[Oisf-devel] FP on new Suricata git dns decoder

Peter Manev petermanev at gmail.com
Sat Jul 6 08:23:54 UTC 2013


On Fri, Jul 5, 2013 at 10:32 PM, rmkml <rmkml at yahoo.fr> wrote:
> Hi,
>
> Congrats for hard work on new git (yesterday) dns decoder,
>
> but I have FP with it :
>
> Attached pcap file,
>
> suricata-git4jul2013 -c suricata.yaml_dns -r suricatafpdnsdecoder.pcap
> (only dns-events.rules and enabled dns log)
>
> FP on log/fast.log:
> 07/04/2013-21:47:51.585903  [**] [1:2240006:1] SURICATA DNS Z flag set [**]
> [Classification: (null)] [Priority: 3] {UDP} 192.168.42.129:53 ->
> 192.168.42.150:55597
> 07/04/2013-21:47:51.585903  [**] [1:2240005:1] SURICATA DNS Not a response
> [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.42.129:53 ->
> 192.168.42.150:55597
> 07/04/2013-21:47:51.585903  [**] [1:2240002:1] SURICATA DNS malformed
> request data [**] [Classification: (null)] [Priority: 3] {UDP}
> 192.168.42.129:53 -> 192.168.42.150:55597
> 07/04/2013-21:47:51.585903  [**] [1:2240001:1] SURICATA DNS Unsollicited
> response [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.42.129:53
> -> 192.168.42.150:55597
>
> more log/dns.log:
> 07/04/2013-21:47:51.585903 [**] Response TX 64b7 [**]
> static.programme-tv.net [**] CNAME [**] TTL 630 [**]
> programme-tv.net.edgesuite.net [**] 192.168.42.129:53 ->
> 192.168.42.150:55597
> 07/04/2013-21:47:51.585903 [**] Response TX 64b7 [**]
> programme-tv.net.edgesuite.net [**] CNAME [**] TTL 20432 [**]
> a1859.g.akamai.net [**] 192.168.42.129:53 -> 192.168.42.150:55597
> 07/04/2013-21:47:51.585903 [**] Response TX 64b7 [**] g.akamai.net [**] SOA
> [**] TTL 1000 [**] n0g.akamai.net [**] 192.168.42.129:53 ->
> 192.168.42.150:55597
>
> tshark output:
>   1 21:47:51.442123 192.168.42.150 -> 192.168.42.129 DNS Standard query
> 0xe71d  A static.programme-tv.net
>   2 21:47:51.442148 192.168.42.150 -> 192.168.42.129 DNS Standard query
> 0x64b7  AAAA static.programme-tv.net
>   3 21:47:51.585903 192.168.42.129 -> 192.168.42.150 DNS Standard query
> response 0xe71d  CNAME programme-tv.net.edgesuite.net CNAME
> a1859.g.akamai.net A 90.84.55.48 A 90.84.55.64
>   4 21:47:51.592983 192.168.42.129 -> 192.168.42.150 DNS Standard query
> response 0x64b7  CNAME programme-tv.net.edgesuite.net CNAME
> a1859.g.akamai.net
>
> 07/04/2013-21:47:51.585903 contains dns standard query response without DNS
> Z flag set.
>
> Could anyone check, please?
> If confirmed, I will open a new Redmine ticket.
>

Hi rmkml,

Yes, I had a similar case and I think it is a bug.
Would you please open a ticket?

thanks


--
Regards,
Peter Manev
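An independent check of the conditions the four alert names in the thread refer to, added here as an example (not Suricata's decoder code and not from either poster). It builds a query and reply modelled on transaction 0x64b7 from the tshark output, confirms QR=1 and Z=0 in the reply, and matches the reply to its query; the checks follow the alert names, not Suricata's actual rule logic, which is an assumption.

```python
import struct

def dns_name(name):
    """Encode a dotted name in DNS wire format (no label compression)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def dns_message(tx_id, flags, qname, qtype, answers=()):
    """Build a minimal DNS message; answers are (name, type, ttl, rdata) tuples."""
    hdr = struct.pack("!HHHHHH", tx_id, flags, 1, len(answers), 0, 0)
    body = dns_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    for name, rtype, ttl, rdata in answers:
        body += dns_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return hdr + body

def parse_header(pkt):
    """Split the DNS header (RFC 1035 4.1.1); Z is the three reserved bits, must be 0."""
    if len(pkt) < 12:
        raise ValueError("truncated DNS header")
    tx_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {"id": tx_id, "qr": flags >> 15 & 1, "opcode": flags >> 11 & 0xF,
            "z": flags >> 4 & 0x7, "rcode": flags & 0xF, "qdcount": qd, "ancount": an}

class DnsChecker:
    """Tracks outstanding query ids so a reply can be matched to the query it answers."""
    def __init__(self):
        self.pending = set()

    def check(self, pkt, src_port):
        """Return the thread's alert names that genuinely apply to this packet."""
        h = parse_header(pkt)
        findings = []
        if h["z"]:
            findings.append("Z flag set")
        if h["qr"] == 0:                       # a query
            if src_port == 53:
                findings.append("Not a response")
            self.pending.add(h["id"])
        elif h["id"] in self.pending:          # reply to a query we saw
            self.pending.discard(h["id"])
        else:
            findings.append("Unsolicited response")
        return findings

# Constructed packets modelled on the thread's AAAA query 0x64b7 and its CNAME-only reply.
AAAA, CNAME = 28, 5
QUERY = dns_message(0x64B7, 0x0100, "static.programme-tv.net", AAAA)
RESPONSE = dns_message(0x64B7, 0x8180, "static.programme-tv.net", AAAA, [
    ("static.programme-tv.net", CNAME, 630, dns_name("programme-tv.net.edgesuite.net")),
    ("programme-tv.net.edgesuite.net", CNAME, 20432, dns_name("a1859.g.akamai.net")),
])
```

Feeding QUERY (source port 55597) and then RESPONSE (source port 53) through one DnsChecker yields no findings for either packet, which is what the decoder should also conclude for the capture in the thread.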