Feature #6497

dns: new detection buffer: dns.query.name

Added by Jason Ish 5 months ago. Updated 4 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Add a new buffer, dns.query.name to allow matches on the "name" field in the DNS queries array.

Unlike the existing dns.query_name buffer, this will look at the request and the response, and the flow keyword can be used to limit its scope.

In the to-server direction this is a duplication of the existing dns.query_name keyword; however, there is an expectation that that keyword only detects in the to-server direction, and extending it to match in the to-client direction could cause a large number of unexpected alerts.

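As an added example (these rules are not from the issue or from Suricata's own rule set), the following shows how the flow keyword scopes the new buffer. It assumes a Suricata version that ships dns.query.name, the usual sticky-buffer rule syntax, and a constructed domain name (example.test) and sid values chosen only for illustration:

```suricata
# Added example rules, not part of this issue. Domain and sids are constructed.

# No flow keyword: matches the name field of the DNS query in both the
# request (to_server) and the response (to_client).
alert dns any any -> any any (msg:"dns.query.name, both directions"; dns.query.name; content:"example.test"; nocase; sid:1000001; rev:1;)

# flow:to_server limits the match to requests, which is the scope the
# description says the existing request-only buffer has.
alert dns any any -> any any (msg:"dns.query.name, request only"; flow:to_server; dns.query.name; content:"example.test"; nocase; sid:1000002; rev:1;)

# flow:to_client limits the match to responses, so the rule fires on the
# name in the response without also alerting on the request that produced it.
alert dns any any -> any any (msg:"dns.query.name, response only"; flow:to_client; dns.query.name; content:"example.test"; nocase; sid:1000003; rev:1;)
```

For a normal lookup the name appears in both the request and the response, so the first rule alerts in each direction, which is the alert volume the description warns about when a request-only keyword is silently extended to responses; the second and third rules pick one direction explicitly.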

Related issues (1 open, 0 closed)

Related to Suricata - Optimization #2272: Analyze DNS response if query is not present (Assigned: Jason Ish)

#1

Updated by Jason Ish 5 months ago

#2

Updated by Jason Ish 5 months ago

  • Status changed from In Progress to In Review
#3

Updated by Jason Ish 5 months ago

  • Blocks Bug #6281: dns: structure of query differs between "alert" and "dns" event types added
#4

Updated by Jason Ish 4 months ago

  • Status changed from In Review to Closed

Merged.

#5

Updated by Jason Ish 4 months ago

  • Blocks deleted (Bug #6281: dns: structure of query differs between "alert" and "dns" event types)