[Oisf-devel] FP on new Suricata git dns decoder

rmkml rmkml at yahoo.fr
Sat Jul 6 11:43:26 UTC 2013


Thanks Peter for the reply,

Created new Redmine ticket #856.

Regards
@Rmkml


On Sat, 6 Jul 2013, Peter Manev wrote:

> On Fri, Jul 5, 2013 at 10:32 PM, rmkml <rmkml at yahoo.fr> wrote:
>> Hi,
>>
>> Congrats on the hard work on the new git (yesterday) dns decoder,
>>
>> but I have an FP with it:
>>
>> Attached pcap file,
>>
>> suricata-git4jul2013 -c suricata.yaml_dns -r suricatafpdnsdecoder.pcap
>> (only dns-events.rules and enabled dns log)
>>
>> FP on log/fast.log:
>> 07/04/2013-21:47:51.585903  [**] [1:2240006:1] SURICATA DNS Z flag set [**]
>> [Classification: (null)] [Priority: 3] {UDP} 192.168.42.129:53 ->
>> 192.168.42.150:55597
>> 07/04/2013-21:47:51.585903  [**] [1:2240005:1] SURICATA DNS Not a response
>> [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.42.129:53 ->
>> 192.168.42.150:55597
>> 07/04/2013-21:47:51.585903  [**] [1:2240002:1] SURICATA DNS malformed
>> request data [**] [Classification: (null)] [Priority: 3] {UDP}
>> 192.168.42.129:53 -> 192.168.42.150:55597
>> 07/04/2013-21:47:51.585903  [**] [1:2240001:1] SURICATA DNS Unsollicited
>> response [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.42.129:53
>> -> 192.168.42.150:55597
>>
>> more log/dns.log:
>> 07/04/2013-21:47:51.585903 [**] Response TX 64b7 [**]
>> static.programme-tv.net [**] CNAME [**] TTL 630 [**]
>> programme-tv.net.edgesuite.net [**] 192.168.42.129:53 ->
>> 192.168.42.150:55597
>> 07/04/2013-21:47:51.585903 [**] Response TX 64b7 [**]
>> programme-tv.net.edgesuite.net [**] CNAME [**] TTL 20432 [**]
>> a1859.g.akamai.net [**] 192.168.42.129:53 -> 192.168.42.150:55597
>> 07/04/2013-21:47:51.585903 [**] Response TX 64b7 [**] g.akamai.net [**] SOA
>> [**] TTL 1000 [**] n0g.akamai.net [**] 192.168.42.129:53 ->
>> 192.168.42.150:55597
>>
>> tshark output:
>>   1 21:47:51.442123 192.168.42.150 -> 192.168.42.129 DNS Standard query
>> 0xe71d  A static.programme-tv.net
>>   2 21:47:51.442148 192.168.42.150 -> 192.168.42.129 DNS Standard query
>> 0x64b7  AAAA static.programme-tv.net
>>   3 21:47:51.585903 192.168.42.129 -> 192.168.42.150 DNS Standard query
>> response 0xe71d  CNAME programme-tv.net.edgesuite.net CNAME
>> a1859.g.akamai.net A 90.84.55.48 A 90.84.55.64
>>   4 21:47:51.592983 192.168.42.129 -> 192.168.42.150 DNS Standard query
>> response 0x64b7  CNAME programme-tv.net.edgesuite.net CNAME
>> a1859.g.akamai.net
>>
>> 07/04/2013-21:47:51.585903 contains a dns standard query response without
>> the DNS Z flag set.
>>
>> Can anyone check, please?
>> If confirmed, I'll open a new Redmine ticket.
>>
>
> Hi rmkml,
>
> Yes, I had a similar case and I think it is a bug.
> Would you please open a ticket?
>
> thanks
>
>
> --
> Regards,
> Peter Manev
>
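For readers following the thread: the four alerts quoted above are driven by a handful of header bits (RFC 1035 section 4.1.1). The decoder below is an added example, not Suricata's dns decoder or anything from the pcap; it reads those bits and applies the same three checks, run over a constructed query/response pair modelled on the thread's transaction id 0x64b7, so a clean response yielding no findings shows what the traffic should look like when the alerts fire anyway.

```python
import struct

# Added example for this thread, not Suricata's dns decoder: decode the header
# bits behind "Z flag set", "Not a response" and "Unsolicited response".
HEADER = struct.Struct("!HHHHHH")  # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT

def parse_header(msg):
    """Return the DNS header fields of a message as a dict."""
    if len(msg) < HEADER.size:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = HEADER.unpack_from(msg)
    return {
        "id": txid,
        "qr": flags >> 15 & 1,       # 0 = query, 1 = response
        "opcode": flags >> 11 & 0xF,
        "z": flags >> 4 & 0x7,       # reserved bits, must be zero per RFC 1035
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def check_server_packet(msg, pending_ids):
    """Checks for a packet travelling server -> client, named after the rules
    in the thread. pending_ids holds the transaction ids the client has sent
    and not yet received an answer for."""
    h = parse_header(msg)
    findings = []
    if h["z"] != 0:
        findings.append("Z flag set")
    if h["qr"] != 1:
        findings.append("Not a response")
    elif h["id"] not in pending_ids:
        findings.append("Unsolicited response")
    return findings

def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"

def build_message(txid, name, qtype, qr, z=0, an=0, ns=0):
    """Constructed message with one question (class IN); RD and RA are set."""
    flags = qr << 15 | 1 << 8 | 1 << 7 | z << 4
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    return HEADER.pack(txid, flags, 1, an, ns, 0) + question

if __name__ == "__main__":
    # Modelled on the thread: A and AAAA queries sent, then the AAAA answer
    # (2 CNAMEs in the answer section, 1 SOA in the authority section).
    pending = {0xE71D, 0x64B7}
    answer = build_message(0x64B7, "static.programme-tv.net", 28, qr=1, an=2, ns=1)
    print(check_server_packet(answer, pending))  # []
```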

