[1:2240006:2] SURICATA DNS Z flag set
-
Hi,
I'm running Snort in blocking mode on WAN and Suricata on LAN (no blocks). Latest stable pfSense Pro with Unbound as resolver.
Snort has been running years, Suricata just for some days.
DNS traffic on WAN is encrypted with TLS, so Snort can't see DNS flags, but the DNS traffic in LAN is not encrypted.
I get SURICATA DNS Z flag set alerts ( [1:2240006:2] SURICATA DNS Z flag set ) only from that one Android phone. The phone is Samsung and it's running up2date android but the apps are not necessarily up2date.
I've been trying to figure out this Z flag.
RFC5395 says: ( https://datatracker.ietf.org/doc/html/rfc5395 )
'There have been ancient DNS implementations for which the Z bit being on in a query meant that only a response from the primary server for a zone is acceptable. It is believed that current DNS implementations ignore this bit.
Assigning a meaning to the Z bit requires an IETF Standards Action.'
Then I read this well written blog post about using DNS to communicate with (malware) command and control server(s):
https://blog.gigamon.com/2021/01/20/dns-c2-sandwich-a-novel-approach/
'To track if we’ve received the last message in the stream, we can tag the DNS header with the “z” flag which is typically reserved and intended to be 0. We can keep appending data we receive associated with a given transaction id and not interpret/decode it until we’ve seen that “z”.'
So my question is, do you usually see this Z flag alert(s) and/or do you think it could be some malware installed on a device? (in my case, one android phone)
Thanks for your comments!!!
Ps. If you have further questions for me about this, please remember I won't necessarily answer very quickly if even at all ;) Kind of busy at the moment. Very thankful for your comments anyway!!
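As an added example (not from this thread, and not Suricata's or pfSense's own code), a small Python decoder that reads the 16-bit flags word of a DNS header and reports any message with the reserved Z bit set, which is the condition behind the alert discussed above. The bit layout follows RFC 1035 with the AD/CD bits of RFC 2535; the two queries and the 192.0.2.x source addresses are constructed sample input.

```python
import struct

# Bit positions inside the 16-bit DNS flags word (RFC 1035; AD/CD carved out
# of the old Z field by RFC 2535, leaving one reserved bit that must be zero).
QR_MASK, RD_MASK, RA_MASK = 0x8000, 0x0100, 0x0080
Z_MASK = 0x0040            # the reserved "Z" bit RFC 5395 talks about
AD_MASK, CD_MASK = 0x0020, 0x0010
RCODE_MASK = 0x000F

def parse_dns_header(payload: bytes) -> dict:
    """Decode the 12-byte DNS header at the start of a UDP payload."""
    if len(payload) < 12:
        raise ValueError("DNS payload shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    return {
        "id": txid,
        "qr": bool(flags & QR_MASK),
        "opcode": (flags >> 11) & 0xF,
        "rd": bool(flags & RD_MASK),
        "z": bool(flags & Z_MASK),
        "ad": bool(flags & AD_MASK),
        "cd": bool(flags & CD_MASK),
        "rcode": flags & RCODE_MASK,
        "counts": (qd, an, ns, ar),
    }

def z_flag_alerts(packets):
    """Return (source, txid) for each DNS message whose reserved Z bit is set,
    i.e. the condition behind the 'SURICATA DNS Z flag set' signature."""
    return [(src, hdr["id"]) for src, hdr in
            ((src, parse_dns_header(p)) for src, p in packets) if hdr["z"]]

def build_query(txid: int, flags: int, name: str) -> bytes:
    """Build a minimal A/IN query for `name`; used only to construct sample input."""
    labels = b"".join(bytes([len(part)]) + part.encode() for part in name.split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question

# Constructed sample traffic: a normal recursive query and one with Z set.
SAMPLE_PACKETS = [
    ("192.0.2.10", build_query(0x1234, RD_MASK, "example.com")),
    ("192.0.2.20", build_query(0xBEEF, RD_MASK | Z_MASK, "example.net")),
]
```

Feeding real captures through the same check (e.g. the UDP payloads of port 53 traffic from the phone) shows whether the bit is set on every query from one client or only on some transactions, which is a useful distinction when deciding whether a single app is responsible.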
-
@dread said in [1:2240006:2] SURICATA DNS Z flag set:
So my question is, do you usually see this Z flag alert(s) and/or do you think it could be some malware installed on a device? (in my case, one android phone)
Anyone? Thanks!!