Project

General

Profile

Actions

Bug #4759

closed

TCP DNS query not found when tls filter is active

Added by Thorsten Zachmann about 3 years ago. Updated over 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:
Needs backport to 6.0

Description

When using a TLS rule the DNS query rule is no longer reported.

Using the following ruleset:

alert tls any any -> any any (msg:"SSL Fingerprint"; sid:1; rev:1;)
alert dns any any -> any any (msg:".com in DNS query"; dns.query; content:".com"; sid:2; rev:1;)

The DNS query in the attached tcpdns.pcap is not reported to the eve.log.

If the rule with the sid 1 is commented out the DNS query rule is reported in the eve.log as

{"timestamp":"2013-11-26T16:07:58.893881+0000","flow_id":1541398387924126,"pcap_cnt":7,"event_type":"alert","src_ip":"10.180.156.141","src_port":49342,"dest_ip":"10.2.95.39","dest_port":53,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2,"rev":1,"signature":".com in DNS query","category":"","severity":3},"dns":{"query":[{"type":"query","id":24163,"rrname":"google.com","rrtype":"A","tx_id":0}]},"app_proto":"dns","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":306,"bytes_toclient":548,"start":"2013-11-26T16:07:58.892062+0000"}}

The expected behavior is that the DNS query should also be reported when the TSL rule is active.

The problem was found in suricata 6.0.1 on debian bullseye. It could also reproduced with the suricata self compiled from master-6.0.x branch.

The problem did not exist in suricata 4.1.2.


Files

tcpdns.pcap (2.31 KB) tcpdns.pcap Pcap contining tcp dns query of google.com Thorsten Zachmann, 10/18/2021 03:35 AM
test.rule (165 Bytes) test.rule Rules used Thorsten Zachmann, 10/18/2021 03:36 AM
suricata.info (3.9 KB) suricata.info Thorsten Zachmann, 10/18/2021 03:52 AM

Subtasks 1 (0 open1 closed)

Bug #6037: TCP DNS query not found when tls filter is active (6.0.x backport)ClosedJason IshActions

Related issues 2 (1 open1 closed)

Related to Suricata - Bug #5799: detect: sigs using DETECT_SM_LIST_PMATCH can break other signaturesClosedOISF DevActions
Related to Suricata - Feature #1983: tls: events are directionless and trigger twice per flow directionAssignedOISF DevActions
Actions #1

Updated by Philippe Antoine over 2 years ago

  • Assignee set to Jason Ish

Problem with unidirectional transactions cleaning as introduced by commit 60ebc27c4eb755800e6d3f4ec1a5d55a5230a214

AppLayerParserTransactionsCleanup may clean up unidirectional transactions that have been inspected in one direction, just not the relevant one. like detection has been run toclient for a dns query...

cf https://github.com/OISF/suricata/pull/7693

Actions #2

Updated by Jason Ish almost 2 years ago

  • Related to Bug #5799: detect: sigs using DETECT_SM_LIST_PMATCH can break other signatures added
Actions #3

Updated by Jason Ish almost 2 years ago

  • Status changed from New to In Progress
Actions #4

Updated by Jason Ish over 1 year ago

  • Status changed from In Progress to Closed
  • Target version set to 7.0.0-rc2
Actions #5

Updated by Jason Ish over 1 year ago

  • Label Needs backport to 6.0 added
Actions #6

Updated by Jason Ish over 1 year ago

  • Copied to Bug #6037: TCP DNS query not found when tls filter is active (6.0.x backport) added
Actions #7

Updated by Jason Ish over 1 year ago

  • Subtask #6037 added
Actions #8

Updated by Jason Ish over 1 year ago

  • Related to Feature #1983: tls: events are directionless and trigger twice per flow direction added
Actions

Also available in: Atom PDF