Project

General

Profile

Actions

Bug #5444

closed

dns: allow dns messages with invalid opcodes

Added by Jason Ish over 2 years ago. Updated almost 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Current a DNS message won't be detected as DNS if the opcode is considered invalid (greater than 7). We should probably accept any opcode, and then use rules to alert on invalid opcodes.

Research: Will this detect too much non DNS as DNS?


Files

opcode8.pcap (522 Bytes) opcode8.pcap Jason Taylor, 07/19/2022 07:44 PM

Related issues 1 (0 open1 closed)

Related to Suricata - Bug #5550: dns: allow dns messages with invalid opcodes (6.0.x backport)ClosedJeff LucovskyActions
Actions #1

Updated by Jason Taylor over 2 years ago

just adding a sample udp dns query with opcode of 8 set. With the change discussed in this ticket, a signature such as 'alert dns any any -> any any (msg:"dns opcode 8"; dns.opcode:8; sid:123; rev:1;)' run against the attached pcap would alert.

Actions #2

Updated by Philippe Antoine over 2 years ago

To be noted : now that https://github.com/OISF/suricata/pull/7320 got merged, if a client sends junk to a DNS server, suricata will recognize the protocol as DNS (with app_proto_tc: failed)

Actions #3

Updated by Victor Julien over 2 years ago

  • Priority changed from Normal to High
  • Label Needs backport to 6.0 added
Actions #4

Updated by Victor Julien over 2 years ago

@Philippe Antoine are you saying that in master this issue is resolved (by the PR you mentioned)?

Actions #5

Updated by Philippe Antoine over 2 years ago

That depends on how you define the issue.

If a DNS server uses invalid opcodes, as in the attached pcap, this issue is not resolved.

Actions #6

Updated by Victor Julien about 2 years ago

  • Subtask #5550 added
Actions #7

Updated by Victor Julien about 2 years ago

  • Label deleted (Needs backport to 6.0)
Actions #8

Updated by Victor Julien about 2 years ago

  • Target version changed from 7.0.0-beta1 to 7.0.0-rc1
Actions #9

Updated by Jason Ish almost 2 years ago

  • Status changed from New to In Progress
Actions #10

Updated by Jason Ish almost 2 years ago

  • Status changed from In Progress to In Review
Actions #11

Updated by Philippe Antoine almost 2 years ago

This ticket looks strange to me... What is the use case ?

Actions #12

Updated by Jason Ish almost 2 years ago

Detect DNS with invalid opcodes. Currently if a DNS message has a bad opcode we don't detect it as DNS, even if it is.. Perhaps some DNS trickery.. We go blind to it. Bettern to parse it as DNS and provide the ability to detect invalid opcodes.

Actions #13

Updated by Jason Ish almost 2 years ago

  • Status changed from In Review to Resolved

Merged into master.

Actions #14

Updated by Victor Julien almost 2 years ago

  • Subtask deleted (#5550)
Actions #15

Updated by Victor Julien almost 2 years ago

  • Status changed from Resolved to Closed
Actions #16

Updated by Victor Julien over 1 year ago

  • Related to Bug #5550: dns: allow dns messages with invalid opcodes (6.0.x backport) added
Actions

Also available in: Atom PDF