Bug #6789
openDns remarks without showing dns name
Description
Hello,
While using Suricata 7.02 or 7.03 I found that some alerts are lacking info.
I found one for the message:
ET POLICY Unusual number of DNS No Such Name Responses
The DNS name is not in the alert file ... it is annoying.
Regards
JP P
Files
Updated by JP Pozzi 10 months ago
Hello,
It was OK in the previous versions (6). One other rule does not display usable information:
"ET POLICY Credit Card Number Detected in Clear (16 digit spaced)"
The JSON info in the alert file is null: {}; in the previous version the display was meaningful.
Regards
JP P
Updated by Brandon Murphy 9 months ago
- File f6d1f89b09b6df9.pcap added
A lot of the signatures mentioned here require a threshold.
However, ET POLICY Credit Card Number Detected in Clear (16 digit spaced), AKA 2001375, does not, so I thought that might be a good candidate to test with.
I was unable to replicate this issue. I tested with 6.0.0, 6.0.16, 7.0.0 and 7.0.4.
7.0.4 alert output of the attached pcap:
https://gist.github.com/zoomequipd/f6251494737b74dcbbf9f6ac8c9bed05
All of them appeared to have accurate information within the alert event type in the eve json.
@JP Pozzi would you be able to provide information to replicate your issue? A pcap, the suricata.yaml and the command line you are using to start suricata would be a good start.
Are you able to provide what exact version of 6.x you reference here?
"It was OK in the previous versions (6). One other rule does not display usable information"
Updated by JP Pozzi 6 months ago
- Affected Versions 7.0.5 added
- Affected Versions deleted (7.0.3)
Hello,
About the DNS "problem": the information about the "offender" is present in
the server response. I tried to follow the network activity on UDP/53 with
Wireshark and I got the following data (CSV format from Wireshark):
127 24.191888682 127.0.0.1 127.0.0.1 DNS 131 Standard query response 0x1871 No such name A xxxtf1.fr SOA a.nic.fr
The "offender" xxxtf1.fr is visible but is not present in the JSON file.
Remark: it seems OK in the dev version 8.
Regards
JP P