[Oisf-devel] FP on new Suricata git dns decoder

rmkml rmkml at yahoo.fr
Fri Jul 5 20:32:25 UTC 2013 

Hi,

Congrats for hard work on new git (yesterday) dns decoder,

but I have FP with it :

Joigned pcap file,

suricata-git4jul2013 -c suricata.yaml_dns -r suricatafpdnsdecoder.pcap
(only dns-events.rules and enabled dns log)

FP on log/fast.log:
07/04/2013-21:47:51.585903  [**] [1:2240006:1] SURICATA DNS Z flag set [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.42.129:53 -> 192.168.42.150:55597
07/04/2013-21:47:51.585903  [**] [1:2240005:1] SURICATA DNS Not a response [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.42.129:53 -> 192.168.42.150:55597
07/04/2013-21:47:51.585903  [**] [1:2240002:1] SURICATA DNS malformed request data [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.42.129:53 -> 192.168.42.150:55597
07/04/2013-21:47:51.585903  [**] [1:2240001:1] SURICATA DNS Unsollicited response [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.42.129:53 -> 192.168.42.150:55597

more log/dns.log:
07/04/2013-21:47:51.585903 [**] Response TX 64b7 [**] static.programme-tv.net [**] CNAME [**] TTL 630 [**] programme-tv.net.edgesuite.net [**] 192.168.42.129:53 -> 192.168.42.150:55597
07/04/2013-21:47:51.585903 [**] Response TX 64b7 [**] programme-tv.net.edgesuite.net [**] CNAME [**] TTL 20432 [**] a1859.g.akamai.net [**] 192.168.42.129:53 -> 192.168.42.150:55597
07/04/2013-21:47:51.585903 [**] Response TX 64b7 [**] g.akamai.net [**] SOA [**] TTL 1000 [**] n0g.akamai.net [**] 192.168.42.129:53 -> 192.168.42.150:55597

tshark output:
   1 21:47:51.442123 192.168.42.150 -> 192.168.42.129 DNS Standard query 0xe71d  A static.programme-tv.net
   2 21:47:51.442148 192.168.42.150 -> 192.168.42.129 DNS Standard query 0x64b7  AAAA static.programme-tv.net
   3 21:47:51.585903 192.168.42.129 -> 192.168.42.150 DNS Standard query response 0xe71d  CNAME programme-tv.net.edgesuite.net CNAME a1859.g.akamai.net A 90.84.55.48 A 90.84.55.64
   4 21:47:51.592983 192.168.42.129 -> 192.168.42.150 DNS Standard query response 0x64b7  CNAME programme-tv.net.edgesuite.net CNAME a1859.g.akamai.net

07/04/2013-21:47:51.585903 contains dns standard query response without DNS Z flag set.

Anyone check please ?
if confirm I open a new redmine ticket

Regards
@Rmkml
-------------- next part --------------
A non-text attachment was scrubbed...
Name: suricatafpdnsdecoder.pcap
Type: application/vnd.tcpdump.pcap
Size: 653 bytes
Desc: 
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20130705/811ed948/attachment.bin>

More information about the Oisf-devel mailing list