Bug #2805
dns v1/2 with rust results in less app layer data available in the alert record (for dns related alerts/rules) (4.1.x)
Status: closed
Affected Versions:
Effort:
Difficulty:
Label:
Description
Using the following rule:
alert dns any any -> any any (msg:"SURICATA DNS query .com"; dns_query; content:".com"; isdataat:!1,relative; sid:1000000; rev:1;)
with Suricata 4.1.0-dev (rev b51e4a39):
With Rust enabled and DNS v1 and/or v2 in eve-log, I get no DNS app layer data in the alert record:
{
  "timestamp": "2019-01-07T16:42:19.830185+0100",
  "flow_id": 208638561725161,
  "pcap_cnt": 1,
  "event_type": "alert",
  "src_ip": "x.x.x.x",
  "src_port": 23509,
  "dest_ip": "y.y.y.y",
  "dest_port": 53,
  "proto": "UDP",
  "tx_id": 0,
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 1000000,
    "rev": 1,
    "signature": "SURICATA DNS query .com",
    "category": "",
    "severity": 3
  },
  "app_proto": "dns",
  "flow": {
    "pkts_toserver": 1,
    "pkts_toclient": 0,
    "bytes_toserver": 81,
    "bytes_toclient": 0,
    "start": "2019-01-07T16:42:19.830185+0100"
  },
  "payload_printable": ".............prg\rsmartadserver.com.....",
  "stream": 0,
  "packet": "AB5zmNOKAB5zmsMACABFAABDrmJAADsRoNW+c7f7ugHAAVvVADUALyazBrwBAAABAAAAAAAAA3ByZw1zbWFydGFkc2VydmVyA2NvbQAAAQAB",
  "packet_info": {
    "linktype": 1
  }
}
But without Rust (--disable-rust), using DNS v1, I get the data in the record:
{
  "timestamp": "2019-01-07T16:42:19.830185+0100",
  "flow_id": 382561114893033,
  "pcap_cnt": 1,
  "event_type": "alert",
  "src_ip": "x.x.x.x",
  "src_port": 23509,
  "dest_ip": "y.y.y.y",
  "dest_port": 53,
  "proto": "UDP",
  "tx_id": 0,
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 1000000,
    "rev": 1,
    "signature": "SURICATA DNS query .com",
    "category": "",
    "severity": 3
  },
  "dns": {
    "query": [
      {
        "type": "query",
        "id": 1724,
        "rrname": "prg.smartadserver.com",
        "rrtype": "A",
        "tx_id": 0
      }
    ]
  },
  "app_proto": "dns",
  "flow": {
    "pkts_toserver": 1,
    "pkts_toclient": 0,
    "bytes_toserver": 81,
    "bytes_toclient": 0,
    "start": "2019-01-07T16:42:19.830185+0100"
  },
  "payload_printable": ".............prg\rsmartadserver.com.....",
  "stream": 0,
  "packet": "AB5zmNOKAB5zmsMACABFAABDrmJAADsRoNW+c7f7ugHAAVvVADUALyazBrwBAAABAAAAAAAAA3ByZw1zbWFydGFkc2VydmVyA2NvbQAAAQAB",
  "packet_info": {
    "linktype": 1
  }
}
I can reproduce it repeatedly:
When alerting on DNS v1 or v2 with Rust, we never have the app layer DNS data, but with Rust disabled and DNS set to v1 we always have the DNS app layer data (similar to below):
... ... "dns": { "query": [ { "type": "query", "id": 1724, "rrname": "prg.smartadserver.com", "rrtype": "A", "tx_id": 0 } ] }, "app_proto": "dns", ... ...
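As an added example (not part of the bug report or of Suricata's own code), the Python below audits EVE alert lines for the condition described above: alerts with "app_proto": "dns" that carry no "dns" object. For each such record it decodes the base64 "packet" field (Ethernet/IPv4/UDP, linktype 1) and parses the DNS question itself, so the query that should have been in the record can still be checked against the detection. The packet bytes and record fields are copied from the two records above (with the reporter's x.x.x.x / y.y.y.y placeholders); the function names and the sample-record builder are my own.

```python
import base64
import json
import struct

# Packet field copied verbatim from the records in the report (81 bytes).
PACKET_B64 = ("AB5zmNOKAB5zmsMACABFAABDrmJAADsRoNW+c7f7ugHAAVvVADUALyazBrwBAAAB"
              "AAAAAAAAA3ByZw1zbWFydGFkc2VydmVyA2NvbQAAAQAB")

RRTYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA"}


def _alert_record(flow_id, dns_obj=None):
    """Build one EVE alert line shaped like the report's records (helper added here)."""
    rec = {
        "timestamp": "2019-01-07T16:42:19.830185+0100", "flow_id": flow_id,
        "event_type": "alert", "src_ip": "x.x.x.x", "src_port": 23509,
        "dest_ip": "y.y.y.y", "dest_port": 53, "proto": "UDP", "tx_id": 0,
        "alert": {"action": "allowed", "gid": 1, "signature_id": 1000000, "rev": 1,
                  "signature": "SURICATA DNS query .com", "category": "", "severity": 3},
        "app_proto": "dns", "packet": PACKET_B64, "packet_info": {"linktype": 1},
    }
    if dns_obj is not None:
        rec["dns"] = dns_obj
    return json.dumps(rec)


# Record 1: Rust DNS parser, no "dns" object.  Record 2: --disable-rust with DNS v1.
SAMPLE_EVE_LINES = [
    _alert_record(208638561725161),
    _alert_record(382561114893033, {"query": [{"type": "query", "id": 1724,
                  "rrname": "prg.smartadserver.com", "rrtype": "A", "tx_id": 0}]}),
]


def read_name(msg, offset):
    """Decode a DNS name at offset; return (name, offset after the name).
    Compression pointers (RFC 1035 4.1.4) are followed so answer sections parse
    too; the returned offset is the position right after the first pointer."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:          # two-byte compression pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("DNS name compression loop")
            continue
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii", "replace"))
        offset += 1 + length
    return ".".join(labels), (end if end is not None else offset)


def parse_dns_query(dns):
    """Parse the header and first question of a DNS message into EVE-style fields."""
    tx_id, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", dns[:12])
    if flags & 0x8000:
        raise ValueError("not a query: QR bit set")
    if qdcount < 1:
        raise ValueError("no question section")
    rrname, offset = read_name(dns, 12)
    qtype, _qclass = struct.unpack("!HH", dns[offset:offset + 4])
    return {"type": "query", "id": tx_id, "rrname": rrname,
            "rrtype": RRTYPE_NAMES.get(qtype, str(qtype))}


def dns_payload_from_packet(packet_b64, linktype=1):
    """Strip Ethernet/IPv4/UDP from an EVE 'packet' field and return the DNS bytes."""
    pkt = base64.b64decode(packet_b64)
    if linktype != 1:
        raise ValueError(f"unsupported linktype {linktype}")
    if struct.unpack("!H", pkt[12:14])[0] != 0x0800:
        raise ValueError("not IPv4")
    ip = pkt[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:
        raise ValueError(f"not UDP: IP protocol {ip[9]}")
    total_len = struct.unpack("!H", ip[2:4])[0]
    udp = ip[ihl:total_len]
    udp_len = struct.unpack("!H", udp[4:6])[0]
    return udp[8:udp_len]


def audit_dns_alerts(eve_lines):
    """One finding per DNS alert record lacking the 'dns' object, with the query
    recovered from the packet field so the gap can be confirmed."""
    findings = []
    for line in eve_lines:
        rec = json.loads(line)
        if rec.get("event_type") != "alert" or rec.get("app_proto") != "dns" or "dns" in rec:
            continue
        recovered = None
        if "packet" in rec:
            try:
                payload = dns_payload_from_packet(
                    rec["packet"], rec.get("packet_info", {}).get("linktype", 1))
                recovered = parse_dns_query(payload)
            except (ValueError, IndexError, struct.error) as exc:
                recovered = {"error": str(exc)}
        findings.append({"flow_id": rec["flow_id"],
                         "signature_id": rec["alert"]["signature_id"],
                         "recovered_query": recovered})
    return findings


if __name__ == "__main__":
    print(json.dumps(audit_dns_alerts(SAMPLE_EVE_LINES), indent=2))
```

Run against the two records above, only the Rust-parser record is flagged, and the query recovered from its packet (id 1724, prg.smartadserver.com, type A) is exactly what the DNS v1 record carries in its "dns" object, which confirms the data was on the wire and is simply missing from the alert output. Pointing the script at a real eve.json gives a quick count of affected alerts when assessing the impact of this bug on a 4.1.x deployment.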