Actions
Bug #4759
closedTCP DNS query not found when tls filter is active
Affected Versions:
Effort:
Difficulty:
Label:
Needs backport to 6.0
Description
When using a TLS rule the DNS query rule is no longer reported.
Using the following ruleset:
alert tls any any -> any any (msg:"SSL Fingerprint"; sid:1; rev:1;) alert dns any any -> any any (msg:".com in DNS query"; dns.query; content:".com"; sid:2; rev:1;)
The DNS query in the attached tcpdns.pcap is not reported to the eve.log.
If the rule with the sid 1 is commented out the DNS query rule is reported in the eve.log as
{"timestamp":"2013-11-26T16:07:58.893881+0000","flow_id":1541398387924126,"pcap_cnt":7,"event_type":"alert","src_ip":"10.180.156.141","src_port":49342,"dest_ip":"10.2.95.39","dest_port":53,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2,"rev":1,"signature":".com in DNS query","category":"","severity":3},"dns":{"query":[{"type":"query","id":24163,"rrname":"google.com","rrtype":"A","tx_id":0}]},"app_proto":"dns","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":306,"bytes_toclient":548,"start":"2013-11-26T16:07:58.892062+0000"}}
The expected behavior is that the DNS query should also be reported when the TSL rule is active.
The problem was found in suricata 6.0.1 on debian bullseye. It could also reproduced with the suricata self compiled from master-6.0.x branch.
The problem did not exist in suricata 4.1.2.
Files
Actions