Bug #5444: dns: allow dns messages with invalid opcodes

Added by Jason Ish over 3 years ago. Updated about 3 years ago.

Status: Closed
Priority: Normal

Description

Currently, a DNS message won't be detected as DNS if the opcode is considered invalid (greater than 7). We should probably accept any opcode, and then use rules to alert on invalid opcodes.

Research: Will this detect too much non DNS as DNS?

Files

opcode8.pcap (522 Bytes), Jason Taylor, 07/19/2022 07:44 PM

Related issues: 1 (0 open, 1 closed)

Related to Suricata - Bug #5550: dns: allow dns messages with invalid opcodes (6.0.x backport) (Closed, Jeff Lucovsky)

#1 Updated by Jason Taylor over 3 years ago

Just adding a sample UDP DNS query with opcode 8 set. With the change discussed in this ticket, a signature such as 'alert dns any any -> any any (msg:"dns opcode 8"; dns.opcode:8; sid:123; rev:1;)' run against the attached pcap would alert.
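To make the ticket's change concrete, the following is an added Python example (not Suricata's code): it builds a constructed UDP DNS query with opcode 8, like the attached pcap, decodes the opcode from the header flags word, models the "before" check from the description (opcode > 7 means not DNS) beside the "after" behaviour (accept any opcode, leave invalid ones to rules), and emulates the dns.opcode:8 condition from the signature above. The probe functions are simplified models written for this example, not Suricata's actual detection logic.

```python
import struct

# Constructed sample: build a minimal UDP DNS query payload (12-byte header +
# one question for <qname>, type A, class IN). opcode=8 mirrors the attached
# opcode8.pcap, but the bytes are generated here so the example runs offline.
def build_query(txid: int, opcode: int, qname: str = "example.com") -> bytes:
    flags = ((opcode & 0xF) << 11) | 0x0100          # QR=0, OPCODE, RD=1
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN

def parse_header(payload: bytes) -> dict:
    """Decode the fixed 12-byte DNS header (RFC 1035, section 4.1.1)."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", payload[:12])
    return {
        "id": txid,
        "qr": flags >> 15,
        "opcode": (flags >> 11) & 0xF,   # the 4 OPCODE bits of the flags word
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def probe_before(payload: bytes) -> bool:
    """Simplified model of the old behaviour: opcode > 7 means 'not DNS'."""
    try:
        return parse_header(payload)["opcode"] <= 7
    except ValueError:
        return False

def probe_after(payload: bytes) -> bool:
    """Simplified model of the change: any opcode still parses as DNS."""
    try:
        parse_header(payload)
        return True
    except ValueError:
        return False

def dns_opcode_matches(payload: bytes, wanted: int) -> bool:
    """Emulate a 'dns.opcode:<n>' rule condition on a message accepted as DNS."""
    return probe_after(payload) and parse_header(payload)["opcode"] == wanted

def has_invalid_opcode(payload: bytes) -> bool:
    """Detection helper: flag DNS messages whose opcode is above 7."""
    return probe_after(payload) and parse_header(payload)["opcode"] > 7
```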

#2 Updated by Philippe Antoine over 3 years ago

To be noted: now that https://github.com/OISF/suricata/pull/7320 got merged, if a client sends junk to a DNS server, Suricata will recognize the protocol as DNS (with app_proto_tc: failed).

#3 Updated by Victor Julien over 3 years ago

  • Priority changed from Normal to High
  • Label Needs backport to 6.0 added

#4 Updated by Victor Julien over 3 years ago

@Philippe Antoine are you saying that in master this issue is resolved (by the PR you mentioned)?

#5 Updated by Philippe Antoine over 3 years ago

That depends on how you define the issue.

If a DNS server uses invalid opcodes, as in the attached pcap, this issue is not resolved.

#6 Updated by Victor Julien over 3 years ago

  • Subtask #5550 added

#7 Updated by Victor Julien over 3 years ago

  • Label deleted (Needs backport to 6.0)

#8 Updated by Victor Julien over 3 years ago

  • Target version changed from 7.0.0-beta1 to 7.0.0-rc1

#9 Updated by Jason Ish over 3 years ago

  • Status changed from New to In Progress

#10 Updated by Jason Ish over 3 years ago

  • Status changed from In Progress to In Review

#11 Updated by Philippe Antoine about 3 years ago

This ticket looks strange to me... What is the use case?

#12 Updated by Jason Ish about 3 years ago

Detect DNS with invalid opcodes. Currently, if a DNS message has a bad opcode we don't detect it as DNS, even if it is. Perhaps some DNS trickery. We go blind to it. Better to parse it as DNS and provide the ability to detect invalid opcodes.

#13 Updated by Jason Ish about 3 years ago

  • Status changed from In Review to Resolved

Merged into master.

#14 Updated by Victor Julien about 3 years ago

  • Subtask deleted (#5550)

#15 Updated by Victor Julien about 3 years ago

  • Status changed from Resolved to Closed

#16 Updated by Victor Julien almost 3 years ago

  • Related to Bug #5550: dns: allow dns messages with invalid opcodes (6.0.x backport) added