Bug #5444
closed
dns: allow dns messages with invalid opcodes
Added by Jason Ish over 2 years ago.
Updated almost 2 years ago.
Description
Currently a DNS message won't be detected as DNS if the opcode is considered invalid (greater than 7). We should probably accept any opcode, and then use rules to alert on invalid opcodes.
Research: Will this detect too much non-DNS as DNS?
Files
Just adding a sample UDP DNS query with opcode 8 set. With the change discussed in this ticket, a signature such as 'alert dns any any -> any any (msg:"dns opcode 8"; dns.opcode:8; sid:123; rev:1;)' run against the attached pcap would alert.
- Priority changed from Normal to High
- Label Needs backport to 6.0 added
@Philippe Antoine are you saying that in master this issue is resolved (by the PR you mentioned)?
That depends on how you define the issue.
If a DNS server uses invalid opcodes, as in the attached pcap, this issue is not resolved.
- Label deleted (Needs backport to 6.0)
- Target version changed from 7.0.0-beta1 to 7.0.0-rc1
- Status changed from New to In Progress
- Status changed from In Progress to In Review
This ticket looks strange to me... What is the use case?
Detect DNS with invalid opcodes. Currently, if a DNS message has a bad opcode we don't detect it as DNS, even if it is. Perhaps some DNS trickery. We go blind to it. Better to parse it as DNS and provide the ability to detect invalid opcodes.
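The behaviour discussed in the description, the attached sample and the use-case reply above, as an added example that is not Suricata's DNS parser nor any code from this ticket: the script below builds a constructed UDP DNS query carrying opcode 8 (the same shape as the attached pcap), decodes the header, and contrasts the pre-change gate (opcode greater than 7 is "not DNS") with the proposed behaviour (accept any opcode) plus a check equivalent to the dns.opcode:8 keyword in the signature quoted above. It goes one step beyond the ticket by also walking the question name, the kind of structural check that addresses the "will this detect too much non-DNS as DNS?" question once the opcode gate is gone. All function names and the sample message are assumptions made for this illustration.

```python
import struct

# IANA DNS OpCodes (RFC 6895 registry): 0 QUERY, 1 IQUERY, 2 STATUS,
# 4 NOTIFY, 5 UPDATE, 6 DSO; 3 and 7-15 are unassigned. The field is only
# 4 bits wide, so an "invalid" opcode such as 8 still fits in the header.
ASSIGNED_OPCODES = {0, 1, 2, 4, 5, 6}


def build_query(txid, opcode, qname="example.com", qtype=1, qclass=1):
    """Constructed sample message: a UDP DNS query with an arbitrary opcode."""
    flags = ((opcode & 0xF) << 11) | 0x0100          # QR=0, OPCODE, RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = b"".join(bytes([len(label)]) + label.encode()
                        for label in qname.split("."))
    question += b"\x00" + struct.pack("!HH", qtype, qclass)
    return header + question


def parse_header(msg):
    """Decode the 12-byte DNS header; raises ValueError if truncated."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": flags >> 15,
        "opcode": (flags >> 11) & 0xF,
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def question_is_well_formed(msg):
    """Walk the first question's name (hypothetical sanity check): this is
    the sort of structural test that keeps non-DNS traffic out once the
    opcode gate is removed."""
    h = parse_header(msg)
    if h["qdcount"] < 1:
        return False
    pos = 12
    while True:
        if pos >= len(msg):
            return False
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        # Labels are at most 63 bytes; anything larger (incl. 0xC0 pointers,
        # which do not belong in a query name) is rejected.
        if length > 63 or pos + length > len(msg):
            return False
        pos += length
    return pos + 4 <= len(msg)                        # QTYPE + QCLASS present


def is_dns_strict(msg):
    """Pre-change behaviour described in the ticket: opcode > 7 is not DNS."""
    try:
        return parse_header(msg)["opcode"] <= 7 and question_is_well_formed(msg)
    except ValueError:
        return False


def is_dns_permissive(msg):
    """Proposed behaviour: accept any opcode, rely on message structure instead."""
    try:
        return question_is_well_formed(msg)
    except ValueError:
        return False


def rule_dns_opcode(msg, wanted):
    """Equivalent of the 'dns.opcode:8' keyword in the signature above."""
    return is_dns_permissive(msg) and parse_header(msg)["opcode"] == wanted


def alerts_for(msg):
    """Which of two illustrative rules fire: opcode 8, or any unassigned opcode."""
    fired = []
    if rule_dns_opcode(msg, 8):
        fired.append("dns opcode 8")
    if is_dns_permissive(msg) and parse_header(msg)["opcode"] not in ASSIGNED_OPCODES:
        fired.append("dns unassigned opcode")
    return fired


if __name__ == "__main__":
    sample = build_query(0x1234, 8)
    print(parse_header(sample))
    print("strict:", is_dns_strict(sample), "permissive:", is_dns_permissive(sample))
    print("alerts:", alerts_for(sample))
```

With the strict gate the opcode-8 query is simply not DNS and no DNS rule can see it; with the permissive parser it is parsed and the rule on the opcode fires. The second illustrative rule shows the ticket's suggestion in general form: flag anything outside the IANA-assigned opcode set, rather than hard-coding 8.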
- Status changed from In Review to Resolved
- Status changed from Resolved to Closed
- Related to Bug #5550: dns: allow dns messages with invalid opcodes (6.0.x backport) added