Bug #4178
openDNS Query triggers alert but no output in alert-debug.log
Description
If you run this rule:

```
alert dns $HOME_NET any -> any any (msg:"BAR"; dns.query; content:"suricata-ids.org"; sid:1337; rev:1;)
```

against the attached pcap, or do the lookup `dig -t A suricata-ids.org` and listen on the interface, you will trigger the correct alert but won't see any alert-debug.log output.
Updated by Andreas Herz about 4 years ago
```
+================
TIME:              11/23/2020-22:52:41.140580
PKT SRC:           wire/pcap
SRC IP:            10.23.0.135
DST IP:            8.8.8.8
PROTO:             17
SRC PORT:          37906
DST PORT:          53
FLOW:              to_server: TRUE, to_client: FALSE
FLOW Start TS:     11/23/2020-22:52:41.140580
FLOW PKTS TODST:   1
FLOW PKTS TOSRC:   0
FLOW Total Bytes:  99
FLOW IPONLY SET:   TOSERVER: TRUE, TOCLIENT: FALSE
FLOW ACTION:       DROP: FALSE
FLOW NOINSPECTION: PACKET: FALSE, PAYLOAD: FALSE, APP_LAYER: FALSE
FLOW APP_LAYER:    DETECTED: TRUE, PROTO 11
PACKET LEN:        99
PACKET:
 0000  F4 90 EA 00 25 CE 00 1B  21 22 46 10 08 00 45 00  ....%... !"F...E.
 0010  00 55 B2 D3 00 00 40 11  AD 17 0A 17 00 87 08 08  .U....@. ........
 0020  08 08 94 12 00 35 00 41  1B 00 1F 67 01 20 00 01  .....5.A ...g. ..
 0030  00 00 00 00 00 01 0C 73  75 72 69 63 61 74 61 2D  .......s uricata-
 0040  69 64 73 03 6F 72 67 00  00 01 00 01 00 00 29 10  ids.org. ......).
 0050  00 00 00 00 00 00 0C 00  0A 00 08 20 E8 33 93 11  ........ ... .3..
 0060  76 FD BA                                          v..
ALERT CNT:           1
ALERT MSG [00]:      BAR
ALERT GID [00]:      1
ALERT SID [00]:      1337
ALERT REV [00]:      1
ALERT CLASS [00]:    <none>
ALERT PRIO [00]:     3
ALERT FOUND IN [00]: PACKET
ALERT IN TX [00]:    N/A
PAYLOAD LEN:         57
PAYLOAD:
 0000  1F 67 01 20 00 01 00 00  00 00 00 01 0C 73 75 72  .g. .... .....sur
 0010  69 63 61 74 61 2D 69 64  73 03 6F 72 67 00 00 01  icata-id s.org...
 0020  00 01 00 00 29 10 00 00  00 00 00 00 0C 00 0A 00  ....)... ........
 0030  08 20 E8 33 93 11 76 FD  BA                       . .3..v. .
```
If you enforce it live with a rule like

```
alert ip $HOME_NET any -> any any (msg:"BAR"; content:"suricata-ids"; sid:1337; rev:1;)
```
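The alert-debug.log record in this comment is a key/value header followed by hexdumps of the packet and payload. As an added example (not code from this ticket or from Suricata), the Python below parses such a record, reassembles the PAYLOAD hexdump into bytes, decodes the DNS question, and makes visible why the two rules in this ticket differ: on the wire the name is encoded with label-length bytes (`\x0csuricata-ids\x03org`), so `content:"suricata-ids.org"` can only match in the normalized `dns.query` buffer, whereas the `alert ip` rule's `content:"suricata-ids"` is a substring that does occur verbatim in the raw payload. The record text is constructed from the dump posted above, trimmed to the fields the parser uses; the function names are the example's own.

```python
import re
import struct

# Constructed sample input: the alert-debug.log record posted in this ticket,
# reduced to the header fields and the PAYLOAD hexdump the parser needs.
SAMPLE_RECORD = """\
+================
TIME:              11/23/2020-22:52:41.140580
PKT SRC:           wire/pcap
SRC IP:            10.23.0.135
DST IP:            8.8.8.8
PROTO:             17
SRC PORT:          37906
DST PORT:          53
ALERT CNT:           1
ALERT MSG [00]:      BAR
ALERT SID [00]:      1337
ALERT FOUND IN [00]: PACKET
PAYLOAD LEN:         57
PAYLOAD:
 0000  1F 67 01 20 00 01 00 00  00 00 00 01 0C 73 75 72  .g. .... .....sur
 0010  69 63 61 74 61 2D 69 64  73 03 6F 72 67 00 00 01  icata-id s.org...
 0020  00 01 00 00 29 10 00 00  00 00 00 00 0C 00 0A 00  ....)... ........
 0030  08 20 E8 33 93 11 76 FD  BA                       . .3..v. .
"""

# "KEY:   value" header lines; the key may carry an alert index such as "[00]".
FIELD_RE = re.compile(r"^([A-Z][A-Za-z _]*?(?: \[\d+\])?):\s*(.*)$")
HEX_BYTE_RE = re.compile(r"^[0-9A-Fa-f]{2}$")
OFFSET_RE = re.compile(r"^[0-9A-Fa-f]{4}$")


def parse_record(text, section="PAYLOAD"):
    """Parse one alert-debug.log record into its header fields plus the bytes
    of the requested hexdump section ("PAYLOAD" or "PACKET")."""
    fields = {}
    dump = bytearray()
    in_dump = False
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            fields[key] = value
            in_dump = key == section  # "PAYLOAD:" opens the dump we want
            continue
        if not in_dump:
            continue
        tokens = line.split()
        if len(tokens) < 2 or not OFFSET_RE.match(tokens[0]):
            continue
        if int(tokens[0], 16) != len(dump):
            raise ValueError("hexdump offset does not match bytes read so far")
        # The trailing ASCII column can look like hex ("BA"), so take at most
        # 16 bytes per line and never more than the declared section length.
        declared = fields.get(f"{section} LEN")
        cap = 16 if declared is None else max(0, min(16, int(declared) - len(dump)))
        for tok in tokens[1:1 + cap]:
            if not HEX_BYTE_RE.match(tok):
                break
            dump.append(int(tok, 16))
    declared = fields.get(f"{section} LEN")
    if declared is not None and len(dump) != int(declared):
        raise ValueError(f"{section}: declared {declared} bytes, parsed {len(dump)}")
    return {"fields": fields, "bytes": bytes(dump)}


def decode_dns_question(payload):
    """Decode the DNS header and the first question of a raw DNS message.
    A query's first QNAME carries no compression pointers, so any 0xC0 label
    byte is treated as malformed rather than followed."""
    if len(payload) < 12:
        raise ValueError("short DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated QNAME")
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        if pos + length > len(payload):
            raise ValueError("truncated label")
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(payload):
        raise ValueError("truncated QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return {"id": txid, "flags": flags, "qname": ".".join(labels),
            "qtype": qtype, "qclass": qclass}


def content_matches(payload, needle):
    """Report where a rule's content string would be found: in the raw UDP
    payload (what `alert ip ... content:` inspects) or in the decoded query
    name (what the `dns.query` buffer exposes)."""
    qname = decode_dns_question(payload)["qname"]
    return {"raw_payload": needle.encode("ascii") in payload,
            "dns_query_buffer": needle in qname}


if __name__ == "__main__":
    rec = parse_record(SAMPLE_RECORD)
    print(rec["fields"]["ALERT SID [00]"], decode_dns_question(rec["bytes"]))
    for needle in ("suricata-ids.org", "suricata-ids"):
        print(needle, content_matches(rec["bytes"], needle))
```

Running it on the sample shows the question decoding to `suricata-ids.org` (type A, class IN) while the raw 57-byte payload contains `suricata-ids` but not `suricata-ids.org`, which is the distinction between the `dns.query` rule in the description and the `alert ip` rule above.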