Project

General

Profile

Actions
Copy link

Bug #7478

open

DNS packets not on port 53 are identified as DHCP protocol

Added by baixiaopeng bai about 1 month ago. Updated about 1 month ago.

Status:
New
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Affected Versions:
7.0.6
Effort:
Difficulty:
Label:

Description

Suricata 7.0.6 version

DNS packets not on port 53 are identified as DHCP protocol。

Files

Download all files
dnscat-clean.pcap (94.6 KB) dnscat-clean.pcap dns pcap not on port 53 baixiaopeng bai, 01/09/2025 04:14 AM
gdb.jpg (38.8 KB) gdb.jpg alproto is 22(dhcp) when debugging baixiaopeng bai, 01/09/2025 04:16 AM
evelog-is-dhcp.jpg (101 KB) evelog-is-dhcp.jpg dns packets output eve-log as dhcp. baixiaopeng bai, 01/09/2025 04:19 AM
Actions
Copy link
 #1

Updated by baixiaopeng bai about 1 month ago

Actions
Copy link
 #3

Updated by Jason Ish about 1 month ago

Not able to replicate with this PCAP, do you have configuration changes as well?

DNS and DHCP are both probing parsers and should only pickup those protocols on the configured ports.

Actions
Copy link

Also available in: Atom PDF