[Oisf-users] Monitoring DNS over TLS: SURICATA TLS on unusual port

Konstantin Klinger konstantinklinger at mailbox.org
Sun Jan 5 12:34:52 UTC 2020


Hi Carlos,

could you please share your suricata.yaml and additionally a sample pcap of your DNS over TLS traffic via port 853, if it is possible? If you would not like to share it publicly, but with me, I've attached my PGP key.

Thanks,

Konstantin

> On January 5, 2020 at 1:08 PM Carlos Lopez <clopmz at outlook.com> wrote:
>
> Hi all,
>
> I have a DNS cache server based on unbound redirecting all external queries to CloudFlare's DNS servers via DNS over TLS and, as I indicated in the subject, a lot of alerts are triggered as "SURICATA TLS on unusual port".
>
> I have tried to inform our Suricata sensors via "app-layer,tls,dp" that port 853 is a valid TLS port, without luck … I have checked every TLS variable for Suricata without result.
>
> Then how do I inform Suricata that port 853 is a valid TLS port?
>
> --
> Regards,
> C. L. Martinez
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
>
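As an added example that is not part of the thread: a small Python triage helper that reads Suricata EVE JSON alert records, separates "SURICATA TLS on unusual port" alerts that go to the resolver's known DoT upstreams on 853 from any that do not, and emits threshold.config suppress lines for the expected ones. The sample records, the upstream allowlist and the signature id are constructed assumptions, not values from the thread.

```python
import json
from collections import Counter

SIGNATURE = "SURICATA TLS on unusual port"

# Constructed sample eve.json lines (default EVE field names assumed); the
# addresses and sig id 1 are placeholders, not values from the list thread.
SAMPLE_EVE = """\
{"event_type":"alert","src_ip":"192.0.2.10","src_port":51000,"dest_ip":"1.1.1.1","dest_port":853,"proto":"TCP","app_proto":"tls","alert":{"signature":"SURICATA TLS on unusual port","signature_id":1}}
{"event_type":"alert","src_ip":"192.0.2.10","src_port":51001,"dest_ip":"1.0.0.1","dest_port":853,"proto":"TCP","app_proto":"tls","alert":{"signature":"SURICATA TLS on unusual port","signature_id":1}}
{"event_type":"alert","src_ip":"192.0.2.11","src_port":51002,"dest_ip":"198.51.100.7","dest_port":8443,"proto":"TCP","app_proto":"tls","alert":{"signature":"SURICATA TLS on unusual port","signature_id":1}}
{"event_type":"tls","src_ip":"192.0.2.10","src_port":51003,"dest_ip":"1.1.1.1","dest_port":853,"proto":"TCP","tls":{"sni":"cloudflare-dns.com"}}
"""

# Hypothetical allowlist: the (ip, port) pairs unbound is configured to forward to.
EXPECTED_DOT = {("1.1.1.1", 853), ("1.0.0.1", 853)}


def triage_unusual_port_alerts(eve_text, expected=EXPECTED_DOT):
    """Return (Counter of expected DoT hits, list of unexplained alerts)."""
    expected_hits, unexplained = Counter(), []
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        # Only alert records carrying the signature we are triaging.
        if rec.get("event_type") != "alert":
            continue
        if rec.get("alert", {}).get("signature") != SIGNATURE:
            continue
        key = (rec["dest_ip"], rec["dest_port"])
        if key in expected:
            expected_hits[key] += 1
        else:
            # TLS to a port we did not plan for: keep it for a human to look at.
            unexplained.append({"src_ip": rec["src_ip"],
                                "dest_ip": rec["dest_ip"],
                                "dest_port": rec["dest_port"]})
    return expected_hits, unexplained


def suppress_rules(expected_hits, sig_id):
    """threshold.config suppress lines scoped to the known upstreams only."""
    return ["suppress gen_id 1, sig_id %d, track by_dst, ip %s" % (sig_id, ip)
            for (ip, _port) in sorted(expected_hits)]


if __name__ == "__main__":
    hits, odd = triage_unusual_port_alerts(SAMPLE_EVE)
    print("expected DoT alerts:", dict(hits))
    print("unexplained:", odd)
    print("\n".join(suppress_rules(hits, sig_id=1)))
```

The suppress lines only hide the alert for the listed upstream addresses, so TLS to 853 or any other non-443 port elsewhere still alerts.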

