Bug #4759
closedTCP DNS query not found when tls filter is active
Description
When using a TLS rule the DNS query rule is no longer reported.
Using the following ruleset:
alert tls any any -> any any (msg:"SSL Fingerprint"; sid:1; rev:1;) alert dns any any -> any any (msg:".com in DNS query"; dns.query; content:".com"; sid:2; rev:1;)
The DNS query in the attached tcpdns.pcap is not reported to the eve.log.
If the rule with the sid 1 is commented out the DNS query rule is reported in the eve.log as
{"timestamp":"2013-11-26T16:07:58.893881+0000","flow_id":1541398387924126,"pcap_cnt":7,"event_type":"alert","src_ip":"10.180.156.141","src_port":49342,"dest_ip":"10.2.95.39","dest_port":53,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2,"rev":1,"signature":".com in DNS query","category":"","severity":3},"dns":{"query":[{"type":"query","id":24163,"rrname":"google.com","rrtype":"A","tx_id":0}]},"app_proto":"dns","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":306,"bytes_toclient":548,"start":"2013-11-26T16:07:58.892062+0000"}}
The expected behavior is that the DNS query should also be reported when the TSL rule is active.
The problem was found in suricata 6.0.1 on debian bullseye. It could also reproduced with the suricata self compiled from master-6.0.x branch.
The problem did not exist in suricata 4.1.2.
Files
Updated by Philippe Antoine over 2 years ago
- Assignee set to Jason Ish
Problem with unidirectional transactions cleaning as introduced by commit 60ebc27c4eb755800e6d3f4ec1a5d55a5230a214
AppLayerParserTransactionsCleanup
may clean up unidirectional transactions that have been inspected in one direction, just not the relevant one. like detection has been run toclient for a dns query...
Updated by Jason Ish almost 2 years ago
- Related to Bug #5799: detect: sigs using DETECT_SM_LIST_PMATCH can break other signatures added
Updated by Jason Ish almost 2 years ago
- Status changed from New to In Progress
Updated by Jason Ish over 1 year ago
- Status changed from In Progress to Closed
- Target version set to 7.0.0-rc2
Updated by Jason Ish over 1 year ago
- Copied to Bug #6037: TCP DNS query not found when tls filter is active (6.0.x backport) added
Updated by Jason Ish over 1 year ago
- Related to Feature #1983: tls: events are directionless and trigger twice per flow direction added