Bug #5941

closed

DNS rules not matching when traffic is over tcp

Added by Giuseppe Longo about 1 year ago. Updated 5 months ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

I've found out that when DNS traffic is over TCP and multiple DNS rules are loaded,
they don't match when they should.

The issue can be reproduced by running suricata with the pcap from the 'suricata-verify/tests/dns-tcp-www-google-com/' directory
and the following rules:

alert dns any any -> any any (msg:"Test dns.query"; dns.query; content:"google"; sid:1;)
alert dns any any -> any any (msg:"Test dns.opcode"; dns.opcode:0; flow:to_client; sid:2;)

A few lines from suricata:

Info: detect: 2 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 2 inspect application layer, 0 are decoder event only [SigAddressPrepareStage1:detect-engine-build.c:1480]
Config: detect: building signature grouping structure, stage 1: preprocessing rules... complete [SigAddressPrepareStage1:detect-engine-build.c:1486]
Info: pcap: pcap file /home/gl/git/suricata-verify/tests/dns-tcp-www-google-com/dns.pcap end of file reached (pcap err code 0) [PcapFileDispatch:source-pcap-file-helper.c:163]
Info: counters: Alerts: 0 [StatsLogSummary:counters.c:871]

If only one rule is loaded, there is a match:

- sid 1:

Info: detect: 1 rule files processed. 1 rules successfully loaded, 0 rules failed [SigLoadSignatures:detect-engine-loader.c:363]
Info: threshold-config: Threshold config parsed: 0 rule(s) found [SCThresholdConfParseFile:util-threshold-config.c:1112]
Info: detect: 1 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 1 inspect application layer, 0 are decoder event only [SigAddressPrepareStage1:detect-engine-build.c:1480]
Info: counters: Alerts: 1 [StatsLogSummary:counters.c:871]

> cat /tmp/eve.json | jq -c 'select(.event_type=="alert")' | jq .
{
  "timestamp": "2017-01-26T21:16:58.270740+0100",
  "flow_id": 828390012614559,
  "pcap_cnt": 7,
  "event_type": "alert",
  "src_ip": "10.16.1.11",
  "src_port": 38195,
  "dest_ip": "8.8.4.4",
  "dest_port": 53,
  "proto": "TCP",
  "pkt_src": "wire/pcap",
  "tx_id": 0,
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 1,
    "rev": 0,
    "signature": "Test dns.query",
    "category": "",
    "severity": 3
  },
  "dns": {
    "query": [
      {
        "type": "query",
        "id": 24440,
        "rrname": "www.google.com",
        "rrtype": "A",
        "tx_id": 0,
        "opcode": 0
      }
    ]
  },
  "app_proto": "dns",
  "direction": "to_server",
  "flow": {
    "pkts_toserver": 4,
    "pkts_toclient": 3,
    "bytes_toserver": 329,
    "bytes_toclient": 443,
    "start": "2017-01-26T21:16:58.192874+0100",
    "src_ip": "10.16.1.11",
    "dest_ip": "8.8.4.4",
    "src_port": 38195,
    "dest_port": 53
  }
}

- sid 2:

Info: detect: 1 rule files processed. 1 rules successfully loaded, 0 rules failed [SigLoadSignatures:detect-engine-loader.c:363]
Info: threshold-config: Threshold config parsed: 0 rule(s) found [SCThresholdConfParseFile:util-threshold-config.c:1112]
Info: detect: 1 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 1 inspect application layer, 0 are decoder event only [SigAddressPrepareStage1:detect-engine-build.c:1480]
Info: counters: Alerts: 1 [StatsLogSummary:counters.c:871]

> cat /tmp/eve.json | jq -c 'select(.event_type=="alert")' | jq .
{
  "timestamp": "2017-01-26T21:16:58.309447+0100",
  "flow_id": 828391467481599,
  "pcap_cnt": 9,
  "event_type": "alert",
  "src_ip": "8.8.4.4",
  "src_port": 53,
  "dest_ip": "10.16.1.11",
  "dest_port": 38195,
  "proto": "TCP",
  "pkt_src": "wire/pcap",
  "tx_id": 1,
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 2,
    "rev": 0,
    "signature": "Test dns.opcode",
    "category": "",
    "severity": 3
  },
  "dns": {
    "answer": {
      "version": 2,
      "type": "answer",
      "id": 24440,
      "flags": "8180",
      "qr": true,
      "rd": true,
      "ra": true,
      "opcode": 0,
      "rrname": "www.google.com",
      "rrtype": "A",
      "rcode": "NOERROR"
    }
  },
  "app_proto": "dns",
  "direction": "to_client",
  "flow": {
    "pkts_toserver": 5,
    "pkts_toclient": 4,
    "bytes_toserver": 395,
    "bytes_toclient": 509,
    "start": "2017-01-26T21:16:58.192874+0100",
    "src_ip": "10.16.1.11",
    "dest_ip": "8.8.4.4",
    "src_port": 38195,
    "dest_port": 53
  }
}

When the traffic is over UDP, the rules work properly:

Info: detect: 1 rule files processed. 2 rules successfully loaded, 0 rules failed [SigLoadSignatures:detect-engine-loader.c:363]
Info: threshold-config: Threshold config parsed: 0 rule(s) found [SCThresholdConfParseFile:util-threshold-config.c:1112]
Info: detect: 2 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 2 inspect application layer, 0 are decoder event only [SigAddressPrepareStage1:detect-engine-build.c:1480]
Info: pcap: Starting file run for /home/gl/git/suricata-verify/tests/dns-opcode/dns-notify.pcap [ReceivePcapFileLoop:source-pcap-file.c:179]
Info: counters: Alerts: 2 [StatsLogSummary:counters.c:871]

> cat /tmp/eve.json | jq -c 'select(.event_type=="alert")'
{"timestamp":"2013-09-23T23:05:00.840155+0200","flow_id":1356640486569935,"pcap_cnt":1,"event_type":"alert","src_ip":"217.70.190.232","src_port":55612,"dest_ip":"204.62.14.153","dest_port":53,"proto":"UDP","pkt_src":"wire/pcap","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":1,"rev":0,"signature":"Test dns.query","category":"","severity":3},"dns":{"query":[{"type":"query","id":38504,"rrname":"bortzmeyer.42","rrtype":"SOA","tx_id":0,"opcode":4}]},"app_proto":"dns","direction":"to_server","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":165,"bytes_toclient":0,"start":"2013-09-23T23:05:00.840155+0200","src_ip":"217.70.190.232","dest_ip":"204.62.14.153","src_port":55612,"dest_port":53}}
{"timestamp":"2013-09-23T23:05:00.840411+0200","flow_id":1356640486569935,"pcap_cnt":2,"event_type":"alert","src_ip":"204.62.14.153","src_port":53,"dest_ip":"217.70.190.232","dest_port":55612,"proto":"UDP","pkt_src":"wire/pcap","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2,"rev":0,"signature":"Test dns.opcode","category":"","severity":3},"dns":{"answer":{"version":2,"type":"answer","id":38504,"flags":"a400","qr":true,"aa":true,"opcode":4,"rrname":"bortzmeyer.42","rrtype":"SOA","rcode":"NOERROR"}},"app_proto":"dns","direction":"to_client","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":165,"bytes_toclient":73,"start":"2013-09-23T23:05:00.840155+0200","src_ip":"217.70.190.232","dest_ip":"204.62.14.153","src_port":55612,"dest_port":53}}
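One way to turn the reproduction above into an automated check, as an added example that is not part of this ticket, of Suricata or of suricata-verify: the script below reads EVE JSON lines, keeps the alert events, and reports which of the two test sids did not fire on a given transport protocol with the direction the rules require (sid 1 on the to_server query naming "google", sid 2 on the to_client answer with opcode 0). The embedded EVE lines are constructed, trimmed-down versions of the records in this ticket, not real Suricata output; the function names are this example's own.

```python
"""Regression check for the multi-rule DNS-over-TCP case described in the ticket.

Feed it the lines of an eve.json and the transport protocol of the pcap; an
empty result means every expected rule alerted as it should.
"""
import json
from collections import defaultdict

# Constructed, trimmed-down EVE records mirroring the ticket's runs (not real output).
# GOOD: both rules alert on the TCP DNS flow (sid 1 on the query, sid 2 on the answer).
GOOD_TCP_EVE = [
    '{"event_type":"dns","proto":"TCP","direction":"to_server","dns":{"type":"query","rrname":"www.google.com"}}',
    '{"event_type":"alert","proto":"TCP","direction":"to_server","alert":{"signature_id":1,"signature":"Test dns.query"},"dns":{"query":[{"rrname":"www.google.com","opcode":0}]}}',
    '{"event_type":"alert","proto":"TCP","direction":"to_client","alert":{"signature_id":2,"signature":"Test dns.opcode"},"dns":{"answer":{"opcode":0,"rrname":"www.google.com"}}}',
    'this line is not JSON and must be skipped',
]
# BUGGY: the failure mode from the ticket, DNS events logged but no alert events at all.
BUGGY_TCP_EVE = [
    '{"event_type":"dns","proto":"TCP","direction":"to_server","dns":{"type":"query","rrname":"www.google.com"}}',
    '{"event_type":"dns","proto":"TCP","direction":"to_client","dns":{"type":"answer","opcode":0}}',
]


def _query_has_google(ev):
    """Mirror of sid 1: some logged query name contains "google"."""
    return any("google" in q.get("rrname", "") for q in ev.get("dns", {}).get("query", []))


def _answer_opcode_zero(ev):
    """Mirror of sid 2: the logged answer carries opcode 0."""
    return ev.get("dns", {}).get("answer", {}).get("opcode") == 0


# sid -> (direction the rule's flow keyword implies, predicate on the alert's dns object)
EXPECTED = {
    1: ("to_server", _query_has_google),
    2: ("to_client", _answer_opcode_zero),
}


def alerts_by_sid(eve_lines):
    """Group alert events by signature_id; blank, malformed and non-alert lines are skipped."""
    by_sid = defaultdict(list)
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("event_type") != "alert":
            continue
        sid = ev.get("alert", {}).get("signature_id")
        if sid is not None:
            by_sid[sid].append(ev)
    return by_sid


def missing_alerts(eve_lines, proto, expected=EXPECTED):
    """Return the sids that produced no alert on `proto` in the expected direction
    whose dns object satisfies the rule's predicate. Empty list == rules matched."""
    by_sid = alerts_by_sid(eve_lines)
    missing = []
    for sid, (direction, predicate) in expected.items():
        hits = [
            ev for ev in by_sid.get(sid, [])
            if ev.get("proto") == proto
            and ev.get("direction") == direction
            and predicate(ev)
        ]
        if not hits:
            missing.append(sid)
    return missing


if __name__ == "__main__":
    import sys
    # Usage: python check_dns_alerts.py TCP < eve.json   (defaults to the constructed samples)
    proto = sys.argv[1] if len(sys.argv) > 1 else "TCP"
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else GOOD_TCP_EVE
    missing = missing_alerts(lines, proto)
    print("OK: all expected sids alerted" if not missing else f"MISSING alerts for sids: {missing}")
```

Run against the eve.json of a suricata-verify run, the script only sees alert events if the eve-log `types:` list in that test's suricata.yaml includes `alert`; with only `dns` enabled the result is indistinguishable from the bug, which is why the check looks at alert records rather than at the `Alerts:` counter line alone.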
Actions #1

Updated by Philippe Antoine 5 months ago

  • Status changed from New to Closed

With this update to suricata.yaml for the S-V test dns-tcp-www-google-com:

diff --git a/tests/dns-tcp-www-google-com/suricata.yaml b/tests/dns-tcp-www-google-com/suricata.yaml
index 6bc3c0de..889d62ed 100644
--- a/tests/dns-tcp-www-google-com/suricata.yaml
+++ b/tests/dns-tcp-www-google-com/suricata.yaml
@@ -9,4 +9,5 @@ outputs:
   - eve-log:
       enabled: yes
       types:
+        - alert
         - dns:
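Review bot: the new `- alert` item is inserted ahead of `- dns:`, whose nested settings fall outside the shown context; confirm that those following lines remain indented under `- dns:` (8-space dash) rather than being picked up by the new sibling entry, and consider a one-line comment in the test's suricata.yaml stating that alert output is enabled so the check file can assert on sids 1 and 2.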

and adding this test.rules:

alert dns any any -> any any (msg:"Test dns.query"; dns.query; content:"google"; sid:1;)
alert dns any any -> any any (msg:"Test dns.opcode"; dns.opcode:0; flow:to_client; sid:2;)

I get the alerts as expected with the latest suricata master commit c8a7204b159553d338a6294218e696a72efdb4db:

jq .alert output/eve.json | more
null
{
  "action": "allowed",
  "gid": 1,
  "signature_id": 1,
  "rev": 0,
  "signature": "Test dns.query",
  "category": "",
  "severity": 3
}
null
{
  "action": "allowed",
  "gid": 1,
  "signature_id": 2,
  "rev": 0,
  "signature": "Test dns.opcode",
  "category": "",
  "severity": 3
}

Actions #2

Updated by Philippe Antoine 5 months ago

@Giuseppe Longo let me know if you still encounter a bug here

Actions #3

Updated by Brandon Murphy 5 months ago

FWIW, I could replicate this in 6.0.0 but not 6.0.13. I'm not sure where it got resolved in the 6.x branch, but it appears to have been resolved.

I could not replicate it on any 7.0.0 or 7.0.3-dev.

EDIT: Looks like it was resolved in 6.0.11; here are the tickets resolved in 6.0.11: https://redmine.openinfosecfoundation.org/versions/187
