Project

General

Profile

Actions

Feature #6497

closed

dns: new detection buffer: dns.query.name

Added by Jason Ish 5 months ago. Updated 4 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Add a new buffer, dns.query.name to allow matches on the "name" field in the DNS queries array.

Unlike the exiting dns.query_name buffer, this will look at the request and the response and flow keyword can be used to limit its scope.

In the to server direction this is a duplication of the existing dns.query_name keyword, however, there is an expectation that the keyword only detects in the to server direction, and extending it to match in the to client direction could cause a large number of unexpected alerts.


Related issues 1 (1 open0 closed)

Related to Suricata - Optimization #2272: Analyze DNS response if query is not presentAssignedJason IshActions
Actions #1

Updated by Jason Ish 5 months ago

Actions #2

Updated by Jason Ish 5 months ago

  • Status changed from In Progress to In Review
Actions #3

Updated by Jason Ish 4 months ago

  • Blocks Bug #6281: dns: structure of query differs between "alert" and "dns" event types added
Actions #4

Updated by Jason Ish 4 months ago

  • Status changed from In Review to Closed

Merged.

Actions #5

Updated by Jason Ish 4 months ago

  • Blocks deleted (Bug #6281: dns: structure of query differs between "alert" and "dns" event types)
Actions

Also available in: Atom PDF