Feature #6497
dns: new detection buffer: dns.query.name
Status: Closed
Description
Add a new buffer, dns.query.name, to allow matches on the "name" field in the DNS queries array.

Unlike the existing dns.query_name buffer, this one will look at both the request and the response, and the flow keyword can be used to limit its scope.

In the to-server direction this is a duplication of the existing dns.query_name keyword; however, there is an expectation that that keyword only detects in the to-server direction, and extending it to match in the to-client direction could cause a large number of unexpected alerts.
Updated by Jason Ish about 1 year ago
- Related to Optimization #2272: Analyze DNS response if query is not present added
Updated by Jason Ish about 1 year ago
- Status changed from In Progress to In Review
Updated by Jason Ish about 1 year ago
- Blocks Bug #6281: dns: structure of query differs between "alert" and "dns" event types added
Updated by Jason Ish about 1 year ago
- Blocks deleted (Bug #6281: dns: structure of query differs between "alert" and "dns" event types)