Bug #7574
openSURICATA DNS malformed request data from macOS to Active Directory DNS server
Description
We are seeing this alert triggered by SOA record requests from a macOS client to our AD DNS server. pcap attached
{"timestamp":"2025-03-03T14:00:48.850734-0700","flow_id":262106604897803,"in_iface":"ovpns4","event_type":"alert","src_ip":"10.11.2.178","src_port":55840,"dest_ip":"10.10.11.10","dest_port":53,"proto":"TCP","pkt_src":"wire/pcap","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2240002,"rev":2,"signature":"SURICATA DNS malformed request data","category":"Generic Protocol Command Decode","severity":3},"dns":{"version":2,"query":[{"type":"query","id":51417,"rrname":"ad.nwra.com","rrtype":"SOA","tx_id":0,"opcode":5}]},"app_proto":"dns","direction":"to_server","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":386,"bytes_toclient":326,"start":"2025-03-03T14:00:48.650850-0700","src_ip":"10.11.2.178","dest_ip":"10.10.11.10","src_port":55840,"dest_port":53},"payload":"AJTI2SgAAAEAAAABAAECYWQEbndyYQNjb20AAAYAAQVvdHRlcsAMAP8A/wAAAAAAAAo0MTA4NTA4Njc5DHNpZy1hZC1ibGQwMQJhZARud3JhA2NvbQAA+gD/AAAAAAA2CGdzcy10c2lnAAAAZ8YYgAEsABwEBAT//////wAAAAAMvHNE4pH0lq9PnN5cOm1nyNkAAAAA","payload_printable":"....(..........ad.nwra.com......otter............\n4108508679.sig-ad-bld01.ad.nwra.com..........6.gss-tsig...g....,................sD.....O..\\:mg......","stream":1,"packet":"AgAAAEUAADQAAEAAQAYY9AoLArIKCgsK2iAANUb4jjP/8Pe1gBAICUBZAAABAQgK6JN25VKgs0g=","packet_info":{"linktype":0}}
Files
Updated by Philippe Antoine 1 day ago
- Status changed from New to Feedback
I am not reproducing with 8, are you ?
Updated by Philippe Antoine 1 day ago
- Target version changed from TBD to 7.0.12
- Affected Versions 7.0.11 added
Updated by Philippe Antoine 1 day ago
- Assignee changed from OISF Dev to Jason Ish
Jason, did we miss a backport for DNS ?
Updated by Philippe Antoine about 23 hours ago
This was fixed by de88d8ec4870de5068e0dcf4d6bc6aae6a8189d1
Updated by Jason Ish about 19 hours ago
- Assignee changed from Jason Ish to OISF Dev
Updated by Jason Ish about 19 hours ago
Philippe Antoine wrote in #note-3:
Jason, did we miss a backport for DNS ?
No.
de88d8ec4870de5068e0dcf4d6bc6aae6a8189d1 should not be backported I don't think. It served a different purpose and may have accidentally fixed this. So 7.0 probably needs its own fix.