<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.ox-335a999652-msonormal, li.ox-335a999652-msonormal, div.ox-335a999652-msonormal
{mso-style-name:ox-335a999652-msonormal;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 3.0cm 70.85pt 3.0cm;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body lang="ES" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US">Hi Konstantin,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US">Pcap attached. I am using default config from Suricata install from source … The only option I have changed is dp …<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US">Many thanks for your help.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span lang="EN-US">-- <o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US">Regards,<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US">C. L. Martinez</span><span lang="EN-US" style="mso-fareast-language:EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:12.0pt;color:black">From: </span></b><span style="font-size:12.0pt;color:black">Konstantin Klinger &lt;konstantinklinger@mailbox.org&gt;<br>
<b>Date: </b>Sunday, 5 January 2020 at 13:35<br>
<b>To: </b>Carlos Lopez &lt;clopmz@outlook.com&gt;, "oisf-users@lists.openinfosecfoundation.org" &lt;oisf-users@lists.openinfosecfoundation.org&gt;<br>
<b>Subject: </b>Re: [Oisf-users] Monitoring DNS over TLS: SURICATA TLS on unusual port<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Hi Carlos, <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">could you please share your suricata.yaml and, additionally, a sample pcap of your DNS over TLS traffic via port 853, if possible? If you would not like to share it publicly but with me, I've attached my PGP key.
<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Thanks, <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Konstantin <o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-bottom:12.0pt">On January 5, 2020 at 1:08 PM Carlos Lopez &lt;clopmz@outlook.com&gt; wrote:
<o:p></o:p></p>
<div>
<p class="ox-335a999652-msonormal"><span style="color:black">Hi all,</span><o:p></o:p></p>
<p class="ox-335a999652-msonormal"><span style="color:black"> </span><o:p></o:p></p>
<p class="ox-335a999652-msonormal"><span style="color:black">I have a DNS cache server based on unbound, redirecting all external queries to CloudFlare’s DNS servers via DNS over TLS, and as I indicated in the subject, a lot of alerts are triggered as “SURICATA TLS on unusual port”.</span><o:p></o:p></p>
<p class="ox-335a999652-msonormal"><span style="color:black"> </span><o:p></o:p></p>
<p class="ox-335a999652-msonormal"><span style="color:black">I have tried to inform our Suricata sensors via “app-layer,tls,dp” that port 853 is a valid TLS port, without luck … I have checked every TLS variable for Suricata without result.</span><o:p></o:p></p>
<p class="ox-335a999652-msonormal"><span style="color:black"> </span><o:p></o:p></p>
<p class="ox-335a999652-msonormal"><span style="color:black">Then how do I inform Suricata that port 853 is a valid TLS port?</span><o:p></o:p></p>
<p class="ox-335a999652-msonormal"> <o:p></o:p></p>
<p class="ox-335a999652-msonormal"> <o:p></o:p></p>
<p class="ox-335a999652-msonormal">-- <o:p></o:p></p>
<div>
<p class="ox-335a999652-msonormal">Regards, <o:p></o:p></p>
<p class="ox-335a999652-msonormal">C. L. Martinez<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal">_______________________________________________ <br>
Suricata IDS Users mailing list: oisf-users@openinfosecfoundation.org <br>
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/ <br>
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users <br>
<br>
Conference: https://suricon.net <br>
Trainings: https://suricata-ids.org/training/ <o:p></o:p></p>
</blockquote>
<div>
<p class="MsoNormal"><br>
<o:p></o:p></p>
</div>
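<p class="MsoNormal">Added example, not taken from any message in this thread: the suricata.yaml fragment that the “app-layer,tls,dp” setting discussed above corresponds to, with TCP/853 (DNS over TLS) added to the ports on which Suricata expects TLS. The key path app-layer.protocols.tls.detection-ports.dp is the stock one from the installed suricata.yaml; the port list and the comments are this example's.</p>

```yaml
# Added example (not from the thread): the app-layer.protocols.tls section of
# suricata.yaml with DNS over TLS (TCP/853) added to the TLS detection ports.
# Every other section of suricata.yaml is left exactly as installed.
app-layer:
  protocols:
    tls:
      enabled: yes
      detection-ports:
        # Stock value is "dp: 443". The port list uses the same syntax as a
        # rule port specification, so 853 (DoT, as used by the unbound
        # forwarder in the thread) is listed alongside 443. TLS on 853 is
        # detected by pattern matching even without this entry (that detection
        # is what raises the alert); listing the port tells the engine to
        # expect TLS there from the first packet of the flow.
        dp: 443, 853
```

<p class="MsoNormal">Usage note: detection-ports only tells the engine where to look for a TLS handshake. The “SURICATA TLS on unusual port” text is the message of a signature shipped in Suricata's app-layer-events.rules, which fires when TLS is detected on a destination port that the signature does not treat as a TLS port, so the signature also has to be tuned (disabled through suricata-update's disable.conf, or the port list in a local copy of the rule widened to include 853) before the alerts stop. Replaying the attached pcap with suricata -r and reading the alert records in eve.json confirms whether both changes had the intended effect.</p>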
</div>
</body>
</html>