<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Fri, Jan 6, 2017 at 12:45 PM, Michael J. Sheldon <span dir="ltr"><<a href="mailto:msheldon@godaddy.com" target="_blank">msheldon@godaddy.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Suricata 3.1.3 Running in IPS mode<br>
<br>
Is it possible to tell Suricata to NOT do flow tracking for UDP?<br>
We use suricata for DNS traffic, and flow tracking is quite frankly useless, as there are no true flows with DNS UDP<br>
<br>
On top of that, it appears that somehow, some folks are bypassing the rules by flooding from the same IP:port.<br>
<br>
You can see from the below log, that the same source/port was sending the same request repeatedly. I have a drop rule in place, but when the tx_id reaches 501, it stops blocking, and the traffic goes through. The flow_id is the same for every request. There are identical chains in the log for different ip:port combinations.<br>
<br>
So effectively, instead of blocking the source address completely, I only end up blocking the first 501 requests. A new source will get blocked, but again, only for 501 requests.<br></blockquote><div><br></div><div>I think this is an issue we need to look into further, but in the meantime there might be a work-around.</div><div><br></div><div>In your suricata.yaml, under app-layer.dns, change "yes" to "detection-only" like:</div><div><br></div><pre>dns:
  tcp:
    enabled: detection-only
    detection-ports:
      dp: 53
  udp:
    enabled: detection-only
    detection-ports:
      dp: 53</pre><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
rule:<br>
drop dns $EXTERNAL_NET any -> $INTERNAL_NET $DNS_PORTS (msg:"DROP Config sourcenetwork filter test"; dns_query; content:"example.com"; nocase; sid:3110039;)<br></blockquote><div><br></div><div>Then you'll also need to change your rule to a more generic rule such as:</div><div><br></div><pre>drop udp $EXTERNAL_NET any -> $INTERNAL_NET $DNS_PORTS (msg:"DROP Config sourcenetwork filter test"; flow:to_server; pcre:"/example\.com/i"; sid:3110039;)</pre><div><br></div><div>Anyways, I know it's not the answer you are likely looking for, and I will be looking into it further. And in the meantime maybe someone else will have a better suggestion?</div><div><br></div><div>Jason</div></div></div></div>
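<p>To make the symptom in the report concrete, here is an added Python example (not code from the thread or from the Suricata project) that audits eve.json DNS and alert events per flow_id and reports flows whose tx_id climbed past a limit while queries kept passing without a matching blocked alert. The eve.json lines are constructed, and the 500 threshold is an assumption mirroring the 501 boundary described above.</p>

```python
import json
from collections import defaultdict


def _ev(event_type, tx_id, **extra):
    """Build one constructed eve.json line for a single UDP DNS flow."""
    base = {"event_type": event_type, "flow_id": 1, "proto": "UDP",
            "src_ip": "198.51.100.7", "src_port": 40000,
            "dest_ip": "192.0.2.53", "dest_port": 53, "tx_id": tx_id}
    base.update(extra)
    return json.dumps(base)


QUERY = {"type": "query", "rrname": "example.com", "rrtype": "A"}
BLOCKED = {"action": "blocked", "signature_id": 3110039}

# Constructed sample: the same ip:port resends the same query; the drop
# rule fires for tx_id 499 and 500, then stops once tx_id passes 500.
SAMPLE_EVE_LINES = [
    _ev("dns", 499, dns=QUERY),
    _ev("alert", 499, alert=BLOCKED),
    _ev("dns", 500, dns=QUERY),
    _ev("alert", 500, alert=BLOCKED),
    _ev("dns", 501, dns=QUERY),   # no alert follows: query slipped through
    _ev("dns", 502, dns=QUERY),   # no alert follows: query slipped through
]


def audit_dns_flows(lines, tx_limit=500):
    """Group DNS queries and blocked alerts by flow_id and return the flows
    whose tx_id went past tx_limit while more queries were seen than
    blocked alerts, i.e. flows in which queries stopped being dropped."""
    flows = defaultdict(lambda: {"src": None, "queries": 0,
                                 "blocked": 0, "max_tx_id": -1})
    for line in lines:
        ev = json.loads(line)
        f = flows[ev["flow_id"]]
        f["src"] = (ev["src_ip"], ev["src_port"])
        f["max_tx_id"] = max(f["max_tx_id"], ev.get("tx_id", -1))
        if ev["event_type"] == "dns" and ev["dns"].get("type") == "query":
            f["queries"] += 1
        elif ev["event_type"] == "alert" and ev["alert"].get("action") == "blocked":
            f["blocked"] += 1
    return {fid: f for fid, f in flows.items()
            if f["max_tx_id"] > tx_limit and f["queries"] > f["blocked"]}


if __name__ == "__main__":
    for fid, f in audit_dns_flows(SAMPLE_EVE_LINES).items():
        print(f"flow {fid} from {f['src']}: {f['queries'] - f['blocked']} "
              f"unblocked queries, tx_id reached {f['max_tx_id']}")
```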