[Oisf-users] Turn off flow tracking?

Michael J. Sheldon msheldon at godaddy.com
Fri Jan 6 20:17:57 UTC 2017

I have definitely considered converting the rule to be udp packet rather than dns

drop udp $EXTERNAL_NET any -> $INTERNET_NET $DNS_PORTS (msg:"DROP Config sourcenetwork filter test"; flow:to_server; pcre:"/example.com/i"; nocase; sid:3110039;)

Will not work, since the domain name is encoded. Probably need to be something like:
drop udp $EXTERNAL_NET any -> $INTERNET_NET $DNS_PORTS (msg:"DROP Config sourcenetwork filter test"; flow:to_server; pcre:"/\07example\03com/i"; nocase; sid:3110039;)

I had been looking at:
drop udp $EXTERNAL_NET any -> $INTERNET_NET $DNS_PORTS (msg:"DROP Config sourcenetwork filter test"; flow:to_server;content:"|07|example|03|com"; nocase; sid:3110039;)

At this point, it begs the question, do I even need to turn the dns protocol filter on?

Michael Sheldon
Dev-DNS Services

From: lists at ish.cx <lists at ish.cx> on behalf of Jason Ish <lists at unx.ca>
Sent: Friday, January 6, 2017 12:57
To: Michael J. Sheldon
Cc: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Turn off flow tracking?

On Fri, Jan 6, 2017 at 12:45 PM, Michael J. Sheldon <msheldon at godaddy.com<mailto:msheldon at godaddy.com>> wrote:
Suricata 3.1.3 Running in IPS mode

Is it possible to tell Suricata to NOT do flow tracking for UDP?
We use suricata for DNS traffic, and flow tracking is quite frankly useless, as there are no true flows with DNS UDP

On top of that, it appears that somehow, some folks are bypassing the rules by flooding from the same IP:port.

You can see from the below log, that the same source/port was sending the same request repeatedly. I have a drop rule in place, but when the tx_id reaches 501, it stops blocking, and the traffic goes through. The flow_id is the same for every request. There are identical chains in the log for different ip:port combinations.

So effectively, instead of blocking the source address completely, I only end up blocking the first 501 requests. A new source will get blocked, but again, only for 501 requests.

I think this is an issue we need to look into further, but in the meantime there might be a work-around.

In your suricata.yaml, under app-layer.dns, change "yes" to "detection-only" like:

        enabled: detection-only
          dp: 53
        enabled: detection-only
          dp: 53

drop dns $EXTERNAL_NET any -> $INTERNAL_NET $DNS_PORTS (msg:"DROP Config sourcenetwork filter test"; dns_query; content:"example.com<http://example.com>"; nocase; sid:3110039;)

Then you'll also need to change your rule to a more generic rule such as:

drop udp $EXTERNAL_NET any -> $INTERNET_NET $DNS_PORTS (msg:"DROP Config sourcenetwork filter test"; flow:to_server; pcre:"/example.com<http://example.com/>/i"; nocase; sid:3110039;)

Anyways, I know its not the answer you are likely looking for, and I will be looking into it further. And in the mean time maybe someone else will have a better suggestion?


More information about the Oisf-users mailing list