[Oisf-users] lots of UDP packet too small in fast.log

John Brown john at citylinkfiber.com
Mon Nov 9 14:49:47 UTC 2015


Hi,

First, I'm trying to sort out why Suricata is "detecting" "UDP packet too small" when a tcpdump shows what appears to be a normal packet. Maybe tuning wasn't the right word to use.

Yes, I'm using the current open set of rules from ET

With respect to my second question:
An attacker will use the victim's IP address as the source IP of a UDP DNS packet. They will send a query to a nameserver that is open. They will typically do a DNS ANY query for a zone that has LOTS of data in it. This causes the name server to flood these answers back towards the intended victim.

So I would think that if a rule could be created it would trip on things like:
High rate of DNS queries to the same dest addr, with the same query / query type.
I would think that asking for ANY of ISC.ORG more than, say, 5 times in 10 seconds is enough.



On Mon, Nov 9, 2015 at 5:54 AM, Andreas Herz <andi at geekosphere.org> wrote:
> On 08/11/15 at 22:31, John Brown wrote:
>> Hi,
>>
>> just installed Suricata and I'm noticing that it's logging
>>
>> 11/09/2015-05:25:14.685678  [**] [1:2200038:1] SURICATA UDP packet too
>> small [**] [Classification: (null)] [Priority: 3] {UDP} 24.XX.XX.226:0
>> -> 42.XX.XX.94:0
>> 11/09/2015-05:25:14.694036  [**] [1:2200038:1] SURICATA UDP packet too
>> small [**] [Classification: (null)] [Priority: 3] {UDP} 24.XX.XX.226:0
>> -> 42.XX.XX.94:0
>> 11/09/2015-05:25:15.249368  [**] [1:2200038:1] SURICATA UDP packet too
>> small [**] [Classification: (null)] [Priority: 3] {UDP} 24.XX.XX.226:0
>> -> 42.XX.XX.94:0
>>
>> when I tcpdump these, they are DNS packets that are part of an
>> amplification attack.
>>
>> 1. How do I tune Suricata to track these properly?
>
> What do you have in mind with "tune properly"?
> It's just a rule from decode-events that triggers.
> So anything special you want to achieve?
>
>> 2. Are there rules available that will alert on a DNS Amp attack?
>
> What rules do you already use?
> Do you have a tool with which we could test the attack and see if maybe
> Emerging Threats rules detect it?
>
>> Many thanks for help and pointers.
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
>
> --
> Andreas Herz
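The "more than N identical queries in T seconds" heuristic proposed above, worked through as an added example (not code from the thread or from Suricata): a sliding-window detector over constructed eve.json-style DNS query records, keyed on source, destination, query name and query type. The sample records, IP addresses and thresholds are assumptions chosen to illustrate the pattern.

```python
"""Sliding-window detector for the DNS amplification pattern described in
the thread: many identical queries (same name and type, e.g. ANY) from the
same spoofed source toward the same name server within a short window."""
from collections import defaultdict, deque

# Constructed sample records (hypothetical, eve.json-like DNS query events):
# (timestamp_seconds, src_ip, dst_ip, query_name, query_type)
SAMPLE_QUERIES = [
    (0.0, "203.0.113.5", "198.51.100.53", "isc.org", "ANY"),
    (1.0, "203.0.113.5", "198.51.100.53", "isc.org", "ANY"),
    (2.0, "203.0.113.5", "198.51.100.53", "isc.org", "ANY"),
    (2.5, "192.0.2.10", "198.51.100.53", "example.com", "A"),  # unrelated traffic
    (3.0, "203.0.113.5", "198.51.100.53", "isc.org", "ANY"),
    (4.0, "203.0.113.5", "198.51.100.53", "isc.org", "ANY"),   # 5th in 4 s -> alert
    (30.0, "203.0.113.5", "198.51.100.53", "isc.org", "ANY"),  # earlier ones expired
    (31.0, "203.0.113.5", "198.51.100.53", "isc.org", "ANY"),
]


def detect_repeated_queries(queries, count=5, seconds=10.0):
    """Return one alert per (src, dst, name, type) each time `count` identical
    queries are seen within `seconds`.  The window is cleared after each alert,
    so a sustained flood yields periodic alerts rather than one per packet
    (comparable to a Suricata threshold rule).  Input must be time-ordered."""
    windows = defaultdict(deque)
    alerts = []
    for ts, src, dst, name, rtype in queries:
        key = (src, dst, name.lower(), rtype.upper())
        win = windows[key]
        # Drop timestamps that have fallen out of the window.
        while win and ts - win[0] > seconds:
            win.popleft()
        win.append(ts)
        if len(win) >= count:
            alerts.append({"ts": ts, "src": src, "dst": dst,
                           "query": key[2], "type": key[3], "count": len(win)})
            win.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_repeated_queries(SAMPLE_QUERIES):
        print(alert)
```

With the defaults the sample data produces a single alert at t=4.0; the unrelated A query for example.com never contributes to the count.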


