Bug #4758

open

dns: weird query should have app-layer-event?

Added by Victor Julien over 2 years ago. Updated 9 months ago.

Status: New
Priority: Normal
Assignee: -
Target version: -

Description

Request    A &eventtype=close&reason=5&duration=5285

See attached pcap. Ran this against rules/dns-events.rules but it triggers nothing. Wondering if it should. Regular rule matches do work.

Files

dns-weird.pcap (139 Bytes), Victor Julien, 10/16/2021 11:18 AM

#1

Updated by Philippe Antoine 9 months ago

Why should it have an app-layer event?
Because you use characters not allowed in domain names such as &?
This looks more like a case for a regular rule, does it not?
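To make the character-set question concrete, here is an added example (not part of the ticket and not Suricata code) that parses the question name out of a DNS query and reports bytes outside the hostname letter-digit-hyphen (LDH) alphabet. The attached pcap is not reproduced here, so the query is constructed on the assumption that the name from the description is a single label of an A request; `build_query`, `parse_qname` and `non_ldh_bytes` are hypothetical helper names.

```python
import string
import struct

# Hostname (LDH) alphabet: letters, digits, hyphen. The DNS wire format carries
# any octet in a label; only the hostname convention restricts the characters.
LDH = set((string.ascii_letters + string.digits + "-").encode())

def build_query(name: bytes, qtype: int = 1) -> bytes:
    """Constructed sample: minimal DNS query (header plus one question)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l for l in name.split(b".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_qname(msg: bytes) -> list[bytes]:
    """Return the labels of the first question; reject truncation and pointers."""
    if len(msg) < 12:
        raise ValueError("short header")
    if struct.unpack("!H", msg[4:6])[0] < 1:
        raise ValueError("no question")
    labels, off = [], 12
    while True:
        if off >= len(msg):
            raise ValueError("truncated qname")
        n = msg[off]
        off += 1
        if n == 0:
            return labels
        if n > 63:
            raise ValueError("compression pointer or bad label length")
        if off + n > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[off:off + n])
        off += n

def non_ldh_bytes(msg: bytes) -> set[int]:
    """Byte values in the query name that fall outside the LDH alphabet."""
    return {b for label in parse_qname(msg) for b in label if b not in LDH}

# Constructed inputs: the name from the ticket description and an ordinary name.
WEIRD = build_query(b"&eventtype=close&reason=5&duration=5285")
NORMAL = build_query(b"www.example.com")

if __name__ == "__main__":
    print(sorted(chr(b) for b in non_ldh_bytes(WEIRD)))
    print(non_ldh_bytes(NORMAL))
```

The constructed query is a well-formed DNS message whose name is simply outside the hostname alphabet, so `parse_qname` accepts it and only the content check flags it.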
