
Feature #3074

DNS full domain matching within the dns_query buffer

Added by James Emery-Callcott 4 months ago. Updated about 1 month ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Hey folks,

There have been a few scenarios in which the following pcre has been applied to a rule -> "/(?:^|\.)google.com$/" and I was curious to know if we can make this a keyword for DNS signatures.

The idea behind this is that when we have a domain, ex. 'google.com', we want to match on either 'google.com' or 'subdomain.google.com' but not something such as 'agoogle.com'.

Example rule structure with the new keyword:

dns_query; content:"google.com"; full_domain; pcre:"/(?:^|\.)google.com$/";

google.com - Match
hello.google.com - Match
hey.agoogle.com - No match
agoogle.com - No match


History

#1

Updated by James Emery-Callcott 4 months ago

Edit - ignore the PCRE in the example rule structure, typo on my part.

#2

Updated by Andreas Herz 3 months ago

  • Assignee set to Community Ticket

#3

Updated by Victor Julien 3 months ago

  • Status changed from New to Assigned
  • Assignee changed from Community Ticket to Jeff Lucovsky
  • Target version changed from 5.0beta1 to 5.0rc1

I think this can be easily implemented using the transform API.

Jeff, could you implement 2 transforms:

tld -> this will transform an input buffer of example.com to just com
domain -> this will transform an input buffer of subdomain.example.com to just example.com

The rule would look like:
alert dns any any -> any any (dns.query; tld; content:"com"; sid:1;)
alert http any any -> any any (http.host; domain; content:"example.com"; startswith; sid:2;)

Have a look at the existing transforms for how to use this API: strip_whitespace, to_md5, etc.

#4

Updated by Jeff Lucovsky 3 months ago

The strict definition of a TLD is: "The right-most label in a domain name is referred to as its 'top-level domain' (TLD)" (https://archive.icann.org/en/tlds/). These are also referred to as generic TLDs.

Country code TLDs consist of a two letter country abbreviation, e.g., nl, and are usually of the form .nl.co but not always (with www.google.com.au).

The second level domain resides to the left of the TLD (generic or cc): foo.bar.co.jp would produce a domain of bar.co.jp

I suggest that the tld and domain transformation operate as follows:
- Recognize the TLD as the rightmost label.
- Amend the TLD to include the next most rightmost label if it consists of 2 characters.
- The domain is the label to the left of the TLD after these steps.

Examples:
  1. example.com -> tld = com, domain = example.com
  2. google.com.au -> tld = com.au, domain = google.com.au
  3. google.co.uk -> tld = co.uk, domain = google.co.uk
  4. windows.update.microsoft.co.es -> tld = co.es, domain = microsoft.co.es

It was suggested that the TLD could be referred to as the domain_suffix or even dns.suffix.

#5

Updated by Victor Julien 3 months ago

I don't know why I didn't remember this yesterday, but in the NL the most popular news site is 'nu.nl'. In this case the tld is 'nl' and the 'domain' would be 'nu.nl'. So I'm afraid this simple heuristic approach is not going to be sufficient.

#6

Updated by Jeff Lucovsky 3 months ago

I think it would work with nu.nl with this modification:
- Amend the TLD to include the next most rightmost label if it consists of 2 characters and there is another label to the left.

#7

Updated by Victor Julien 3 months ago

But that would fail if there is a subdomain, right? E.g. video.nu.nl would become domain: 'video.nu.nl', tld: 'nu.nl'.

#8

Updated by Jeff Lucovsky 3 months ago

Regarding domains only, in a separate conversation, Victor suggested the following:

alert dns any any -> any any (dns_query; domain; content:".google.com"; sid:1;)

1. hello.google.com --> match
2. hey.agoogle.com --> no match
3. agoogle.com --> no match
4. something.google.com.au --> match

To restrict matches to a domain:

alert dns any any -> any any (dns_query; domain; content:".google.com"; endswith; sid:1;)

1. hello.google.com --> match
2. hey.agoogle.com --> no match
3. agoogle.com --> no match
4. something.google.com.au --> no match

#9

Updated by Peter Manev 3 months ago

I like it.

#10

Updated by Jeff Lucovsky 3 months ago

Regarding TLDs: there are many cases that cannot be covered reliably by heuristics and require stored data to validate/check whether something is a tld or not.

Perhaps a rule like alert dns any any -> any any (dns_query; content:".co.uk"; endswith; sid:1;) is sufficient in place of a non-data augmented TLD transformation?

#11

Updated by Peter Manev 3 months ago

Would that work in such similar cases? (please see attached)

#12

Updated by Jeff Lucovsky 2 months ago

The buffer `time.windows.com` would be replaced with `.time.windows.com`
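Added example, not Suricata code: a small Python model of the two ideas from this thread, the tld/domain heuristic from #4 and #6 (including the video.nu.nl case from #7) and the dot-prefixing `domain` transform from #8 and #12 with `content` and `endswith` evaluated over it. The function names (heuristic_tld_split, domain_transform, rule_matches, pcre_matches) are this example's own, and the PCRE is the ticket's with the dot escaped.

```python
# Added example (not Suricata code): models the behaviour discussed in the
# ticket. Function names are this example's own, not Suricata keywords.
import re

def heuristic_tld_split(name: str) -> tuple:
    """Heuristic from comments #4 and #6: the rightmost label is the TLD; if it
    is a two-letter ccTLD, absorb the next label, but only when another label
    would remain to its left (the #6 refinement). The domain is the label to
    the left of the TLD plus the TLD. Returns (tld, domain)."""
    labels = name.lower().rstrip(".").split(".")
    tld = labels[-1:]
    rest = labels[:-1]
    if len(tld[0]) == 2 and len(rest) >= 2:
        tld.insert(0, rest.pop())
    return ".".join(tld), ".".join(rest[-1:] + tld)

def domain_transform(buf: str) -> str:
    """The 'domain' transform proposed in comments #8 and #12: prefix the
    buffer with a dot so content:".google.com" can only hit a label boundary;
    adding endswith then pins the match to the final labels."""
    return "." + buf

def rule_matches(buf: str, content: str, endswith: bool = False) -> bool:
    """Evaluate: dns_query; domain; content:<content>; [endswith;]"""
    t = domain_transform(buf)
    return t.endswith(content) if endswith else content in t

def pcre_matches(buf: str) -> bool:
    """The PCRE workaround from the ticket description (dot escaped here)."""
    return re.search(r"(?:^|\.)google\.com$", buf) is not None

if __name__ == "__main__":
    # Constructed sample queries, taken from the thread's own examples.
    for q in ["google.com", "hello.google.com", "hey.agoogle.com",
              "agoogle.com", "something.google.com.au"]:
        print(f"{q:26} contains={rule_matches(q, '.google.com')!s:5} "
              f"endswith={rule_matches(q, '.google.com', True)!s:5} "
              f"pcre={pcre_matches(q)}")
    for n in ["example.com", "google.com.au", "nu.nl", "video.nu.nl"]:
        # video.nu.nl reproduces the failure Victor points out in #7
        print(n, "->", heuristic_tld_split(n))
```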

#13

Updated by Victor Julien about 1 month ago

  • Status changed from Assigned to Closed
  • Difficulty deleted (low)
