Bug #5444

open

dns: allow dns messages with invalid opcodes

Added by Jason Ish 2 months ago. Updated 5 days ago.

Status: New
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Currently, a DNS message won't be detected as DNS if the opcode is considered invalid (greater than 7). We should probably accept any opcode, and then use rules to alert on invalid opcodes.

Research: Will this detect too much non DNS as DNS?


Files

opcode8.pcap (522 Bytes) - Jason Taylor, 07/19/2022 07:44 PM

Subtasks: 1 (1 open, 0 closed)

Bug #5550: dns: allow dns messages with invalid opcodes (6.0.x) - Assigned - Jason Ish
Actions #1

Updated by Jason Taylor 2 months ago

Just adding a sample UDP DNS query with opcode of 8 set. With the change discussed in this ticket, a signature such as 'alert dns any any -> any any (msg:"dns opcode 8"; dns.opcode:8; sid:123; rev:1;)' run against the attached pcap would alert.
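
The following is an added example, not Suricata's own parser or the ticket's attachment: a minimal DNS header parser in Rust that makes the description and the comment above concrete. It builds a query with opcode 8 (analogous to the attached opcode8.pcap), shows the old probe rejecting any opcode above 7 so that no rule could ever see it, and shows the proposed behaviour of accepting any 4-bit opcode and letting a `dns.opcode:8` style match fire afterwards. The structural check kept in the accepting probe (header parses, and a request carries at least one question) is an assumption for this example, not Suricata's actual detection logic.

```rust
// Added example (not Suricata's own code): parse the fixed DNS header and
// compare "reject opcode > 7 at detection time" with "accept any opcode and
// match on it with a rule".

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct DnsHeader {
    pub id: u16,
    pub qr: bool,
    pub opcode: u8, // 4-bit field on the wire, so always 0..=15
    pub rcode: u8,
    pub qdcount: u16,
    pub ancount: u16,
    pub nscount: u16,
    pub arcount: u16,
}

fn be16(buf: &[u8], off: usize) -> u16 {
    u16::from_be_bytes([buf[off], buf[off + 1]])
}

/// Parse the 12-byte DNS header (RFC 1035 section 4.1.1).
/// Returns None when the buffer is too short to hold a header.
pub fn parse_header(buf: &[u8]) -> Option<DnsHeader> {
    if buf.len() < 12 {
        return None;
    }
    let flags = be16(buf, 2);
    Some(DnsHeader {
        id: be16(buf, 0),
        qr: flags & 0x8000 != 0,
        opcode: ((flags >> 11) & 0x0f) as u8,
        rcode: (flags & 0x000f) as u8,
        qdcount: be16(buf, 4),
        ancount: be16(buf, 6),
        nscount: be16(buf, 8),
        arcount: be16(buf, 10),
    })
}

/// Old behaviour described in the ticket: opcode > 7 means "not DNS",
/// so the message never reaches the rule engine.
pub fn probe_rejecting_high_opcodes(buf: &[u8]) -> bool {
    match parse_header(buf) {
        Some(h) => h.opcode <= 7,
        None => false,
    }
}

/// Proposed behaviour: accept any opcode at detection time. The remaining
/// sanity check (a request must carry a question) is an assumption made
/// for this example, not Suricata's real probe.
pub fn probe_accepting_any_opcode(buf: &[u8]) -> bool {
    match parse_header(buf) {
        Some(h) => h.qr || h.qdcount > 0,
        None => false,
    }
}

/// Equivalent of a `dns.opcode:<n>` match once the message is accepted.
pub fn opcode_matches(buf: &[u8], wanted: u8) -> bool {
    parse_header(buf).map_or(false, |h| h.opcode == wanted)
}

/// Build a constructed A/IN query for `name` with the given opcode and id.
/// Labels are written in wire format without compression.
pub fn build_query(id: u16, opcode: u8, name: &str) -> Vec<u8> {
    assert!(opcode <= 15, "opcode is a 4-bit field");
    let flags: u16 = ((opcode as u16) << 11) | 0x0100; // QR=0, RD=1
    let mut msg = Vec::with_capacity(32);
    msg.extend_from_slice(&id.to_be_bytes());
    msg.extend_from_slice(&flags.to_be_bytes());
    msg.extend_from_slice(&1u16.to_be_bytes()); // QDCOUNT = 1
    msg.extend_from_slice(&[0, 0, 0, 0, 0, 0]); // AN/NS/ARCOUNT = 0
    for label in name.trim_end_matches('.').split('.') {
        msg.push(label.len() as u8);
        msg.extend_from_slice(label.as_bytes());
    }
    msg.push(0); // root label terminates the name
    msg.extend_from_slice(&1u16.to_be_bytes()); // QTYPE A
    msg.extend_from_slice(&1u16.to_be_bytes()); // QCLASS IN
    msg
}

fn main() {
    // Constructed inputs: a normal query and one with opcode 8.
    let normal = build_query(0x1234, 0, "example.com");
    let op8 = build_query(0x1234, 8, "example.com");
    for (label, msg) in [("opcode 0", &normal), ("opcode 8", &op8)] {
        println!(
            "{}: old probe={} new probe={} dns.opcode:8 matches={}",
            label,
            probe_rejecting_high_opcodes(msg),
            probe_accepting_any_opcode(msg),
            opcode_matches(msg, 8)
        );
    }
}
```

Because the opcode is a 4-bit field, "any opcode" means 0 through 15; the accepting probe therefore cannot be fooled by the opcode value alone, which is why the research question in the description (whether more non-DNS traffic is now classified as DNS) rests on whatever other header and question checks the probe keeps.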

Actions #2

Updated by Philippe Antoine 2 months ago

To be noted: now that https://github.com/OISF/suricata/pull/7320 got merged, if a client sends junk to a DNS server, Suricata will recognize the protocol as DNS (with app_proto_tc: failed).

Actions #3

Updated by Victor Julien about 2 months ago

  • Priority changed from Normal to High
  • Label Needs backport to 6.0 added
Actions #4

Updated by Victor Julien about 2 months ago

@Philippe Antoine are you saying that in master this issue is resolved (by the PR you mentioned)?

Actions #5

Updated by Philippe Antoine about 2 months ago

That depends on how you define the issue.

If a DNS server uses invalid opcodes, as in the attached pcap, this issue is not resolved.

Actions #6

Updated by Victor Julien 5 days ago

  • Subtask #5550 added
Actions #7

Updated by Victor Julien 5 days ago

  • Label deleted (Needs backport to 6.0)