Feature #3074

DNS full domain matching within the dns_query buffer

Added by James Emery-Callcott over 4 years ago. Updated about 1 year ago.

Status:
Closed
Priority:
Normal

Description

Hey folks,

There have been a few scenarios in which the following pcre has been applied to a rule -> "/(?:^|\.)google.com$/" and I was curious to know if we can make this a keyword for DNS signatures.

The idea behind this is that when we have a domain, ex. 'google.com', we want to match on either 'google.com' or 'subdomain.google.com' but not something such as 'agoogle.com'.

Example rule structure with the new keyword:

dns_query; content:"google.com"; full_domain; pcre:"/(?:^|\.)google.com$/";

google.com - Match
hello.google.com - Match
hey.agoogle.com - No match
agoogle.com - No match
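The matching semantics requested above, written out as an added Python example (this is not code from the issue or from Suricata): a suffix check that treats `google.com` and `sub.google.com` as matches but rejects `agoogle.com`, and a regex built along the lines of the issue's pcre. DNS names are case-insensitive and may carry a trailing dot, so both are normalized first; that normalization is an assumption of this example, not a statement about how Suricata fills the dns_query buffer. The regex helper escapes the literal dots in the domain so that `.` in the pattern cannot match an arbitrary character, which the bare pcre quoted in the issue does not do. Sample query names are constructed for illustration.

```python
import re


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop a trailing dot (FQDN form).

    Assumption of this example: the matching engine compares names
    case-insensitively and without the root-label dot.
    """
    return name.rstrip(".").lower()


def full_domain_match(query: str, domain: str) -> bool:
    """True if query is exactly domain or a subdomain of it.

    'google.com' and 'hello.google.com' match 'google.com';
    'agoogle.com' and 'hey.agoogle.com' do not, because the label
    boundary (a '.') must sit immediately before the domain.
    """
    q = normalize(query)
    d = normalize(domain)
    if not d:
        return False  # an empty domain would match everything
    return q == d or q.endswith("." + d)


def full_domain_regex(domain: str) -> re.Pattern:
    """Regex equivalent of the suffix check, in the shape of the
    issue's pcre /(?:^|\\.)google.com$/ but with the domain's dots
    escaped so '.' only matches a literal dot."""
    return re.compile(r"(?:^|\.)" + re.escape(normalize(domain)) + r"$")


def regex_match(query: str, domain: str) -> bool:
    """Apply the escaped regex to a normalized query name."""
    return full_domain_regex(domain).search(normalize(query)) is not None


# Constructed sample queries (not from a real capture) with the
# outcomes listed in the issue, plus a case-insensitive/FQDN variant
# and a name that only an unescaped dot would wrongly match.
SAMPLES = [
    ("google.com", True),
    ("hello.google.com", True),
    ("hey.agoogle.com", False),
    ("agoogle.com", False),
    ("HELLO.Google.COM.", True),
    ("googlexcom", False),
]


def check_samples(domain: str = "google.com") -> bool:
    """Return True when both implementations agree with every expected
    outcome in SAMPLES."""
    for query, expected in SAMPLES:
        if full_domain_match(query, domain) != expected:
            return False
        if regex_match(query, domain) != expected:
            return False
    return True


if __name__ == "__main__":
    for query, expected in SAMPLES:
        verdict = "Match" if full_domain_match(query, "google.com") else "No match"
        print(f"{query:20} - {verdict}")
    print("all samples as expected:", check_samples())
```

Both helpers give the same verdicts on the issue's four examples; the `googlexcom` sample is there only to show why escaping the dot matters when the keyword is emulated with a pcre.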

