[Oisf-users] "app-layer-protocol:DNS" not working.

Nick Price nick at spun.io
Tue Dec 19 14:07:49 UTC 2017


Try changing the final rule to

drop ip any any -> any any (msg:"Illegal traffic."; app-layer-protocol:!dns; sid:22710042; rev:1;)

> On Dec 19, 2017, at 8:14 AM, Amin Saba <amn.brhm.sb at gmail.com> wrote:
> 
> I have the following ruleset which is supposed to drop all traffic except udp DNS.
> I send traffic to this suricata instance via a divert socket (in FreeBSD).
> 
> pass udp any any -> any any (msg:"Allow DNS"; app-layer-protocol:dns; sid:22710040;)
> pass icmp  any any -> any any (msg:"Allow ICMP"; flow:established; itype:>0; sid:22710041; rev:1;)
> drop ip  any any -> any any (msg:"Illegal traffic."; sid:22710042; rev:1;)
> 
> Suricata drops all dns request traffic with the alert log of the last rule.
> 
> Can you please help me with this issue?
> Thanks in advance.
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> 
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
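The thread turns on a catch-all `drop ip` rule that carries no `app-layer-protocol` exclusion for the protocol the `pass` rule allows. The script below is an added example, not code from the thread or from the Suricata project: a hypothetical static lint that parses rule lines with a simplified grammar (option values containing `;` are not handled), collects the application protocols that `pass` rules allow, and flags any `drop`/`reject` rule on `ip` or `any` that does not exclude them with `app-layer-protocol:!<proto>`, which is the change suggested in the reply. The two rulesets embedded at the bottom are the original and corrected rules as posted, included so the script runs offline.

```python
"""Hypothetical ruleset lint (example code, not part of Suricata).

It checks one ordering hazard: a catch-all drop rule that does not exclude an
application protocol which an earlier `pass` rule explicitly allows.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Simplified Suricata rule grammar: action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^\s*(?P<action>pass|drop|reject|alert)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    sid: Optional[str] = None
    options: List[Tuple[str, Optional[str]]] = field(default_factory=list)

    def values(self, key: str) -> List[str]:
        """All values given for an option keyword (e.g. app-layer-protocol)."""
        return [v for k, v in self.options if k == key and v is not None]


def parse_rule(line: str) -> Rule:
    """Parse one rule line; option values have surrounding quotes stripped."""
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"unparsable rule: {line!r}")
    opts: List[Tuple[str, Optional[str]]] = []
    for raw in filter(None, (o.strip() for o in m.group("opts").split(";"))):
        key, _, val = raw.partition(":")
        opts.append((key.strip(), val.strip().strip('"') if val else None))
    rule = Rule(m.group("action"), m.group("proto"), None, opts)
    sids = rule.values("sid")
    rule.sid = sids[0] if sids else None
    return rule


def lint(ruleset: str) -> List[str]:
    """Return one finding per allowed app-layer protocol a catch-all drop fails to exclude."""
    rules = [parse_rule(l) for l in ruleset.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    allowed = {p for r in rules if r.action == "pass"
               for p in r.values("app-layer-protocol") if not p.startswith("!")}
    findings = []
    for r in rules:
        if r.action not in ("drop", "reject") or r.proto not in ("ip", "any"):
            continue
        excluded = {p[1:] for p in r.values("app-layer-protocol") if p.startswith("!")}
        for proto in sorted(allowed - excluded):
            findings.append(
                f"sid {r.sid}: catch-all '{r.action} {r.proto}' rule does not exclude "
                f"app-layer protocol '{proto}' allowed by a pass rule; "
                f"consider adding app-layer-protocol:!{proto}"
            )
    return findings


# Sample input: the rules as posted in the thread (original ruleset).
ORIGINAL_RULES = """
pass udp any any -> any any (msg:"Allow DNS"; app-layer-protocol:dns; sid:22710040;)
pass icmp  any any -> any any (msg:"Allow ICMP"; flow:established; itype:>0; sid:22710041; rev:1;)
drop ip  any any -> any any (msg:"Illegal traffic."; sid:22710042; rev:1;)
"""

# Sample input: the same ruleset with the final rule changed as the reply suggests.
CORRECTED_RULES = """
pass udp any any -> any any (msg:"Allow DNS"; app-layer-protocol:dns; sid:22710040;)
pass icmp  any any -> any any (msg:"Allow ICMP"; flow:established; itype:>0; sid:22710041; rev:1;)
drop ip any any -> any any (msg:"Illegal traffic."; app-layer-protocol:!dns; sid:22710042; rev:1;)
"""

if __name__ == "__main__":
    for name, rs in (("original", ORIGINAL_RULES), ("corrected", CORRECTED_RULES)):
        print(f"{name}: {lint(rs) or ['no findings']}")
```

Running it reports one finding against sid 22710042 for the original ruleset and none for the corrected one. The check is purely syntactic; it does not model Suricata's rule ordering or when application-layer detection completes on a flow, so it complements rather than replaces testing the ruleset against real traffic.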