Feature #4758

open

dns: weird query should have app-layer-event?

Added by Victor Julien about 3 years ago. Updated 5 months ago.

Status: Feedback
Priority: Normal
Target version:
Effort:
Difficulty:
Label:

Description

Request    A &eventtype=close&reason=5&duration=5285

See attached pcap. Ran this against rules/dns-events.rules but it triggers nothing. Wondering if it should. Regular rule matches do work.

Files

dns-weird.pcap (139 Bytes) Victor Julien, 10/16/2021 11:18 AM

#1

Updated by Philippe Antoine over 1 year ago

Why should it have an app-layer event?
Because you use characters not allowed in domain names such as &?
This looks more like a case for a regular rule, does it not?
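
A stand-alone sketch of the check discussed above, added here as an example and not part of the ticket or of Suricata's code: it parses the question name from a DNS query and lists the labels that fall outside hostname syntax (letters, digits, hyphen). The query bytes are constructed from the name shown in the description, not taken from dns-weird.pcap, and all function names are hypothetical.

```python
import re
import struct

# Hostname (LDH) label syntax: letters, digits, hyphen, no leading or
# trailing hyphen. Service labels such as "_dmarc" are also reported.
LDH_LABEL = re.compile(rb"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")

def build_query(name: bytes, qtype: int = 1) -> bytes:
    """Build a minimal DNS query (constructed sample input)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l for l in name.split(b".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_question(msg: bytes):
    """Return (labels, qtype) for the first question of a DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated header")
    if struct.unpack("!H", msg[4:6])[0] < 1:
        raise ValueError("no question")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        length = msg[pos]
        pos += 1
        if length == 0:          # root label ends the name
            break
        if length > 63:          # compression pointer or invalid length
            raise ValueError("bad label length in question")
        if pos + length > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[pos:pos + length])
        pos += length
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    return labels, struct.unpack("!H", msg[pos:pos + 2])[0]

def non_ldh_labels(msg: bytes):
    """Labels of the query name that are not valid hostname labels."""
    labels, _ = parse_question(msg)
    return [l for l in labels if not LDH_LABEL.fullmatch(l)]

if __name__ == "__main__":
    # Name copied from the ticket description; the packet is constructed.
    sample = build_query(b"&eventtype=close&reason=5&duration=5285")
    print(non_ldh_labels(sample))
```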

#2

Updated by Philippe Antoine 5 months ago

  • Tracker changed from Bug to Feature
  • Target version set to TBD

#3

Updated by Philippe Antoine 5 months ago

  • Status changed from New to Feedback
  • Assignee set to Community Ticket