_cnt": 1,
  "event_type": "alert",
  "src_ip": "x.x.x.x",
  "src_port": 23509,
  "dest_ip": "y.y.y.y",
  "dest_port": 53,
  "proto": "UDP",
  "tx_id": 0,
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 1000000,
    "rev": 1,
    "signature": "SURICATA DNS query .com",
    "category": "",
    "severity": 3
  },
  "dns": {
    "query": [
      {
        "type": "query",
        "id": 1724,
        "rrname": "prg.smartadserver.com",
        "rrtype": "A",
        "tx_id": 0
      }
    ]
  },
  "app_proto": "dns",
  "flow": {
    "pkts_toserver": 1,
    "pkts_toclient": 0,
    "bytes_toserver": 81,
    "bytes_toclient": 0,
    "start": "2019-01-07T16:42:19.830185+0100" 
  },
  "payload_printable": ".............prg\rsmartadserver.com.....",
  "stream": 0,
  "packet": "AB5zmNOKAB5zmsMACABFAABDrmJAADsRoNW+c7f7ugHAAVvVADUALyazBrwBAAABAAAAAAAAA3ByZw1zbWFydGFkc2VydmVyA2NvbQAAAQAB",
  "packet_info": {
    "linktype": 1
  }
}

I can reproduce it repetitively -
If using alert on dns v1 or v2 with rust - we never have the app layer dns data ...but with rust disabled and dns set to v1 we always have dns app layer data (similar to below)

...
...
  "dns": {
    "query": [
      {
        "type": "query",
        "id": 1724,
        "rrname": "prg.smartadserver.com",
        "rrtype": "A",
        "tx_id": 0
      }
    ]
  },
  "app_proto": "dns",
...
...

Related issues 1 (0 open1 closed)

Copied from Suricata - Bug #2775: dns v1/2 with rust results in less app layer data available in the alert record (for dns related alerts/rules)ClosedJason IshActions
Actions
Copy link
 #1

Updated by Victor Julien almost 6 years ago

  • Copied from Bug #2775: dns v1/2 with rust results in less app layer data available in the alert record (for dns related alerts/rules) added
Actions
Copy link
 #2

Updated by Victor Julien almost 6 years ago

  • Status changed from New to Assigned
  • Assignee changed from Jason Ish to Victor Julien

Cherry-picking from master.

Actions
Copy link
 #3

Updated by Victor Julien almost 6 years ago

  • Status changed from Assigned to Closed
Actions
Copy link

Also available in: Atom PDF