Bug #6037

closed

Bug #4759: TCP DNS query not found when tls filter is active

TCP DNS query not found when tls filter is active (6.0.x backport)

Added by Jason Ish over 1 year ago. Updated over 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

When using a TLS rule the DNS query rule is no longer reported.

Using the following ruleset:

alert tls any any -> any any (msg:"SSL Fingerprint"; sid:1; rev:1;)
alert dns any any -> any any (msg:".com in DNS query"; dns.query; content:".com"; sid:2; rev:1;)

The DNS query in the attached tcpdns.pcap is not reported to the eve.log.

If the rule with sid 1 is commented out, the DNS query rule is reported in the eve.log as

{"timestamp":"2013-11-26T16:07:58.893881+0000","flow_id":1541398387924126,"pcap_cnt":7,"event_type":"alert","src_ip":"10.180.156.141","src_port":49342,"dest_ip":"10.2.95.39","dest_port":53,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2,"rev":1,"signature":".com in DNS query","category":"","severity":3},"dns":{"query":[{"type":"query","id":24163,"rrname":"google.com","rrtype":"A","tx_id":0}]},"app_proto":"dns","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":306,"bytes_toclient":548,"start":"2013-11-26T16:07:58.892062+0000"}}

The expected behavior is that the DNS query should also be reported when the TLS rule is active.

The problem was found in Suricata 6.0.1 on Debian bullseye. It could also be reproduced with Suricata self-compiled from the master-6.0.x branch.

The problem did not exist in suricata 4.1.2.
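A regression check for the behavior described above, added here and not part of the report or of Suricata itself: it parses eve.json lines and lists every flow that logged a DNS query but never raised the expected DNS rule (sid 2), together with the sids that did fire on that flow. The EVE lines below are constructed samples, not the attached log.

```python
import json
from collections import defaultdict

# Constructed eve.json sample (not the attached log). The first flow is the good
# case: the sid 2 alert is present next to its dns event. The second flow shows
# the reported symptom: a DNS query was logged, but no sid 2 alert was raised.
SAMPLE_EVE = "\n".join([
    '{"flow_id":1541398387924126,"event_type":"alert","proto":"TCP","dest_port":53,'
    '"alert":{"signature_id":2,"signature":".com in DNS query"},"app_proto":"dns",'
    '"dns":{"query":[{"type":"query","rrname":"google.com","rrtype":"A"}]}}',
    '{"flow_id":1541398387924126,"event_type":"dns","proto":"TCP","dest_port":53,'
    '"dns":{"type":"query","rrname":"google.com","rrtype":"A"}}',
    '{"flow_id":9999000000000001,"event_type":"dns","proto":"TCP","dest_port":53,'
    '"dns":{"type":"query","rrname":"example.com","rrtype":"A"}}',
])


def missing_dns_alerts(eve_text, expected_sid=2):
    """Return {flow_id: (rrnames queried, sids that fired)} for every flow that
    logged a DNS query event but never raised an alert with expected_sid.

    Listing the sids that did fire lets a reviewer see whether some other rule
    matched the flow instead of the DNS rule.
    """
    queries = defaultdict(list)  # flow_id -> rrnames seen in dns query events
    fired = defaultdict(set)     # flow_id -> set of alert signature_ids
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        fid = ev.get("flow_id")
        if ev.get("event_type") == "alert":
            fired[fid].add(ev["alert"]["signature_id"])
        elif ev.get("event_type") == "dns" and ev.get("dns", {}).get("type") == "query":
            queries[fid].append(ev["dns"].get("rrname"))
    return {fid: (names, sorted(fired[fid]))
            for fid, names in queries.items() if expected_sid not in fired[fid]}


if __name__ == "__main__":
    # Run against a real log with: missing_dns_alerts(open("eve.json").read())
    for fid, (names, sids) in missing_dns_alerts(SAMPLE_EVE).items():
        print(f"flow {fid}: queried {names}, but only sids {sids} fired")
```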

Files

tcpdns.pcap (2.31 KB) tcpdns.pcap Pcap containing TCP DNS query of google.com Thorsten Zachmann, 10/18/2021 03:35 AM
test.rule (165 Bytes) test.rule Rules used Thorsten Zachmann, 10/18/2021 03:36 AM
suricata.info (3.9 KB) suricata.info Thorsten Zachmann, 10/18/2021 03:52 AM