Project

General

Profile

Actions
Copy link

Bug #7478

open

DNS packets not on port 53 are identified as DHCP protocol

Added by baixiaopeng bai 10 months ago. Updated 8 months ago.

Status:
Feedback
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Affected Versions:
7.0.6
Effort:
Difficulty:
Label:

Description

Suricata 7.0.6 version

DNS packets not on port 53 are identified as DHCP protocol。

Files

Download all files
dnscat-clean.pcap (94.6 KB) dnscat-clean.pcap dns pcap not on port 53 baixiaopeng bai, 01/09/2025 04:14 AM
gdb.jpg (38.8 KB) gdb.jpg alproto is 22(dhcp) when debugging baixiaopeng bai, 01/09/2025 04:16 AM
evelog-is-dhcp.jpg (101 KB) evelog-is-dhcp.jpg dns packets output eve-log as dhcp. baixiaopeng bai, 01/09/2025 04:19 AM
Actions
Copy link
 #1

Updated by baixiaopeng bai 10 months ago

Actions
Copy link
 #3

Updated by Jason Ish 10 months ago

Not able to replicate with this PCAP, do you have configuration changes as well?

DNS and DHCP are both probing parsers and should only pickup those protocols on the configured ports.

Actions
Copy link
 #4

Updated by Philippe Antoine 8 months ago

  • Status changed from New to Feedback
Actions
Copy link

Also available in: Atom PDF