Carl Soeder csoeder at bbn.com
Fri Jan 18 21:14:12 UTC 2013

I'm writing an App Layer Module for DNS.

I want to detect anomalies in DNS UDP packets and set app-layer-events. I managed to get this (sort of) working. I added a rule to trigger on the DNS app-layer-event I added. And I fed suricata a packet that caused the DNS parser to set the event. Suricata generated an alert as expected. However,  it also gave this warning:

	[2287] 18/1/2013 -- 15:35:02 - (stream.c:236) <Warning> (StreamSegmentForEach) -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - UDP is currently unsupported

The warning is caused because Unified2PacketTypeAlert thinks the packet is part of a stream. It thinks it's a stream because the PACKET_ALERT_FLAG_STATE_MATCH bit is set in the PacketAlert flags field. Here is the relevant line from alert-unified2-alert.c:

        ret = Unified2PacketTypeAlert(aun, p, event_id,

If either the STATE_MATCH or STREAM_MATCH bit is set, Unified2PacketTypeAlert calls SteamSegmentForEach.

Should suricata be executing Unified2PacketTypeAlert for alert triggered by app-layer-event? 

Should PACKET_ALERT_FLAG_STATE_MATCH be set for DNS app-layer-event when it's trigger by an UDP packet?

Is there an example of an app-layer-event triggered by a UDP packet so I can trace its path? 


More information about the Oisf-devel mailing list