suricata icon indicating copy to clipboard operation
suricata copied to clipboard

Published 20 hours ago verified publisher icon OISF

Fix dns in tcp flow not detected

Open zagge-cgeo opened this issue 1 year ago • 1 comments

This fixes issue 4759. The problem is, that when tcp rules are active in case of a tcp dns connection first the server to client is inspected and nothing found. Afterwards the full flow is marked as processed and therefore the dns query in TCP is not found.

Fixed problems found by fuzzing. Thanks to Jason Ish for the help.

Make sure these boxes are signed before submitting your Pull Request -- thank you.

  • [ x] I have read the contributing guide lines at https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Contributing
  • [ x] I have signed the Open Information Security Foundation contribution agreement at https://suricata.io/about/contribution-agreement/

Link to redmine ticket: https://redmine.openinfosecfoundation.org/issues/4759

Describe changes: Fixed problems found by fuzzing.

This replaces https://github.com/OISF/suricata/pull/7693

zagge-cgeo avatar Sep 08 '22 04:09 zagge-cgeo

Codecov Report

Merging #7835 (aacaa55) into master (bb2e111) will decrease coverage by 0.12%. The diff coverage is n/a.

@@            Coverage Diff             @@
##           master    #7835      +/-   ##
==========================================
- Coverage   76.10%   75.97%   -0.13%     
==========================================
  Files         663      663              
  Lines      185889   185887       -2     
==========================================
- Hits       141467   141231     -236     
- Misses      44422    44656     +234
Flag Coverage Δ
fuzzcorpus 60.79% <ø> (-0.23%) :arrow_down:
suricata-verify 52.51% <ø> (-0.08%) :arrow_down:
unittests 60.70% <ø> (+<0.01%) :arrow_up:

Flags with carried forward coverage won't be shown. Click here to find out more.

codecov[bot] avatar Sep 08 '22 05:09 codecov[bot]

What is the status with this pull request? Any change to get it merged?

zagge-cgeo avatar Oct 12 '22 10:10 zagge-cgeo

What is the status with this pull request? Any change to get it merged?

Hi! From the label added by Victor, I assume he would like to have a suricata-verify test to go with this. :)

jufajardini avatar Oct 12 '22 11:10 jufajardini

I have created a test for suricata-verify that fails without the patch. What is the way to go forward with the patch?

zagge-cgeo avatar Oct 20 '22 08:10 zagge-cgeo

@zagge-cgeo thanks for your first contribution to our project! :) I asked for some minor changes.

I could not find the suricata-verify test you created for this in https://github.com/OISF/suricata-verify/pulls Could you please make sure the PR is there and add that PR number to the suricata PR description? e.g. #8042 See suricata-verify-pr: ...

As I did not know how this is handled I had not created the PR yet. This is now done you can find it here:

suricata-verify-pr: https://github.com/OISF/suricata-verify/pull/967

I will work on the thing you pointed out and create a new PR.

Thanks for you help.

zagge-cgeo avatar Oct 20 '22 11:10 zagge-cgeo

Replaced by: https://github.com/OISF/suricata/pull/8056

jufajardini avatar Oct 28 '22 12:10 jufajardini