git.ipfire.org Git - people/pmueller/ipfire-2.x.git/commitdiff
Suricata: detect DNS events on port 853, too
author Peter Müller <peter.mueller@ipfire.org>
Thu, 7 Feb 2019 17:47:00 +0000 (17:47 +0000)
committer Stefan Schantl <stefan.schantl@ipfire.org>
Thu, 7 Feb 2019 20:26:50 +0000 (21:26 +0100)
As DNS over TLS popularity is increasing, port 853 becomes
more interesting for an attacker as a bypass method. Enabling
this port for DNS monitoring makes sense in order to avoid
unusual activity (non-DNS traffic) as well as "normal" DNS
attacks.

Partially fixes #11808

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Cc: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
config/suricata/suricata.yaml

index d7302788cc11ab88b0c26205424f50812cd40b47..67b9e8a7d2357d8ac86dcd1605f704e4cce3a1d9 100644 (file)
@@ -208,11 +208,11 @@ app-layer:
       tcp:
         enabled: yes
         detection-ports:
-          dp: 53
+          dp: "[53,853]"
       udp:
         enabled: yes
         detection-ports:
-          dp: 53
+          dp: "[53,853]"
     http:
       enabled: yes
       # memcap: 64mb
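Review bot: the `udp:` block gets 853 as well (second `+          dp: "[53,853]"` line), but the commit message only motivates the change with DNS over TLS, which runs over TCP; UDP 853 would be DNS over DTLS, a separate and far less common protocol that the message does not mention. Either explain in the message, or in a YAML comment next to the `detection-ports:` entry, why UDP 853 is included, or limit the change to the `tcp:` block. A short comment above each changed line, for example `# 853: DNS over TLS port, plaintext DNS here is unusual`, would also record the intent, since `"[53,853]"` on its own does not say why 853 was added. Finally, the message's expectation of catching "normal" DNS attacks on this port should be tempered: genuine DoT traffic is TLS-wrapped, so the DNS app-layer parser registered on 853 will only see DNS that was sent in the clear on that port, which is the "non-DNS/unusual activity" case rather than inspection of DoT queries themselves.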