I am new to Suricata and I am currently having a problem with the log output of my IDS. It appears that whenever any sort of query is made, the query and response appear. But what is supposed to be the response back to the query shows the incorrect source IP address. The response packet would show the same source IP address as the original query (picture for reference, source IP was marked as 123.123.123.123 for privacy). The photo provided was a nslookup via a PC on my network for cnn.com using quad9 DNS.
The current setup is Suricata IDS on an Ubuntu server getting traffic mirrored from a switch that sits in between the core network and the edge network. All traffic from the core side and the edge side connects to the same switch via their own interface. There is just one mirror interface on that same switch that connects to the IDS server, which Suricata then reads via af-packet.
Please let me know if anyone has any further questions, thank you for taking the time to read this.
Just wanted to add that there are three events associated with the same flow. The following screenshots hopefully provide more information. There are two pictures so I will attach the next following picture in the reply thread below.
Aren’t dns events always oriented in the direction of the original query? If I remember correctly that’s how it works. Suricata logs transactions, not packets. So you would see two events per lookup, with the same flow ID, src/dst IP, src/dst ports, but with different types and answers present only in one of them.
For DNS the source IP address is always the originator of the request. Even for the response event. However this is confusing and there is an open ticket to discuss this:
Other protocols that log each direction as discrete events may have this behavior as well, so it's something we would want to be consistent about.
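An added example, not code from the thread or from the Suricata project, of reading eve.json with that orientation in mind: it groups the query and answer events by flow_id and DNS transaction id and takes the client/resolver roles from the query, instead of reading the answer event's src_ip as the responder. It assumes the eve DNS field names flow_id, dns.type, dns.id, dns.rrname, dns.rcode and dns.answers; the sample lines are constructed, with 10.0.0.5 standing in for the redacted client address and 203.0.113.10 as a placeholder answer.

```python
import json
from collections import defaultdict

# Constructed eve.json lines (not real logs): one lookup of cnn.com via Quad9.
# Both DNS events carry the same flow_id and the same src/dest orientation
# (client -> resolver), because Suricata logs DNS transactions, not packets.
EVE_LINES = """\
{"timestamp":"2024-01-01T12:00:00.000000+0000","flow_id":1001,"event_type":"dns","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"9.9.9.9","dest_port":53,"proto":"UDP","dns":{"type":"query","id":4242,"rrname":"cnn.com","rrtype":"A","tx_id":0}}
{"timestamp":"2024-01-01T12:00:00.020000+0000","flow_id":1001,"event_type":"dns","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"9.9.9.9","dest_port":53,"proto":"UDP","dns":{"type":"answer","id":4242,"rcode":"NOERROR","rrname":"cnn.com","rrtype":"A","answers":[{"rrname":"cnn.com","rrtype":"A","ttl":60,"rdata":"203.0.113.10"}]}}
{"timestamp":"2024-01-01T12:00:01.000000+0000","flow_id":1002,"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"9.9.9.9","proto":"UDP"}
"""


def pair_dns_transactions(lines):
    """Group eve DNS events by (flow_id, dns.id) and return one record per
    lookup, with client/resolver roles derived from the query's orientation."""
    by_tx = defaultdict(dict)
    for raw in lines.splitlines():
        if not raw.strip():
            continue
        ev = json.loads(raw)
        if ev.get("event_type") != "dns":
            continue  # flow/alert/other events are not part of the pairing
        key = (ev["flow_id"], ev["dns"].get("id"))
        by_tx[key][ev["dns"]["type"]] = ev

    records = []
    for (flow_id, _dns_id), evs in by_tx.items():
        q, a = evs.get("query"), evs.get("answer")
        if q is None:
            continue  # answer without a seen query: cannot assign roles
        records.append({
            "flow_id": flow_id,
            "client": q["src_ip"],      # originator of the request
            "resolver": q["dest_ip"],   # responder; the answer event also lists it as dest_ip
            "rrname": q["dns"]["rrname"],
            "rcode": a["dns"].get("rcode") if a else None,
            "rdata": [x["rdata"] for x in a["dns"].get("answers", [])] if a else [],
            # True when the answer event keeps the query's src/dest orientation,
            # which is the behaviour described in this thread.
            "same_orientation": a is not None
            and (a["src_ip"], a["dest_ip"]) == (q["src_ip"], q["dest_ip"]),
        })
    return records


if __name__ == "__main__":
    for rec in pair_dns_transactions(EVE_LINES):
        print(rec)
```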