From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH 3/3] Suricata: detect DNS events on port 853, too
Date: Fri, 08 Feb 2019 12:51:56 +0000
In-Reply-To: <810148a0d8ba79e29be7e980d7a1eb4dc7aa89eb.camel@ipfire.org>

Do we expect any plain DNS traffic on this port? I am not sure if any rules would match the TLS traffic here.

> On 7 Feb 2019, at 20:34, Stefan Schantl wrote:
>
> Merged.
>
> Best regards,
>
> -Stefan
>
>> As DNS over TLS popularity is increasing, port 853 becomes
>> more interesting for an attacker as a bypass method. Enabling
>> this port for DNS monitoring makes sense in order to avoid
>> unusual activity (non-DNS traffic) as well as "normal" DNS
>> attacks.
>>
>> Partially fixes #11808
>>
>> Signed-off-by: Peter Müller
>> Cc: Stefan Schantl
>> ---
>> config/suricata/suricata.yaml | 4 ++--
>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/config/suricata/suricata.yaml
>> b/config/suricata/suricata.yaml
>> index d7302788c..67b9e8a7d 100644
>> --- a/config/suricata/suricata.yaml
>> +++ b/config/suricata/suricata.yaml
>> @@ -208,11 +208,11 @@ app-layer:
>> tcp:
>> enabled: yes
>> detection-ports:
>> - dp: 53
>> + dp: "[53,853]"
>> udp:
>> enabled: yes
>> detection-ports:
>> - dp: 53
>> + dp: "[53,853]"
>> http:
>> enabled: yes
>> # memcap: 64mb
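Review bot: Adding 853 to the DNS app-layer `detection-ports` (both the `tcp:` and the `udp:` block of this hunk) does not give Suricata visibility into DNS over TLS: what arrives on tcp/853 is a TLS stream, so the DNS parser will not recognize it and DNS signatures cannot match, which is exactly the question raised in the reply above. If the goal is to catch "unusual activity (non-DNS traffic)" on 853 as the commit message says, the better place for the port is the `tls:` section's `detection-ports` (so non-TLS traffic on 853 stands out as a protocol mismatch), or a rule keyed on `tcp` port 853 without `app-layer-protocol:tls`; the commit message should then say what is and is not detectable on that port. The `udp:` half of the change also needs a justification: DNS over TLS is TCP only, and udp/853 is reserved for DNS over DTLS, which is rarely deployed, so `+ dp: "[53,853]"` under `udp:` is most likely a no-op and could be dropped.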