Feature #7012
open
Add dns.response sticky buffer
Added by Nathan Scrivens 4 months ago.
Updated 27 days ago.
Description
Add DNS sticky buffer dns.response that will allow a signature to trigger on any name and rdata field over all sections in a DNS response message.
This allows simplified policy configuration and matching on all relevant fields in a dns response (instead of multiple signatures, each looking at a specific field).
This also addresses a gap where all sections / records are not currently exposed for matching.
I have a solution that iterates through all records per section in a response, checking:
- the "name" field in each record
- the "rdata" field in each record. For rdata, there is some logic limiting the "type" that will be checked to those that could contain domain names such as MX, NS, SOA, CNAME, PTR, ...
I plan to open a PR soon if there is interest in this feature.
Related issues
1 (1 open — 0 closed)
Last time I asked a similar question, the answer was that specificity was preferred, and this lead to dns.answer.name and dns.query.name and I expect this to get more complete in time.
So I'd be keen to hear interest in this field.
Just a note: dns.response is a little open in the naming department.
- Assignee changed from OISF Dev to Nathan Scrivens
Thanks for the feedback Jason.
Here is a little extra context. For our organization we are running in IPS mode, and are interested in triggering on any potential record in a DNS response message that could match our signatures / datasets.
Needing to reference every individual field for each section will add complexity and replication to our signature set.
For example, we want to match on:
- question section: name field
- answer, authority, additional sections: name and rdata fields
This would be seven unique fields, which would translate to seven signatures just for DNS response traffic (even more if we want to have different signature / action combinations). It would be much simpler to have a generic way to fully match a DNS response.
I can see value in both implementations. Exposing unique fields for those who want to write a specific signature, but also having the option to match against all fields easily for those who want to match on everything possible in a response with a single signature.
The name isn't important, we could change that if you feel dns.response is too open. It seemed to me like a nice description, as the result is matching on the entire DNS response.
- Related to Feature #2448: Add additional buffers for DNS Responses added
- Status changed from New to In Review
Also available in: Atom
PDF