No DNS alert when protocol is TCP

[Carlos-mb]

Hi all!

I'd like so much your help to understand why this alert is generated in one circumstance and not in other.

I can see in the dashboard this event:

@timestamp 2024-09-26T06:25:08.312Z
@Version 1
client.ip 10.1.100.51
client.port 60874
container.id dns.log
data_stream.dataset zeek
data_stream.namespace so
data_stream.type logs
destination.geo.continent_name North America
destination.geo.country_iso_code US
destination.geo.country_name United States
destination.geo.ip 8.8.8.8
destination.geo.location.lat 37.751
destination.geo.location.lon -97.822
destination.geo.timezone America/Chicago
destination.ip 8.8.8.8
destination.port 53
destination_geo.asn 15169
destination_geo.ip 8.8.8.8
destination_geo.network 8.8.8.0/24
destination_geo.organization_name GOOGLE
dns.answers.name [
"34.117.59.81"
]
dns.authoritative false
dns.highest_registered_domain ipinfo.io
dns.id 53784
dns.parent_domain ipinfo
dns.parent_domain_length 6
dns.query.class 1
dns.query.class_name C_INTERNET
dns.query.length 9
dns.query.name ipinfo.io
dns.query.rejected false
dns.query.type 1
dns.query.type_name A
dns.recursion.available true
dns.recursion.desired true
dns.reserved 0
dns.response.code 0
dns.response.code_name NOERROR
dns.top_level_domain io
dns.truncated false
dns.ttls [ 49]
ecs.version 8.0.0
elastic_agent.id 4a0cb520-ca78-40e9-b66e-90f2de36ad30
elastic_agent.snapshot false
elastic_agent.version 8.10.4
event.category network
event.dataset zeek.dns
event.duration 0.00477290153503418
event.ingested 2024-09-26T06:25:09.860Z
event.module zeek
input.type log
log.file.path /nsm/zeek/logs/current/dns.log
log.id.uid CTLwA199ELJSuRBMj
log.offset 10350889
message {"ts":1727331908.312627,"uid":"CTLwA199ELJSuRBMj","id.orig_h":"10.1.100.51","id.orig_p":60874,"id.resp_h":"8.8.8.8","id.resp_p":53,"proto":"udp","trans_id":53784,"rtt":0.00477290153503418,"query":"ipinfo.io","qclass":1,"qclass_name":"C_INTERNET","qtype":1,"qtype_name":"A","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":true,"RA":true,"Z":0,"answers":["34.117.59.81"],"TTLs":[49.0],"rejected":false}

metadata.beat filebeat
metadata.input.beats.host.ip 10.1.82.100
metadata.input_id logfile-logs-zeek-logs
metadata.pipeline zeek.dns
metadata.raw_index logs-zeek-so
metadata.stream_id logfile-log.logs-zeek-logs
metadata.type _doc
metadata.version 8.10.4
network.community_id 1:+fZHWkfe5Y1Nl657JLMMV7nBpy4=
network.transport udp
observer.name sv-xxxxxx
pipeline dns
server.ip 8.8.8.8
server.port 53
source.ip 10.1.100.51
source.port 60874
tags [
"elastic-agent",
"input-sv-xxxxxxx",
"beats_input_codec_plain_applied",
"dns"
]
soc_id 2WwBLZIBLSa1K9HLSXd7
soc_score 10.0261345
soc_type
soc_timestamp 2024-09-26T06:25:08.312Z
soc_source sv-xxxxxx:.ds-logs-zeek-so-2024.08.29-000001

And this alert:

@timestamp 2024-09-26T06:25:08.312Z
@Version 1
data_stream.dataset suricata
data_stream.namespace so
data_stream.type logs
destination.geo.continent_name North America
destination.geo.country_iso_code US
destination.geo.country_name United States
destination.geo.ip 8.8.8.8
destination.geo.location.lat 37.751
destination.geo.location.lon -97.822
destination.geo.timezone America/Chicago
destination.ip 8.8.8.8
destination.port 53
destination_geo.asn 15169
destination_geo.ip 8.8.8.8
destination_geo.network 8.8.8.0/24
destination_geo.organization_name GOOGLE
ecs.version 8.0.0
elastic_agent.id 4a0cb520-ca78-40e9-b66e-90f2de36ad30
elastic_agent.snapshot false
elastic_agent.version 8.10.4
event.category network
event.dataset suricata.alert
event.ingested 2024-09-26T06:25:15.991Z
event.module suricata
event.severity 2
event.severity_label medium
input.type log
log.file.path /nsm/suricata/eve-2024-09-26-05:51.json
log.id.uid 1342726876629227
log.offset 1246133
message {"timestamp":"2024-09-26T06:25:08.312627+0000","flow_id":1342726876629227,"in_iface":"bond0","event_type":"alert","vlan":[1],"src_ip":"10.1.100.51","src_port":60874,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","pkt_src":"wire/pcap","community_id":"1:+fZHWkfe5Y1Nl657JLMMV7nBpy4=","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2054168,"rev":1,"signature":"ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)","category":"Device Retrieving External IP Address Detected","severity":2,"metadata":{"affected_product":["Any"],"attack_target":["Client_and_Server"],"confidence":["High"],"created_at":["2024_06_28"],"deployment":["Perimeter"],"performance_impact":["Low"],"signature_severity":["Informational"],"tag":["External_IP_Lookup"],"updated_at":["2024_06_28"]},"rule":"alert dns $HOME_NET any -> any any (msg:"ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)"; dns.query; bsize:9; content:"ipinfo.io"; nocase; reference:url,github.com/chubin/awesome-console-services; classtype:external-ip-check; sid:2054168; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2024_06_28, deployment Perimeter, performance_impact Low, confidence High, signature_severity Informational, tag External_IP_Lookup, updated_at 2024_06_28;)"},"app_proto":"dns","direction":"to_server","payload_printable":".............ipinfo.io.......)........","stream":0,"packet":"AABeAAEBkLEcN2IqgQAAAQgARQAAQuUUAACAEddSCgFkMwgICAjtygA1AC7wv9IYAQAAAQAAAAAAAQZpcGluZm8CaW8AAAEAAQAAKQ+gAAAAAAAA","packet_info":{"linktype":1}}
metadata.beat filebeat
metadata.input.beats.host.ip 10.1.82.100
metadata.input_id logfile-logs-3c2f526b-bce7-494c-95fd-f3f8d5b73dbd
metadata.pipeline suricata.common
metadata.raw_index logs-suricata-so
metadata.stream_id logfile-log.logs-3c2f526b-bce7-494c-95fd-f3f8d5b73dbd
metadata.type _doc
metadata.version 8.10.4
network.community_id 1:+fZHWkfe5Y1Nl657JLMMV7nBpy4=
network.data.decoded .............ipinfo.io.......)........
network.packet_source wire/pcap
network.transport UDP
network.vlan.id [ 1]
observer.ingress.interface.name bond0
observer.name sv-xxxxxxx
rule.action allowed
rule.category Device Retrieving External IP Address Detected
rule.gid 1
rule.metadata.affected_product [ "Any"]
rule.metadata.attack_target [ "Client_and_Server"]
rule.metadata.confidence [ "High"]
rule.metadata.created_at [ "2024_06_28"]
rule.metadata.deployment [ "Perimeter"]
rule.metadata.performance_impact [ "Low"]
rule.metadata.signature_severity [ "Informational"]
rule.metadata.tag [ "External_IP_Lookup"]
rule.metadata.updated_at [ "2024_06_28"]
rule.name ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)
rule.reference https://community.emergingthreats.net
rule.rev 1
rule.rule alert dns $HOME_NET any -> any any (msg:"ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)"; dns.query; bsize:9; content:"ipinfo.io"; nocase; reference:url,github.com/chubin/awesome-console-services; classtype:external-ip-check; sid:2054168; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2024_06_28, deployment Perimeter, performance_impact Low, confidence High, signature_severity Informational, tag External_IP_Lookup, updated_at 2024_06_28;)
rule.ruleset Emerging Threats
rule.severity 2
rule.uuid 2054168
source.ip 10.1.100.51
source.port 60874
tags [ "alert",
"alert"]
soc_id dWwBLZIBLSa1K9HLY3nn
soc_score 2
soc_type
soc_timestamp 2024-09-26T06:25:08.312Z
soc_source sv-xxx:.ds-logs-suricata.alerts-so-2024.09.26-000028

I can see this other event. It's not generating any alert. That is (to my eyes) exactly the same, only changes the IP, port and it's using TCP instead of UDP:

@timestamp 2024-09-26T06:27:45.235Z
@Version 1
client.ip 10.1.80.84
client.port 59333
container.id dns.log
data_stream.dataset zeek
data_stream.namespace so
data_stream.type logs
destination.geo.continent_name North America
destination.geo.country_iso_code US
destination.geo.country_name United States
destination.geo.ip 8.8.8.8
destination.geo.location.lat 37.751
destination.geo.location.lon -97.822
destination.geo.timezone America/Chicago
destination.ip 8.8.8.8
destination.port 53
destination_geo.asn 15169
destination_geo.ip 8.8.8.8
destination_geo.network 8.8.8.0/24
destination_geo.organization_name GOOGLE
dns.answers.name [ "34.117.59.81"]
dns.authoritative false
dns.highest_registered_domain ipinfo.io
dns.id 40264
dns.parent_domain ipinfo
dns.parent_domain_length 6
dns.query.class 1
dns.query.class_name C_INTERNET
dns.query.length 9
dns.query.name ipinfo.io
dns.query.rejected false
dns.query.type 1
dns.query.type_name A
dns.recursion.available true
dns.recursion.desired true
dns.reserved 0
dns.response.code 0
dns.response.code_name NOERROR
dns.top_level_domain io
dns.truncated false
dns.ttls [ 33]
ecs.version 8.0.0
elastic_agent.id 4a0cb520-ca78-40e9-b66e-90f2de36ad30
elastic_agent.snapshot false
elastic_agent.version 8.10.4
event.category network
event.dataset zeek.dns
event.duration 0.004307985305786133
event.ingested 2024-09-26T06:27:47.036Z
event.module zeek
input.type log
log.file.path /nsm/zeek/logs/current/dns.log
log.id.uid CAPymf4J84E5cW0dp8
log.offset 11742813
message {"ts":1727332065.235076,"uid":"CAPymf4J84E5cW0dp8","id.orig_h":"10.1.80.84","id.orig_p":59333,"id.resp_h":"8.8.8.8","id.resp_p":53,"proto":"tcp","trans_id":40264,"rtt":0.004307985305786133,"query":"ipinfo.io","qclass":1,"qclass_name":"C_INTERNET","qtype":1,"qtype_name":"A","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":true,"RA":true,"Z":0,"answers":["34.117.59.81"],"TTLs":[33.0],"rejected":false}
metadata.beat filebeat
metadata.input.beats.host.ip 10.1.82.100
metadata.input_id logfile-logs-zeek-logs
metadata.pipeline zeek.dns
metadata.raw_index logs-zeek-so
metadata.stream_id logfile-log.logs-zeek-logs
metadata.type _doc
metadata.version 8.10.4
network.community_id 1:KU/qz7AiOBS7REm5Wz8m5hmcszM=
network.transport tcp
observer.name sv-xxxxxxx
pipeline dns
server.ip 8.8.8.8
server.port 53
source.ip 10.1.80.84
source.port 59333
tags [ "elastic-agent",
"input-sv-xxxxxxx", "beats_input_codec_plain_applied",
"dns"]
soc_id B2wDLZIBLSa1K9HLrqpJ
soc_score 10.060717
soc_type
soc_timestamp 2024-09-26T06:27:45.235Z
soc_source sv-xxxxxxx:.ds-logs-zeek-so-2024.08.29-000001

EDIT: The HOME_NET is 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12

I have found this bug report un Suricata, but it's supposed to be already fixed. DNS rules not matching when traffic is over tcp

Does anyone be able to figure out why the second event is not generating the same alert than first event?

I got a lot of examples like this. Only DNS events from first IP by UDP generates the alerts. Al the DNS request from other IPs asking for the same domain does not generate alerts.

The first one is a DNS server and the others are PC.

I'll thank so much your opinions.

Regards
Carlos