Bug #5444
dns: allow dns messages with invalid opcodes
Status: Closed
Added by Jason Ish almost 4 years ago. Updated about 3 years ago.
Description
Currently a DNS message won't be detected as DNS if the opcode is considered invalid (greater than 7). We should probably accept any opcode, and then use rules to alert on invalid opcodes.
Research: Will this detect too much non-DNS as DNS?
Files
| opcode8.pcap (522 Bytes) | Jason Taylor, 07/19/2022 07:44 PM |
#1 Updated by Jason Taylor almost 4 years ago
- File opcode8.pcap opcode8.pcap added
Just adding a sample UDP DNS query with opcode of 8 set. With the change discussed in this ticket, a signature such as 'alert dns any any -> any any (msg:"dns opcode 8"; dns.opcode:8; sid:123; rev:1;)' run against the attached pcap would alert.
#2 Updated by Philippe Antoine almost 4 years ago
To be noted: now that https://github.com/OISF/suricata/pull/7320 got merged, if a client sends junk to a DNS server, Suricata will recognize the protocol as DNS (with app_proto_tc: failed).
#3 Updated by Victor Julien almost 4 years ago
- Priority changed from Normal to High
- Label Needs backport to 6.0 added
#4 Updated by Victor Julien almost 4 years ago
@Philippe Antoine are you saying that in master this issue is resolved (by the PR you mentioned)?
#5 Updated by Philippe Antoine almost 4 years ago
That depends on how you define the issue.
If a DNS server uses invalid opcodes, as in the attached pcap, this issue is not resolved.
#6 Updated by Victor Julien over 3 years ago
- Subtask #5550 added
#7 Updated by Victor Julien over 3 years ago
- Label deleted (Needs backport to 6.0)
#8 Updated by Victor Julien over 3 years ago
- Target version changed from 7.0.0-beta1 to 7.0.0-rc1
#9 Updated by Jason Ish over 3 years ago
- Status changed from New to In Progress
#10 Updated by Jason Ish over 3 years ago
- Status changed from In Progress to In Review
#11 Updated by Philippe Antoine over 3 years ago
This ticket looks strange to me... What is the use case?
#12 Updated by Jason Ish over 3 years ago
Detect DNS with invalid opcodes. Currently, if a DNS message has a bad opcode we don't detect it as DNS, even if it is. Perhaps some DNS trickery. We go blind to it. Better to parse it as DNS and provide the ability to detect invalid opcodes.
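To illustrate the behaviour change discussed in comments #1 and #12, here is a small added example (not Suricata's own DNS parser): it decodes the fixed 12-byte DNS header, rejects opcodes above 7 when run in the old strict mode, and in the new mode exposes the opcode so a check equivalent to the `dns.opcode:8` rule above can match. The opcode-8 query bytes are hand-constructed here as a stand-in for the attached opcode8.pcap, whose exact contents are not on this page.

```rust
/// Minimal DNS header view used by this example (constructed, not Suricata's type).
#[derive(Debug, PartialEq)]
pub struct DnsHeader {
    pub id: u16,
    pub is_response: bool,
    pub opcode: u8,
    pub qdcount: u16,
}

/// Parse the fixed 12-byte DNS header (RFC 1035 section 4.1.1).
/// `accept_any_opcode` models the change discussed in the ticket: when false
/// (old behaviour) an opcode > 7 makes the message "not DNS" and nothing is
/// returned; when true the message is parsed and the opcode is exposed so a
/// rule can alert on it.
pub fn parse_header(buf: &[u8], accept_any_opcode: bool) -> Option<DnsHeader> {
    if buf.len() < 12 {
        return None; // too short to hold a header at all
    }
    let flags = u16::from_be_bytes([buf[2], buf[3]]);
    // OPCODE is the 4-bit field just below the QR bit: bits 11..14 of the flags word.
    let opcode = ((flags >> 11) & 0x0f) as u8;
    if !accept_any_opcode && opcode > 7 {
        return None; // old behaviour: invalid opcode means "not DNS", and we go blind
    }
    Some(DnsHeader {
        id: u16::from_be_bytes([buf[0], buf[1]]),
        is_response: flags & 0x8000 != 0,
        opcode,
        qdcount: u16::from_be_bytes([buf[4], buf[5]]),
    })
}

/// Models a `dns.opcode:<n>` rule keyword applied to a parsed header.
pub fn rule_opcode_matches(hdr: &DnsHeader, wanted: u8) -> bool {
    hdr.opcode == wanted
}

/// Constructed sample (hypothetical, not the attached pcap): a query with
/// id 0x1234, opcode 8, RD set, one question for "a." type A class IN.
/// Flags word = (8 << 11) | 0x0100 = 0x4100.
pub fn sample_opcode8_query() -> Vec<u8> {
    let mut v = vec![0x12, 0x34, 0x41, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0];
    v.extend_from_slice(&[1, b'a', 0, 0x00, 0x01, 0x00, 0x01]);
    v
}

fn main() {
    let pkt = sample_opcode8_query();
    println!("strict (old):   {:?}", parse_header(&pkt, false)); // None
    println!("lenient (new):  {:?}", parse_header(&pkt, true));  // Some(.. opcode: 8 ..)
}
```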
#13 Updated by Jason Ish over 3 years ago
- Status changed from In Review to Resolved
Merged into master.
#14 Updated by Victor Julien about 3 years ago
- Subtask deleted (#5550)
#15 Updated by Victor Julien about 3 years ago
- Status changed from Resolved to Closed
#16 Updated by Victor Julien almost 3 years ago
- Related to Bug #5550: dns: allow dns messages with invalid opcodes (6.0.x backport) added