[Oisf-users] lots of UDP packet too small in fast.log

Andreas Herz andi at geekosphere.org
Tue Nov 10 09:41:37 UTC 2015


What version of suricata do you use?

And which mode do you use? IDS or IPS? The latter could explain why a
better ET rule might not match, since the packet got already dropped by the UDP
rule.

On 09/11/15 at 07:49, John Brown wrote:
> Hi, first I'm trying to sort out why Suricata is "detecting" UDP
> packet too small, when a tcpdump shows
> what appears to be a normal packet. Maybe tuning wasn't the right word to use.

Do you have a pcap for this, so we can see if there is an issue with the
Suricata UDP rule?

> Yes, I'm using the current open set of rules from ET

I did not check the whole ruleset for a rule that covers your "attack";
did you find any that should trigger?

> With respects to my second question:
> An attacker will use the victim's IP address as the source IP of a UDP
> DNS packet.
> They will send a query to a nameserver that is open.  They will
> typically do a DNS ANY
> query for a zone that has LOTS of data in it.
> This causes the name server to flood these answers back towards the
> intended victim..
> 
> So I would think that if a rule could be created it would trip on things like:
> High rate of DNS queries to the same dest addr, with the same query / query type
> I would think that asking for ANY of ISC.ORG more than say, 5 times in
> 10 seconds is enough
> 
> 
> 
> On Mon, Nov 9, 2015 at 5:54 AM, Andreas Herz <andi at geekosphere.org> wrote:
> > On 08/11/15 at 22:31, John Brown wrote:
> >> Hi,
> >>
> >> just installed Suricata and I'm noticing that it's logging
> >>
> >> 11/09/2015-05:25:14.685678  [**] [1:2200038:1] SURICATA UDP packet too
> >> small [**] [Classification: (null)] [Priority: 3] {UDP} 24.XX.XX.226:0
> >> -> 42.XX.XX.94:0
> >> 11/09/2015-05:25:14.694036  [**] [1:2200038:1] SURICATA UDP packet too
> >> small [**] [Classification: (null)] [Priority: 3] {UDP} 24.XX.XX.226:0
> >> -> 42.XX.XX.94:0
> >> 11/09/2015-05:25:15.249368  [**] [1:2200038:1] SURICATA UDP packet too
> >> small [**] [Classification: (null)] [Priority: 3] {UDP} 24.XX.XX.226:0
> >> -> 42.XX.XX.94:0
> >>
> >> when I tcpdump these, they are DNS packets that are part of an
> >> amplification attack.
> >>
> >> 1. How do I tune suricata to track these properly ?
> >
> > What do you have in mind with "tune properly"?
> > It's just a rule from decode-events that triggers.
> > So anything special you want to achieve?
> >
> >> 2. Are there rules available that will alert on a DNS Amp attack?
> >
> > What rules do you already use?
> > Do you have a tool with which we could test the attack and see if maybe
> > Emerging Threats rules detect it?
> >
> >> Many thanks for help and pointers.
> >> _______________________________________________
> >> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> >> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> >> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
> >
> > --
> > Andreas Herz

-- 
Andreas Herz
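The rate heuristic John sketches in the quoted reply (more than 5 ANY queries for the same name towards the same destination within 10 seconds) can be prototyped offline against Suricata's DNS logging before anyone writes a rule. The script below is an added example for this thread, not code from Suricata, Emerging Threats or either poster. It assumes eve.json-style DNS query records (the `event_type`, `src_ip`, `dest_ip`, `timestamp` and nested `dns` fields with `type`, `rrname` and `rrtype`); the sample lines are constructed and use documentation addresses, with 203.0.113.94 standing in for the spoofed victim source and 198.51.100.53 for the open resolver. It generalizes the thread's proposal slightly: the `track` parameter chooses which address fields form the counting key, so the same detector can be keyed on the spoofed source (the victim) instead of the queried server.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _q(ts, src, dst, rrname, rrtype):
    # Build one constructed eve.json-style DNS query record (sample data, not a real log).
    return json.dumps({
        "timestamp": ts, "event_type": "dns", "proto": "UDP",
        "src_ip": src, "src_port": 34567, "dest_ip": dst, "dest_port": 53,
        "dns": {"type": "query", "rrname": rrname, "rrtype": rrtype},
    })


# Constructed sample: seven ANY queries for the same zone inside three seconds,
# one unrelated A query, and one ANY query well outside the 10-second window.
SAMPLE_EVE_LINES = [
    _q("2015-11-09T05:25:14.100000+0000", "203.0.113.94", "198.51.100.53", "isc.org", "ANY"),
    _q("2015-11-09T05:25:14.400000+0000", "203.0.113.94", "198.51.100.53", "isc.org", "ANY"),
    _q("2015-11-09T05:25:14.900000+0000", "203.0.113.10", "198.51.100.53", "example.com", "A"),
    _q("2015-11-09T05:25:15.200000+0000", "203.0.113.94", "198.51.100.53", "isc.org", "ANY"),
    _q("2015-11-09T05:25:15.700000+0000", "203.0.113.94", "198.51.100.53", "isc.org", "ANY"),
    _q("2015-11-09T05:25:16.300000+0000", "203.0.113.94", "198.51.100.53", "isc.org", "ANY"),
    _q("2015-11-09T05:25:16.900000+0000", "203.0.113.94", "198.51.100.53", "isc.org", "ANY"),
    _q("2015-11-09T05:25:17.100000+0000", "203.0.113.94", "198.51.100.53", "isc.org", "ANY"),
    _q("2015-11-09T05:25:50.000000+0000", "203.0.113.94", "198.51.100.53", "isc.org", "ANY"),
]


def detect_query_floods(eve_lines, threshold=5, window_seconds=10, track=("dest_ip",)):
    """Sliding-window counter over DNS query events.

    Counts queries per (tracked address fields, query name, query type) and
    emits an alert every time `threshold` queries land inside `window_seconds`,
    then re-arms the counter, the same semantics as a per-key 'count N in M seconds'
    threshold. Returns the list of alerts.
    """
    window = timedelta(seconds=window_seconds)
    seen = defaultdict(deque)   # key -> timestamps of queries still inside the window
    alerts = []
    for line in eve_lines:
        ev = json.loads(line)
        if ev.get("event_type") != "dns" or ev.get("dns", {}).get("type") != "query":
            continue
        ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        key = tuple(ev[f] for f in track) + (
            ev["dns"]["rrname"].lower(), ev["dns"]["rrtype"].upper())
        q = seen[key]
        # Expire timestamps that fell out of the window before counting this query.
        while q and ts - q[0] > window:
            q.popleft()
        q.append(ts)
        if len(q) >= threshold:
            alerts.append({
                "key": key, "count": len(q),
                "first": q[0].isoformat(), "last": ts.isoformat(),
            })
            q.clear()   # re-arm so the next `threshold` queries raise a fresh alert
    return alerts


if __name__ == "__main__":
    for a in detect_query_floods(SAMPLE_EVE_LINES):
        print("possible DNS amplification query flood:", a)
    # Same events keyed on the (spoofed) source address identifies the victim instead.
    for a in detect_query_floods(SAMPLE_EVE_LINES, track=("src_ip",)):
        print("by spoofed source:", a)
```

Run against a real eve.json with `detect_query_floods(open("eve.json"))`. Keying on `dest_ip` (the thread's proposal) points at the abused resolver; keying on `src_ip` points at the spoofed victim, which is usually the more useful pivot when the sensor sits in front of the name server. In the engine itself the same counting is what the `threshold` keyword (`type threshold, track by_dst/by_src, count N, seconds M`) provides on a DNS rule, so a prototype that behaves as expected here translates directly into rule options.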