From mboxrd@z Thu Jan 1 00:00:00 1970 From: Peter =?utf-8?q?M=C3=BCller?= To: development@lists.ipfire.org Subject: [PATCH 3/3] Suricata: detect DNS events on port 853, too Date: Thu, 07 Feb 2019 17:47:00 +0000 Message-ID: <35331b2c-281e-f72f-fdd9-de8bfa592717@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============7260132759172606402==" List-Id: --===============7260132759172606402== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit As DNS over TLS popularity is increasing, port 853 becomes more interesting for an attacker as a bypass method. Enabling this port for DNS monitoring makes sense in order to avoid unusual activity (non-DNS traffic) as well as "normal" DNS attacks. Partially fixes #11808 Signed-off-by: Peter Müller Cc: Stefan Schantl --- config/suricata/suricata.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index d7302788c..67b9e8a7d 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -208,11 +208,11 @@ app-layer: tcp: enabled: yes detection-ports: - dp: 53 + dp: "[53,853]" udp: enabled: yes detection-ports: - dp: 53 + dp: "[53,853]" http: enabled: yes # memcap: 64mb -- 2.16.4 --===============7260132759172606402==--
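Review bot: In both `dp: "[53,853]"` lines (tcp and udp), port 853 is handed to the plain DNS parser, yet the commit message describes that port as DNS over TLS, so what the parser sees on it is a TLS stream rather than DNS messages. Please state in the commit message which events this is expected to raise on 853 (the "non-DNS traffic" case appears to be the only one that can fire on encrypted payload), and whether the udp entry is needed at all, since the message only motivates the TLS case. A short YAML comment beside the tcp `detection-ports` entry saying why 853 is listed would help whoever edits this file next, and "Partially fixes #11808" should say what remains open.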