[Oisf-users] "app-layer-protocol:DNS" not working.

Amin Saba amn.brhm.sb at gmail.com
Tue Dec 19 13:14:56 UTC 2017

I have the following ruleset which is supposed to drop all traffic except
udp DNS.
I send traffic to this suricata instance via a divert socket (in FreeBSD).

pass udp any any -> any any (msg:"Allow DNS"; app-layer-protocol:dns;
pass icmp  any any -> any any (msg:"Allow ICMP"; flow:established;
itype:>0; sid:22710041; rev:1;)
drop ip  any any -> any any (msg:"Illegal traffic."; sid:22710042; rev:1;)

Suricata drops all dns request traffic with the alert log of the last rule.

Can you please help me with this issue?
Thanks in advance.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20171219/f40ea5d3/attachment.html>

More information about the Oisf-users mailing list