Bug #7004
Updated by Jason Ish 6 months ago
[Private as it discusses an issue where DNS transactions are missed] In IDS mode, transaction handling appears to be off, and there exists a discrepancy between IDS and IPS modes. While pointed out in PGSQL, I believe DNS presents a simpler reproduction case just being a simpler protocol with less state. The test PCAP (@dns-tcp-multi.pcap@) contains 1 TCP session with 3 DNS requests/responses, in order. - 1) Request/response for suricata.io - 2) Request/response for oisf.net - 3) Request/response for suricata.org One rule is used: <pre> alert dns any any -> any any (msg:"DNS suricata"; content:"suricata"; sid:1; rev:1;) </pre> *Issue 1. IDS Mode* Using a default Suricata configuration: <pre> suricata -S test.rules -r dns-tcp-multi.pcap </pre> Observations: - There are only two alerts for the "suricata.org" request and response, which is the 3rd request/response in the PCAP. - There is no alert for the first request/response for "suricata.io", but one is expected. This could be considered an evasion or false negative. - All @dns@ app-layer events are logged as expected. Issue: - The first transaction is not matched against rules correctly. This is very similar to what is being seen in #7000. [Update] If @dns-tcp-multi.pcap@ is updated to use the hostnames @suricata.io@, @oisf.net@ and @google.com@, the rule above will still alert, but with the transaction data for @google.com@. This does suggest that the match is being done. Expected behavior: - alert for DNS request to suricata.io, with correct tx data (or no tx data) - alert for DNS response for suricata.io, with correct tx data (or no tx data) - alert for DNS request to suricata.org, with correct tx data (or no tx data) - alert for DNS response to suricata.org, with correct tx data (or no tx data) *Issue 2. IPS Mode* Run the same test above, but in IPS simulation mode: <pre> suricata -S test.rules -r dns-tcp-multi.pcap --simulate-ips </pre> Observations: - Alert for "suricata.io" request/response: OK - Alert for "oisf.net" request/response: NOT OK - Alert for "suricata.org" request/response: OK Issue: - An alert is being generated for transactions that should not match. *Summary* There appears to be a discrepancy somewhere in @tx id@ handling where the transactions being matched on, are not the transactions being logged on TCP protocols. At least in DNS, UDP DNS works correctly, but has simpler state management.