[Oisf-devel] asymmetric traffic, probing parser

Victor Julien victor at inliniac.net
Thu Mar 14 16:23:15 UTC 2013


On 03/14/2013 05:21 PM, Carl Soeder wrote:
> I am writing an application layer module that detect anomalies in DNS
> UDP traffic. It detects DNS UDP traffic by registering a probing parser
> with port 53. Everything works fine if Suricata sees the query. However,
> if Suricata doesn’t see the query, there doesn’t seem to a way to
> identify the reply packet as DNS UDP traffic. The probing parser doesn’t
> get called because Suricata identifies the reply packet as
> STREAM_TOSERVER (if it doesn’t see the query) and only invokes the
> probing parser for STREAM_TOSERVER  packets if the destination port is
> 53. A probing parser can register with port 0 to get all traffic but the
> probing parser is called with only UDP packet data (and not port
> information). So it doesn’t appear possible to access the source and
> destination ports within a probing parser.

Yeah, had noticed this some time ago as well. Anoop is redesigning the
proto detection, so I think this would be a good time to also deal with
this case.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
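Added illustration of the point raised in the thread (not Suricata's code and not from either poster): since a probing parser receives only the UDP payload and no port information, the direction of a DNS message has to be recovered from the header itself. This hypothetical stand-alone C probe classifies a payload as query or reply from the QR bit and rejects malformed headers; the function names and sample packets are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Hypothetical stand-alone probe: given only the UDP payload (all a probing
 * parser receives, no ports), decide whether it is DNS and, via the QR bit,
 * whether it is a query or a reply. */
typedef enum { DNS_NOT_DNS = 0, DNS_QUERY = 1, DNS_RESPONSE = 2 } DnsProbeResult;
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
/* Walk the first question (QNAME + QTYPE + QCLASS) starting at *off. */
static bool walk_question(const uint8_t *buf, size_t len, size_t *off)
{
    size_t total = 0;
    while (*off < len) {
        uint8_t l = buf[*off];
        if ((l & 0xc0) == 0xc0) {            /* compression pointer ends the name */
            if (*off + 1 >= len) return false;
            *off += 2;
            break;
        }
        if (l > 63) return false;            /* label longer than RFC 1035 allows */
        *off += 1 + l;
        total += 1 + l;
        if (total > 255) return false;       /* whole name too long */
        if (l == 0) break;                   /* root label terminates the name */
    }
    if (*off + 4 > len) return false;        /* QTYPE and QCLASS must fit */
    *off += 4;
    return true;
}
DnsProbeResult DnsProbePayload(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < 12) return DNS_NOT_DNS;      /* fixed header is 12 bytes */
    uint16_t flags = rd16(buf + 2), qdcount = rd16(buf + 4), ancount = rd16(buf + 6);
    bool qr = (flags & 0x8000) != 0;
    if (((flags >> 11) & 0x0f) > 5 || (flags & 0x0040)) return DNS_NOT_DNS; /* bad opcode or Z bit */
    if (!qr && (qdcount == 0 || ancount != 0 || (flags & 0x000f) != 0))
        return DNS_NOT_DNS;                  /* a query has a question, no answers, RCODE 0 */
    if (qr && qdcount > 1) return DNS_NOT_DNS;
    size_t off = 12;
    if (qdcount == 1 && !walk_question(buf, len, &off)) return DNS_NOT_DNS;
    return qr ? DNS_RESPONSE : DNS_QUERY;
}
/* Constructed sample packets (not captures): a query for example.com/A and its reply. */
const uint8_t kQuery[] = { 0x12,0x34, 0x01,0x00, 0,1, 0,0, 0,0, 0,0,
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0,1, 0,1 };
const uint8_t kReply[] = { 0x12,0x34, 0x81,0x80, 0,1, 0,1, 0,0, 0,0,
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0,1, 0,1,
    0xc0,0x0c, 0,1, 0,1, 0,0,0x0e,0x10, 0,4, 93,184,216,34 };
```

A reply classified as DNS_RESPONSE can then be treated as to-client traffic even when the flow was opened by the reply, which is the asymmetric case the thread describes.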