Project

General

Profile

Actions
Copy link

Feature #3074

closed

DNS full domain matching within the dns_query buffer

Added by James Emery-Callcott almost 5 years ago. Updated over 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
Jeff Lucovsky
Target version:
5.0rc1
Effort:
Difficulty:
Label:

Description

Hey folks,

There have been a few scenarios in which the following pcre has been applied to a rule -> "/(?:^|\.)google.com$/" and I was curious to know if we can make this a keyword for DNS signatures.

The idea behind this is that when we have a domain, ex. 'google.com', we want to match on either 'google.com' or 'subdomain.google.com' but not something such as 'agoogle.com'.

Example rule structure with the new keyword:

dns_query; content:"google.com"; full_domain; pcre:"/(?:^|\.)google.com$/";

google.com - Match
hello.google.com - Match
hey.agoogle.com - No match
agoogle.com - No match

Files

Screenshot from 2019-07-30 14-17-37.png (80.5 KB) Screenshot from 2019-07-30 14-17-37.png Peter Manev, 07/30/2019 01:19 PM
Actions
Copy link
 #1

Updated by James Emery-Callcott almost 5 years ago

Edit - ignore the PCRE in the example rule structure, typo on my part.

Actions
Copy link
 #2

Updated by Andreas Herz almost 5 years ago

  • Assignee set to Community Ticket
Actions
Copy link
 #3

Updated by Victor Julien almost 5 years ago

  • Status changed from New to Assigned
  • Assignee changed from Community Ticket to Jeff Lucovsky
  • Target version changed from 5.0beta1 to 5.0rc1

I think this can be easily implemented using the transform API.

Jeff, could you implement 2 transforms:

tld -> this will transform an input buffer of example.com to just com
domain -> this will transform an input buffer of subdomain.example.com to just example.com

The rule would look like:
alert dns any any -> any any (dns.query; tld; content:"com"; sid:1;)
alert http any any -> any any (http.host; domain; content:"example.com"; startswith; sid:2;)

Have a look at the exist transforms for how to use this API: strip_whitespace, to_md5, etc.

Actions
Copy link
 #4

Updated by Jeff Lucovsky almost 5 years ago

The strict definition of a TLD is The right-most label in a domain name is referred to as its "top-level domain" (TLD) [[https://archive.icann.org/en/tlds/]]. These are also referred to as generic TLDs.

Country code TLDs consist of a two letter country abbreviation , e.g., nl and are usually of the form .nl.co but not always (wit www.google.com.au).

The second level domain resides to the left of the TLD (generic or cc): foo.bar.co.jp would produce a domain of bar.co.jp

I suggest that the tld and domain transformation operate as follows:
- Recognize the TLD as the rightmost label.
- Amend the TLD to include the next most rightmost label if it consists of 2 characters.
- The domain is the label to the left of the TLD after these steps.

Examples:
  1. example.com -> tld = com, domain = example.com
  2. google.com.au -> tld = com.au, domain = google.com.au
  3. google.co.uk -> tld = co.uk, domain = google.co.uk
  4. windows.update.microsoft.co.es -> tld = co.es, domain = microsoft.co.es

It was suggested that the TLD could be referred to as the domain_suffix or even dns.suffix.

Actions
Copy link
 #5

Updated by Victor Julien almost 5 years ago

I don't know why I didn't remember this yesterday, but in the NL the most popular news site is 'nu.nl'. In this case the tld is 'nl' and the 'domain' would be 'nu.nl'. So I'm afraid this simple heuristic approach is not going to be sufficient.

Actions
Copy link
 #6

Updated by Jeff Lucovsky almost 5 years ago

I think it would work with nu.nl with this modification
- Amend the TLD to include the next most rightmost label if it consists of 2 characters and there is another label to the left

Actions
Copy link
 #7

Updated by Victor Julien almost 5 years ago

But that would fail if there is a subdomain, right? E.g. video.nu.nl would become domain: 'video.nu.nl', tld: 'nu.nl'.

Actions
Copy link
 #8

Updated by Jeff Lucovsky over 4 years ago

Regarding domains only, in a separate conversation, Victor suggested the following:

alert dns any any -> any any (dns_query; domain; content:".google.com"; sid:1;)
1. hello.google.com --> match
2. hey.agoogle.com --> no match
3. agoogle.com --> no match
4. something.google.com.au --> match

To restrict matches to a domain:

alert dns any any -> any any (dns_query; domain; content:".google.com"; endswith; sid:1;)

1. hello.google.com --> match
2. hey.agoogle.com --> no match
3. aggogle.com --> no match
4. something.google.com.au --> no match

Actions
Copy link
 #9

Updated by Peter Manev over 4 years ago

I like it.

Actions
Copy link
 #10

Updated by Jeff Lucovsky over 4 years ago

Regarding TLDs: there are many cases that cannot be covered reliably by heuristics and require stored data to validate/check whether something is a tld or not.

Perhaps a rule like alert dns any any -> any any (dns_query; content:".co.uk"; endswith; sid:1;) is sufficient in place of a non-data augmented TLD transformation?

Actions
Copy link
 #11

Updated by Peter Manev over 4 years ago

Would that work in such similar cases? (please see attached)

Actions
Copy link
 #12

Updated by Jeff Lucovsky over 4 years ago

The buffer `time.windows.com` would be replaced with `.time.windows.com`

Actions
Copy link
 #13

Updated by Victor Julien over 4 years ago

  • Status changed from Assigned to Closed
  • Difficulty deleted (low)
Actions
Copy link

Also available in: Atom PDF