-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy pathdns_rules_tests_expected_results.txt
75 lines (60 loc) · 6.16 KB
/
dns_rules_tests_expected_results.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
########## INVALID_TRAFFIC ##########
### dns_caa_records.pcap
$ grep DNS /var/log/suricata/fast.log
07/28/2020-11:40:50.796373 [**] [1:2020119014:1] DNS packet too large [**] [Classification: (null)] [Priority: 3] {TCP} 9.9.9.9:53 -> 193.24.227.230:49730
07/28/2020-11:40:53.362696 [**] [1:2020119014:1] DNS packet too large [**] [Classification: (null)] [Priority: 3] {TCP} 9.9.9.9:53 -> 193.24.227.230:33123
07/28/2020-11:42:07.137916 [**] [1:2020119011:1] Potential DNS heap overflow exploit (CVE-2020-11901, variant 1) [**] [Classification: (null)] [Priority: 3] {UDP} 9.9.9.9:53 -> 193.24.227.230:60519
07/28/2020-11:42:51.497596 [**] [1:2020119014:1] DNS packet too large [**] [Classification: (null)] [Priority: 3] {TCP} 2620:00fe:0000:0000:0000:0000:0000:00fe:53 -> 2001:0470:765b:0000:0000:0000:0b15:0022:41446
07/28/2020-11:42:52.147922 [**] [1:2020119014:1] DNS packet too large [**] [Classification: (null)] [Priority: 3] {TCP} 2620:00fe:0000:0000:0000:0000:0000:00fe:53 -> 2001:0470:765b:0000:0000:0000:0b15:0022:41446
07/28/2020-11:42:53.442988 [**] [1:2020119014:1] DNS packet too large [**] [Classification: (null)] [Priority: 3] {TCP} 2620:00fe:0000:0000:0000:0000:0000:00fe:53 -> 2001:0470:765b:0000:0000:0000:0b15:0022:58414
07/28/2020-11:44:32.326105 [**] [1:2020119014:1] DNS packet too large [**] [Classification: (null)] [Priority: 3] {UDP} 2620:00fe:0000:0000:0000:0000:0000:00fe:53 -> 2001:0470:765b:0000:0000:0000:0b15:0022:44840
07/28/2020-11:44:32.326105 [**] [1:2020119011:1] Potential DNS heap overflow exploit (CVE-2020-11901, variant 1) [**] [Classification: (null)] [Priority: 3] {UDP} 2620:00fe:0000:0000:0000:0000:0000:00fe:53 -> 2001:0470:765b:0000:0000:0000:0b15:0022:44840
### dns_hip_invalid_character.pcap
$ grep DNS /var/log/suricata/fast.log
07/28/2020-11:50:01.734227 [**] [1:2020119013:1] DNS response contains invalid domain name [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.117.147:53 -> 192.168.117.1:59179
### dns_long_cname.pcap
$ grep DNS /var/log/suricata/fast.log
07/28/2020-11:54:03.277891 [**] [1:2020119013:1] DNS response contains invalid domain name [**] [Classification: (null)] [Priority: 3] {UDP} 216.49.88.14:53 -> 63.194.190.164:47946
### dns_over_tcp.pcap
$ grep DNS /var/log/suricata/fast.log
07/28/2020-11:54:44.861630 [**] [1:2020119015:1] DNS over TCP packet too large [**] [Classification: (null)] [Priority: 3] {TCP} 216.49.88.14:53 -> 208.84.240.203:38824
### dns_over_udp_with_edns.pcap
$ grep DNS /var/log/suricata/fast.log
07/28/2020-11:55:52.159035 [**] [1:2020119014:1] DNS packet too large [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.117.147:53 -> 192.168.117.1:56772
07/28/2020-11:55:52.159035 [**] [1:2020119011:1] Potential DNS heap overflow exploit (CVE-2020-11901, variant 1) [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.117.147:53 -> 192.168.117.1:56772
07/28/2020-11:55:52.159035 [**] [1:2020119013:1] DNS response contains invalid domain name [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.117.147:53 -> 192.168.117.1:56772
### dns_over_udp_with_edns_5000_bytes.pcap
$ grep DNS /var/log/suricata/fast.log
07/28/2020-11:58:11.506358 [**] [1:2020119014:1] DNS packet too large [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.117.147:53 -> 192.168.117.1:49603
07/28/2020-11:58:11.506358 [**] [1:2020119011:1] Potential DNS heap overflow exploit (CVE-2020-11901, variant 1) [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.117.147:53 -> 192.168.117.1:49603
07/28/2020-11:58:11.506358 [**] [1:2020119013:1] DNS response contains invalid domain name [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.117.147:53 -> 192.168.117.1:49603
### dns_variant_1.pcap
$ grep DNS /var/log/suricata/fast.log
07/28/2020-11:59:44.800633 [**] [1:2020119014:1] DNS packet too large [**] [Classification: (null)] [Priority: 3] {UDP} 172.16.139.135:53 -> 172.16.139.135:33058
07/28/2020-11:59:44.800633 [**] [1:2020119011:1] Potential DNS heap overflow exploit (CVE-2020-11901, variant 1) [**] [Classification: (null)] [Priority: 3] {UDP} 172.16.139.135:53 -> 172.16.139.135:33058
07/28/2020-11:59:44.800633 [**] [1:2020119013:1] DNS response contains invalid domain name [**] [Classification: (null)] [Priority: 3] {UDP} 172.16.139.135:53 -> 172.16.139.135:33058
### dns_variant_2.pcap
$ grep DNS /var/log/suricata/fast.log
07/28/2020-12:00:43.252053 [**] [1:2020119014:1] DNS packet too large [**] [Classification: (null)] [Priority: 3] {UDP} 172.16.139.135:53 -> 172.16.139.135:33058
07/28/2020-12:00:43.252053 [**] [1:2020119011:1] Potential DNS heap overflow exploit (CVE-2020-11901, variant 1) [**] [Classification: (null)] [Priority: 3] {UDP} 172.16.139.135:53 -> 172.16.139.135:33058
07/28/2020-12:00:43.252053 [**] [1:2020119012:1] Potential DNS heap overflow exploit (CVE-2020-11901, variant 2) [**] [Classification: (null)] [Priority: 3] {UDP} 172.16.139.135:53 -> 172.16.139.135:33058
########## VALID TRAFFIC ##########
### dns_cname_records.pcap
$ grep DNS /var/log/suricata/fast.log
<EMPTY>
### dns_high_pointer_count.pcap
$ grep DNS /var/log/suricata/fast.log
<EMPTY>
### dns_over_tcp.pcap
$ grep DNS /var/log/suricata/fast.log
<EMPTY>
### dns_over_udp_with_edns.pcap
$ grep DNS /var/log/suricata/fast.log
<EMPTY>
### dns_over_udp_without_edns.pcap
$ grep DNS /var/log/suricata/fast.log
<EMPTY>
### mcafee_dns_traffic.pcap
$ grep DNS /var/log/suricata/fast.log
07/28/2020-12:08:22.639679 [**] [1:2020119014:1] DNS packet too large [**] [Classification: (null)] [Priority: 3] {UDP} 216.49.88.14:53 -> 23.100.76.172:63562
07/28/2020-12:08:48.560316 [**] [1:2020119013:1] DNS response contains invalid domain name [**] [Classification: (null)] [Priority: 3] {UDP} 216.49.88.14:53 -> 74.125.43.66:37760 07/28/2020-12:09:23.261047 [**] [1:2020119013:1] DNS response contains invalid domain name [**] [Classification: (null)] [Priority: 3] {UDP} 216.49.88.14:53 -> 192.241.208.98:5606 07/28/2020-12:09:33.489360 [**] [1:2020119013:1] DNS response contains invalid domain name [**] [Classification: (null)] [Priority: 3] {UDP} 216.49.88.14:53 -> 138.68.208.49:49049