Bug #5941

closed

DNS rules not matching when traffic is over tcp

Added by Giuseppe Longo over 1 year ago. Updated about 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

I've found out that when DNS traffic is over TCP and multiple DNS rules are loaded,
they don't match when they should.

The issue can be reproduced by running Suricata with the pcap from the 'suricata-verify/tests/dns-tcp-www-google-com/' directory
and the following rules:

alert dns any any -> any any (msg:"Test dns.query"; dns.query; content:"google"; sid:1;)
alert dns any any -> any any (msg:"Test dns.opcode"; dns.opcode:0; flow:to_client; sid:2;)

A few lines from Suricata:

Info: detect: 2 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 2 inspect application layer, 0 are decoder event only [SigAddressPrepareStage1:detect-engine-build.c:1480]
Config: detect: building signature grouping structure, stage 1: preprocessing rules... complete [SigAddressPrepareStage1:detect-engine-build.c:1486]
Info: pcap: pcap file /home/gl/git/suricata-verify/tests/dns-tcp-www-google-com/dns.pcap end of file reached (pcap err code 0) [PcapFileDispatch:source-pcap-file-helper.c:163]
Info: counters: Alerts: 0 [StatsLogSummary:counters.c:871]

If only one rule is loaded, there is a match:

- sid 1:

Info: detect: 1 rule files processed. 1 rules successfully loaded, 0 rules failed [SigLoadSignatures:detect-engine-loader.c:363]
Info: threshold-config: Threshold config parsed: 0 rule(s) found [SCThresholdConfParseFile:util-threshold-config.c:1112]
Info: detect: 1 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 1 inspect application layer, 0 are decoder event only [SigAddressPrepareStage1:detect-engine-build.c:1480]
Info: counters: Alerts: 1 [StatsLogSummary:counters.c:871]

> cat /tmp/eve.json | jq -c 'select(.event_type=="alert")' | jq .
{
  "timestamp": "2017-01-26T21:16:58.270740+0100",
  "flow_id": 828390012614559,
  "pcap_cnt": 7,
  "event_type": "alert",
  "src_ip": "10.16.1.11",
  "src_port": 38195,
  "dest_ip": "8.8.4.4",
  "dest_port": 53,
  "proto": "TCP",
  "pkt_src": "wire/pcap",
  "tx_id": 0,
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 1,
    "rev": 0,
    "signature": "Test dns.query",
    "category": "",
    "severity": 3
  },
  "dns": {
    "query": [
      {
        "type": "query",
        "id": 24440,
        "rrname": "www.google.com",
        "rrtype": "A",
        "tx_id": 0,
        "opcode": 0
      }
    ]
  },
  "app_proto": "dns",
  "direction": "to_server",
  "flow": {
    "pkts_toserver": 4,
    "pkts_toclient": 3,
    "bytes_toserver": 329,
    "bytes_toclient": 443,
    "start": "2017-01-26T21:16:58.192874+0100",
    "src_ip": "10.16.1.11",
    "dest_ip": "8.8.4.4",
    "src_port": 38195,
    "dest_port": 53
  }
}

- sid 2:

Info: detect: 1 rule files processed. 1 rules successfully loaded, 0 rules failed [SigLoadSignatures:detect-engine-loader.c:363]
Info: threshold-config: Threshold config parsed: 0 rule(s) found [SCThresholdConfParseFile:util-threshold-config.c:1112]
Info: detect: 1 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 1 inspect application layer, 0 are decoder event only [SigAddressPrepareStage1:detect-engine-build.c:1480]
Info: counters: Alerts: 1 [StatsLogSummary:counters.c:871]

> cat /tmp/eve.json | jq -c 'select(.event_type=="alert")' | jq .
{
  "timestamp": "2017-01-26T21:16:58.309447+0100",
  "flow_id": 828391467481599,
  "pcap_cnt": 9,
  "event_type": "alert",
  "src_ip": "8.8.4.4",
  "src_port": 53,
  "dest_ip": "10.16.1.11",
  "dest_port": 38195,
  "proto": "TCP",
  "pkt_src": "wire/pcap",
  "tx_id": 1,
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 2,
    "rev": 0,
    "signature": "Test dns.opcode",
    "category": "",
    "severity": 3
  },
  "dns": {
    "answer": {
      "version": 2,
      "type": "answer",
      "id": 24440,
      "flags": "8180",
      "qr": true,
      "rd": true,
      "ra": true,
      "opcode": 0,
      "rrname": "www.google.com",
      "rrtype": "A",
      "rcode": "NOERROR" 
    }
  },
  "app_proto": "dns",
  "direction": "to_client",
  "flow": {
    "pkts_toserver": 5,
    "pkts_toclient": 4,
    "bytes_toserver": 395,
    "bytes_toclient": 509,
    "start": "2017-01-26T21:16:58.192874+0100",
    "src_ip": "10.16.1.11",
    "dest_ip": "8.8.4.4",
    "src_port": 38195,
    "dest_port": 53
  }
}

When the traffic is over UDP, the rules work properly:

Info: detect: 1 rule files processed. 2 rules successfully loaded, 0 rules failed [SigLoadSignatures:detect-engine-loader.c:363]
Info: threshold-config: Threshold config parsed: 0 rule(s) found [SCThresholdConfParseFile:util-threshold-config.c:1112]
Info: detect: 2 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 2 inspect application layer, 0 are decoder event only [SigAddressPrepareStage1:detect-engine-build.c:1480]
Info: pcap: Starting file run for /home/gl/git/suricata-verify/tests/dns-opcode/dns-notify.pcap [ReceivePcapFileLoop:source-pcap-file.c:179]
Info: counters: Alerts: 2 [StatsLogSummary:counters.c:871]

> cat /tmp/eve.json | jq -c 'select(.event_type=="alert")'
{"timestamp":"2013-09-23T23:05:00.840155+0200","flow_id":1356640486569935,"pcap_cnt":1,"event_type":"alert","src_ip":"217.70.190.232","src_port":55612,"dest_ip":"204.62.14.153","dest_port":53,"proto":"UDP","pkt_src":"wire/pcap","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":1,"rev":0,"signature":"Test dns.query","category":"","severity":3},"dns":{"query":[{"type":"query","id":38504,"rrname":"bortzmeyer.42","rrtype":"SOA","tx_id":0,"opcode":4}]},"app_proto":"dns","direction":"to_server","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":165,"bytes_toclient":0,"start":"2013-09-23T23:05:00.840155+0200","src_ip":"217.70.190.232","dest_ip":"204.62.14.153","src_port":55612,"dest_port":53}}
{"timestamp":"2013-09-23T23:05:00.840411+0200","flow_id":1356640486569935,"pcap_cnt":2,"event_type":"alert","src_ip":"204.62.14.153","src_port":53,"dest_ip":"217.70.190.232","dest_port":55612,"proto":"UDP","pkt_src":"wire/pcap","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2,"rev":0,"signature":"Test dns.opcode","category":"","severity":3},"dns":{"answer":{"version":2,"type":"answer","id":38504,"flags":"a400","qr":true,"aa":true,"opcode":4,"rrname":"bortzmeyer.42","rrtype":"SOA","rcode":"NOERROR"}},"app_proto":"dns","direction":"to_client","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":165,"bytes_toclient":73,"start":"2013-09-23T23:05:00.840155+0200","src_ip":"217.70.190.232","dest_ip":"204.62.14.153","src_port":55612,"dest_port":53}}
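An added regression check (not part of this report or of Suricata) that re-evaluates the two rules above against eve.json "dns" records and lists the (tx_id, sid) alerts the engine should have raised but did not. The eve lines are constructed here, modelled on the TCP-run records in the report; the "direction" field on dns events and the rule semantics (dns.query as a substring match on the query name, dns.opcode checked only in the to_client direction) are assumptions.

```python
import json

# Constructed eve.json "dns" lines for the TCP flow in the report: one per
# transaction (tx 0 = query to_server, tx 1 = answer to_client). Field names
# and values are modelled on the alert records Suricata logged for that pcap.
DNS_EVENTS = [
    '{"event_type":"dns","proto":"TCP","direction":"to_server","dns":{"version":2,"type":"query","id":24440,"rrname":"www.google.com","rrtype":"A","tx_id":0,"opcode":0}}',
    '{"event_type":"dns","proto":"TCP","direction":"to_client","dns":{"version":2,"type":"answer","id":24440,"rrname":"www.google.com","rrtype":"A","tx_id":1,"opcode":0,"rcode":"NOERROR"}}',
]
# Constructed alert records reduced to the fields the check needs; they mirror
# the two alerts from the single-rule runs (sid 1 on tx 0, sid 2 on tx 1).
ALERTS_OK = [
    '{"event_type":"alert","proto":"TCP","tx_id":0,"direction":"to_server","alert":{"signature_id":1}}',
    '{"event_type":"alert","proto":"TCP","tx_id":1,"direction":"to_client","alert":{"signature_id":2}}',
]


def expected_sids(dns_event):
    """Re-evaluate the two rules from the report against one eve 'dns' record.
    sid 1: dns.query; content:"google"   -> the query name contains "google"
    sid 2: dns.opcode:0; flow:to_client  -> opcode 0 seen in the to_client direction
    Returns the set of sids that should alert on this transaction."""
    d = dns_event["dns"]
    sids = set()
    if d.get("type") == "query" and "google" in d.get("rrname", ""):
        sids.add(1)
    if d.get("opcode") == 0 and dns_event.get("direction") == "to_client":
        sids.add(2)
    return sids


def missing_alerts(eve_lines):
    """Compare the (tx_id, sid) pairs the rules should produce with the alert
    records actually logged; returns the sorted pairs the engine did not raise.
    tx_id is read from inside "dns" (v2 query logging) or from the top level."""
    expected, seen = set(), set()
    for line in eve_lines:
        rec = json.loads(line)
        if rec.get("event_type") == "dns":
            tx = rec["dns"].get("tx_id", rec.get("tx_id"))
            expected |= {(tx, sid) for sid in expected_sids(rec)}
        elif rec.get("event_type") == "alert":
            seen.add((rec["tx_id"], rec["alert"]["signature_id"]))
    return sorted(expected - seen)


if __name__ == "__main__":
    # The reported bug: both rules loaded, zero alerts logged over TCP.
    print("missing with no alerts:", missing_alerts(DNS_EVENTS))
    # Healthy run: every expected (tx_id, sid) pair has a matching alert.
    print("missing with alerts:", missing_alerts(DNS_EVENTS + ALERTS_OK))
```

Point the same check at a real eve.json (one JSON object per line) to confirm whether a fix for this bug restores both alerts on the dns-tcp-www-google-com pcap.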