[Oisf-users] What does this message mean?

Cooper F. Nelson cnelson at ucsd.edu
Mon Jun 29 22:30:12 UTC 2015



My current ruleset has the following comment:

> $ head -n2 dns-events.rules
> # Response (answer) we didn't see a Request for. Could be packet loss.
> alert dns any any -> any any (msg:"SURICATA DNS Unsollicited response"; flow:to_client; app-layer-event:dns.unsollicited_response; sid:2240001; rev:1;)

It means there was a response from a DNS server without an associated request.

This could mean packet loss as described in the comment, or you could be on the receiving end of a DNS amplification DOS.

-Coop

On 6/29/2015 3:20 PM, James Moe wrote:
> On 06/29/2015 11:01 AM, Andreas Moe wrote:
>> Firstly the rule itself in the suricata rules folder (as defined in
>> the suricata config) will show what this rule will trigger on.
> 
> alert dns any any -> any any (msg:"SURICATA DNS Unsollicited
> response"; flow:to_client; app-layer-event:dns.unsollicited_response;
> sid:2240001; rev:1;)
>   The rule says the same thing as the comment (also misspelled). No
> further info here.
>   The docs say much the same as your post: "Look at the rule; it is so
> informative."
> 
>> Comments are usualy provided [...]
> 
>   Not in this case. Or most other rules that I have read.
>   My questions are:
> - How is this a problem?
> - What kind of attack or intrusion is implied by a (seemingly)
> spurious response?
> 

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
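As an added illustration of the distinction Coop draws (this is not code from the thread or from the Suricata project), the script below replays the "answer without a matching query" check over Suricata EVE JSON dns records and then triages the hits per receiving host: one stray answer looks like a lost query, while a burst of ANY answers from several servers to one host is what an amplification victim sees. It assumes the EVE dns record layout (flow_id, dns.id, dns.type, dns.rrtype), constructed sample lines, and an arbitrary threshold.

```python
import json
from collections import defaultdict

# Constructed EVE JSON "dns" records (not captured traffic). Field layout assumed to
# follow eve.json dns events: flow_id, src_ip, dest_ip, dns.type, dns.id, dns.rrtype.
EVE_LINES = """\
{"event_type":"dns","flow_id":1,"src_ip":"10.0.0.5","dest_ip":"198.51.100.1","dns":{"type":"query","id":11,"rrname":"example.com","rrtype":"A"}}
{"event_type":"dns","flow_id":1,"src_ip":"198.51.100.1","dest_ip":"10.0.0.5","dns":{"type":"answer","id":11,"rrname":"example.com","rrtype":"A"}}
{"event_type":"dns","flow_id":2,"src_ip":"198.51.100.2","dest_ip":"10.0.0.5","dns":{"type":"answer","id":12,"rrname":"example.org","rrtype":"A"}}
{"event_type":"dns","flow_id":3,"src_ip":"203.0.113.9","dest_ip":"10.0.0.7","dns":{"type":"answer","id":40,"rrname":"isc.org","rrtype":"ANY"}}
{"event_type":"dns","flow_id":4,"src_ip":"203.0.113.9","dest_ip":"10.0.0.7","dns":{"type":"answer","id":41,"rrname":"isc.org","rrtype":"ANY"}}
{"event_type":"dns","flow_id":5,"src_ip":"203.0.113.10","dest_ip":"10.0.0.7","dns":{"type":"answer","id":42,"rrname":"isc.org","rrtype":"ANY"}}
{"event_type":"dns","flow_id":6,"src_ip":"203.0.113.11","dest_ip":"10.0.0.7","dns":{"type":"answer","id":43,"rrname":"isc.org","rrtype":"ANY"}}
"""

def unsolicited_responses(lines):
    """Answer records with no earlier query sharing the same flow_id and DNS
    transaction id: the same condition the dns.unsollicited_response event flags."""
    seen_queries = set()
    unsolicited = []
    for line in filter(str.strip, lines.splitlines()):
        ev = json.loads(line)
        if ev.get("event_type") != "dns":
            continue
        key = (ev["flow_id"], ev["dns"]["id"])
        if ev["dns"]["type"] == "query":
            seen_queries.add(key)
        elif key not in seen_queries:
            unsolicited.append(ev)
    return unsolicited

def triage(unsolicited, threshold=3):
    """Group hits by the host that received them. One stray answer fits packet loss
    of the query; many answers from several servers to one host (often for ANY) is
    the reflection/amplification pattern. The threshold is an assumed tuning value."""
    per_victim = defaultdict(lambda: {"count": 0, "servers": set(), "any_count": 0})
    for ev in unsolicited:
        v = per_victim[ev["dest_ip"]]
        v["count"] += 1
        v["servers"].add(ev["src_ip"])
        if ev["dns"]["rrtype"] == "ANY":
            v["any_count"] += 1
    for v in per_victim.values():
        v["verdict"] = "possible amplification" if v["count"] >= threshold else "likely packet loss"
    return dict(per_victim)

if __name__ == "__main__":
    for host, info in triage(unsolicited_responses(EVE_LINES)).items():
        print(host, info["verdict"], info["count"], sorted(info["servers"]))
```

On the sample input the host 10.0.0.5 gets one stray answer (packet loss), while 10.0.0.7 gets four ANY answers from three servers and is flagged for a closer look.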


