Project

General

Profile

Actions
Copy link

Bug #6789

open

Dns remarks without showing dns name

Added by JP Pozzi 2 months ago. Updated 30 days ago.

Status:
Feedback
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Affected Versions:
7.0.3
Effort:
Difficulty:
Label:

Description

Hello,
While usinf Suricata 7.02 or 7.03 I found that some alerts are lacking info.
I find aone for the message :
ET POLICY Unusual number of DNS No Such Name Responses
The DNS name is not in the alert file ... it is ennoying.

Regards

JP P

Files

f6d1f89b09b6df9.pcap (81.4 KB) f6d1f89b09b6df9.pcap Brandon Murphy, 03/30/2024 06:02 AM
Actions
Copy link
 #1

Updated by Jason Ish 2 months ago

  • Status changed from New to Feedback

A PCAP will be required to investigate further. It looks like this rule could easily alert on data that is not DNS, in which case there wouldn't be any DNS information to log.

Actions
Copy link
 #2

Updated by JP Pozzi 2 months ago

Hello,
It was OK in the previous versions (6). One other rule does not display usable information :
"ET POLICY Credit Card Number Detected in Clear (16 digit spaced)"
The Json info in the alert file is null : {}, in previous version the display was meaningful.

Regards
JP P

Actions
Copy link
 #3

Updated by JP Pozzi 2 months ago

It is the sameproblem with the rule :
"ET DNS Excessive NXDOMAIN responses - Possible DNS Backscatter or Domain Generation Algorithm Lookups"
No information is in the json file.

Regards

JP P

Actions
Copy link
 #4

Updated by JP Pozzi about 2 months ago

  • Affected Versions 7.0.3 added

Hello,
Another message without any elements given in the alert file :
ET POLICY Credit Card Number Detected in Clear (16 digit spaced)
and no information in the eve alert file.

Regards
JP P

Actions
Copy link
 #5

Updated by JP Pozzi about 2 months ago

Hello,

The message :
"ET POLICY Credit Card Number Detected in Clear (16 digit spaced)" is not associated with any value in the eve file.

Regards
JP P

Actions
Copy link
 #6

Updated by JP Pozzi about 1 month ago

Hello,

All the small problems described here does not exist in the version 6,
not having enough information to understand an alert is like not receiving the alert.
It is possible to name it : regression.

Actions
Copy link
 #7

Updated by Brandon Murphy 30 days ago

A lot of the signatures mentioned here require a threshold.

however ET POLICY Credit Card Number Detected in Clear (16 digit spaced) AKA 2001375 does not so I thought that might be a good candidate to test with.

I was unable to replicate this issue. I tested with 6.0.0, 6.0.16, 7.0.0 and 7.0.4

7.0.4 alert output of the attached pcap
https://gist.github.com/zoomequipd/f6251494737b74dcbbf9f6ac8c9bed05

All of them appeared to have accurate information within the alert event type in the eve json.

@JP Pozzi would you be able to provide information to replicate your issue? A pcap, the suricata.yaml and the command line you are using to start suricata would be a good start.

Are you able to provide what exact version of 6.x you reference here

It was OK in the previous versions (6). One other rule does not display usable information

Actions
Copy link

Also available in: Atom PDF