Bug #6789

open

DNS remarks without showing DNS name

Added by JP Pozzi 9 months ago. Updated 5 months ago.

Status: Feedback
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hello,
While using Suricata 7.02 or 7.03 I found that some alerts are lacking info.
I found one for the message:
ET POLICY Unusual number of DNS No Such Name Responses
The DNS name is not in the alert file ... it is annoying.

Regards

JP P


Files

f6d1f89b09b6df9.pcap (81.4 KB) - Brandon Murphy, 03/30/2024 06:02 AM
Actions #1

Updated by Jason Ish 9 months ago

  • Status changed from New to Feedback

A PCAP will be required to investigate further. It looks like this rule could easily alert on data that is not DNS, in which case there wouldn't be any DNS information to log.

Actions #2

Updated by JP Pozzi 9 months ago

Hello,
It was OK in the previous versions (6). One other rule does not display usable information:
"ET POLICY Credit Card Number Detected in Clear (16 digit spaced)"
The JSON info in the alert file is null: {}. In the previous version the display was meaningful.

Regards
JP P

Actions #3

Updated by JP Pozzi 9 months ago

It is the same problem with the rule:
"ET DNS Excessive NXDOMAIN responses - Possible DNS Backscatter or Domain Generation Algorithm Lookups"
No information is in the json file.

Regards

JP P

Actions #4

Updated by JP Pozzi 9 months ago

  • Affected Versions 7.0.3 added

Hello,
Another message without any elements given in the alert file:
ET POLICY Credit Card Number Detected in Clear (16 digit spaced)
and no information in the eve alert file.

Regards
JP P

Actions #5

Updated by JP Pozzi 8 months ago

Hello,

The message:
"ET POLICY Credit Card Number Detected in Clear (16 digit spaced)" is not associated with any value in the eve file.

Regards
JP P

Actions #6

Updated by JP Pozzi 8 months ago

Hello,

All the small problems described here do not exist in version 6;
not having enough information to understand an alert is like not receiving the alert.
It is possible to name it: regression.

Actions #7

Updated by Brandon Murphy 8 months ago

A lot of the signatures mentioned here require a threshold.

However, ET POLICY Credit Card Number Detected in Clear (16 digit spaced), AKA 2001375, does not, so I thought that might be a good candidate to test with.

I was unable to replicate this issue. I tested with 6.0.0, 6.0.16, 7.0.0 and 7.0.4.

7.0.4 alert output of the attached pcap:
https://gist.github.com/zoomequipd/f6251494737b74dcbbf9f6ac8c9bed05

All of them appeared to have accurate information within the alert event type in the eve json.

@JP Pozzi would you be able to provide information to replicate your issue? A pcap, the suricata.yaml and the command line you are using to start suricata would be a good start.

Are you able to provide the exact version of 6.x you reference here?

"It was OK in the previous versions (6). One other rule does not display usable information"

Actions #8

Updated by JP Pozzi 5 months ago

  • Affected Versions 7.0.5 added
  • Affected Versions deleted (7.0.3)

Hello,

About the DNS "problem": the information of the "offender" is present in
the server response. I try to follow the network activity on UDP/53 with
Wireshark and I get the following data (CSV format from Wireshark):
127 24.191888682 127.0.0.1 127.0.0.1 DNS 131 Standard query response 0x1871 No such name A xxxtf1.fr SOA a.nic.fr
The "offender" xxxtf1.fr is visible but is not present in the json file.

Remark: it seems OK in the dev version 8.

Regards

JP P
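As an added example (not part of this ticket and not Suricata's own code), here is a small checker that reads EVE JSON lines and lists DNS-related alert events that carry no `dns` object with a queried name, which is the symptom reported above. The field names (`event_type`, `alert.signature`, `app_proto`, `dns.query[].rrname`) follow the EVE alert format as I know it and are assumptions; the sample lines and their signature IDs are constructed, not taken from the attached pcap.

```python
import json
from typing import Iterable

# Constructed sample eve.json lines (not a real capture); signature IDs are placeholders.
# Line 1: DNS alert with metadata; line 2: the ticket's symptom (DNS alert, no dns
# object); line 3: a plain dns event, which the checker ignores.
SAMPLE_EVE = """\
{"timestamp":"2024-03-30T06:02:00.000000+0000","event_type":"alert","src_ip":"127.0.0.1","dest_ip":"127.0.0.1","proto":"UDP","app_proto":"dns","alert":{"signature_id":9000001,"signature":"ET DNS Excessive NXDOMAIN responses - Possible DNS Backscatter or Domain Generation Algorithm Lookups","category":"Potentially Bad Traffic"},"dns":{"query":[{"rrname":"xxxtf1.fr","rrtype":"A"}]}}
{"timestamp":"2024-03-30T06:02:01.000000+0000","event_type":"alert","src_ip":"127.0.0.1","dest_ip":"127.0.0.1","proto":"UDP","app_proto":"dns","alert":{"signature_id":9000002,"signature":"ET POLICY Unusual number of DNS No Such Name Responses","category":"Potentially Bad Traffic"}}
{"timestamp":"2024-03-30T06:02:02.000000+0000","event_type":"dns","src_ip":"127.0.0.1","dest_ip":"127.0.0.1","proto":"UDP","dns":{"type":"answer","rrname":"xxxtf1.fr","rcode":"NXDOMAIN"}}
"""

def _has_dns_name(dns: dict) -> bool:
    """True if the dns object carries at least one name (rrname)."""
    if dns.get("rrname"):
        return True
    for key in ("query", "answer"):
        entries = dns.get(key) or []
        if any(isinstance(e, dict) and e.get("rrname") for e in entries):
            return True
    return False

def find_alerts_missing_dns(lines: Iterable[str]) -> list[dict]:
    """Return DNS-related alerts (app_proto dns, or 'DNS' in the signature)
    that carry no dns object with a name, i.e. nothing an analyst can act on."""
    missing = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip a truncated or corrupt line instead of aborting
        if ev.get("event_type") != "alert":
            continue
        alert = ev.get("alert") or {}
        sig = alert.get("signature", "")
        if ev.get("app_proto") != "dns" and "DNS" not in sig.upper():
            continue
        if not _has_dns_name(ev.get("dns") or {}):
            missing.append({"timestamp": ev.get("timestamp"),
                            "signature_id": alert.get("signature_id"),
                            "signature": sig, "src_ip": ev.get("src_ip"),
                            "dest_ip": ev.get("dest_ip")})
    return missing

if __name__ == "__main__":
    for hit in find_alerts_missing_dns(SAMPLE_EVE.splitlines()):
        print(hit)
```

To check a real log, pass `open("/var/log/suricata/eve.json")` (or any iterable of lines) to `find_alerts_missing_dns` and compare the output between the 6.x and 7.0.x installs.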
