[Oisf-devel] asymmetric traffic, probing parser

Carl Soeder csoeder at bbn.com
Thu Mar 14 16:21:20 UTC 2013


I am writing an application layer module that detects anomalies in DNS UDP
traffic. It detects DNS UDP traffic by registering a probing parser with
port 53. Everything works fine if Suricata sees the query. However, if
Suricata doesn't see the query, there doesn't seem to be a way to identify the
reply packet as DNS UDP traffic. The probing parser doesn't get called
because Suricata identifies the reply packet as STREAM_TOSERVER (if it
doesn't see the query) and only invokes the probing parser for
STREAM_TOSERVER packets if the destination port is 53. A probing parser can
register with port 0 to get all traffic, but the probing parser is called
with only UDP packet data (and not port information). So it doesn't appear
possible to access the source and destination ports within a probing parser.

Ideas?
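The situation described above, as an added illustration that is not part of the original post and is not Suricata's own DNS parser: when a probing parser is registered for all ports it receives only the payload, so the one direction signal still available to it is the QR bit in the DNS header. The program below validates the fixed header and walks the question section, then reports whether the datagram is a query, a response, or not DNS at all, and a small helper turns that into a "the engine has this flow backwards" decision. The function names (dns_probe, dns_direction_is_reversed), the enum, and the three sample datagrams are all constructed for this example and are not Suricata API or captured traffic.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Example code, not Suricata's DNS probing parser. Names and sample
 * datagrams below are invented for this illustration. */

#define DNS_HDR_LEN 12

enum dns_probe_result {
    DNS_PROBE_NOT_DNS  = 0,
    DNS_PROBE_QUERY    = 1,   /* QR=0: sender is the client */
    DNS_PROBE_RESPONSE = 2,   /* QR=1: sender is the server */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Skip one QNAME (labels or a compression pointer). Returns bytes
 * consumed, or 0 if the name runs past the end of the datagram. */
static size_t dns_skip_name(const uint8_t *buf, size_t len, size_t off) {
    size_t start = off;
    while (off < len) {
        uint8_t l = buf[off];
        if (l == 0) return off + 1 - start;
        if ((l & 0xC0) == 0xC0) {            /* 2-byte compression pointer */
            if (off + 2 > len) return 0;
            return off + 2 - start;
        }
        if (l > 63 || off + 1 + l > len) return 0;
        off += 1 + l;
    }
    return 0;
}

/* Classify a UDP payload using only its contents: no ports, no flow state. */
enum dns_probe_result dns_probe(const uint8_t *buf, size_t len) {
    if (len < DNS_HDR_LEN) return DNS_PROBE_NOT_DNS;
    uint16_t flags   = rd16(buf + 2);
    uint16_t qdcount = rd16(buf + 4);
    uint16_t ancount = rd16(buf + 6);
    uint16_t nscount = rd16(buf + 8);
    int qr     = (flags >> 15) & 1;
    int opcode = (flags >> 11) & 0xF;
    int zbit   = (flags >> 6) & 1;           /* reserved, must be zero */
    int rcode  = flags & 0xF;

    /* Opcodes seen on the wire: QUERY(0), IQUERY(1), STATUS(2), NOTIFY(4), UPDATE(5). */
    if (opcode == 3 || opcode > 5) return DNS_PROBE_NOT_DNS;
    if (zbit) return DNS_PROBE_NOT_DNS;
    if (!qr && rcode != 0) return DNS_PROBE_NOT_DNS;             /* queries carry no RCODE */
    if (!qr && opcode == 0 && (ancount || nscount)) return DNS_PROBE_NOT_DNS;
    if (!qr && qdcount == 0) return DNS_PROBE_NOT_DNS;

    /* Every question entry (QNAME + QTYPE + QCLASS) must fit in the datagram. */
    size_t off = DNS_HDR_LEN;
    for (uint16_t i = 0; i < qdcount; i++) {
        size_t n = dns_skip_name(buf, len, off);
        if (n == 0 || off + n + 4 > len) return DNS_PROBE_NOT_DNS;
        off += n + 4;
    }
    return qr ? DNS_PROBE_RESPONSE : DNS_PROBE_QUERY;
}

/* engine_says_toserver: 1 if the engine labelled this packet TOSERVER.
 * Returns 1 when the payload contradicts that label, i.e. the flow was
 * picked up mid-stream and its direction should be flipped. */
int dns_direction_is_reversed(int engine_says_toserver, enum dns_probe_result r) {
    if (r == DNS_PROBE_QUERY)    return !engine_says_toserver;
    if (r == DNS_PROBE_RESPONSE) return engine_says_toserver;
    return 0;
}

/* Constructed samples: query and reply for "example.com" A, and non-DNS bytes. */
static const uint8_t example_query[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    7, 'e','x','a','m','p','l','e', 3, 'c','o','m', 0, 0x00, 0x01, 0x00, 0x01 };
static const uint8_t example_response[] = {
    0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    7, 'e','x','a','m','p','l','e', 3, 'c','o','m', 0, 0x00, 0x01, 0x00, 0x01,
    0xC0, 0x0C, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x01, 0x2C, 0x00, 0x04,
    93, 184, 216, 34 };
static const uint8_t not_dns[] = "GET / HTTP/1.1\r\nHost: x\r\n\r\n";

int main(void) {
    /* A reply seen without its query, labelled TOSERVER by the engine. */
    enum dns_probe_result r = dns_probe(example_response, sizeof example_response);
    printf("reply classified as %d, reversed=%d\n", r, dns_direction_is_reversed(1, r));
    printf("query=%d not_dns=%d\n",
           dns_probe(example_query, sizeof example_query),
           dns_probe(not_dns, sizeof not_dns));
    return 0;
}
```

The checks are deliberately tight (reserved bit, RCODE, section counts, full question walk) because a port-0 probe is offered every UDP payload on the sensor and a loose header match would misclassify other protocols as DNS.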
