Feature #7012: rules: add dns.response sticky buffer - Suricata - Open Information Security Foundation

Actions

Copy link

Feature #7012

closed

rules: add dns.response sticky buffer

Added by Nathan Scrivens 11 months ago. Updated 2 days ago.

Status:

Closed

Priority:

Normal

Assignee:

Nathan Scrivens

Target version:

8.0.0-beta1

Effort:

medium

Difficulty:

Label:

Description

Add DNS sticky buffer dns.response that will allow a signature to trigger on any name and rdata field over all sections in a DNS response message.
This allows simplified policy configuration and matching on all relevant fields in a dns response (instead of multiple signatures, each looking at a specific field).
This also addresses a gap where all sections / records are not currently exposed for matching.

I have a solution that iterates through all records per section in a response, checking:

the "name" field in each record
the "rdata" field in each record. For rdata, there is some logic limiting the "type" that will be checked to those that could contain domain names such as MX, NS, SOA, CNAME, PTR, ...

I plan to open a PR soon if there is interest in this feature.

Related issues 2 (1 open — 1 closed)

Actions

Copy link

Also available in: Atom PDF

	Related to Suricata - Feature #2448: Add additional buffers for DNS Responses	New	Jason Ish				Actions
	Has duplicate Suricata - Feature #2198: Extend the DNS parser to accept dns_response keyword in signatures	Rejected					Actions

Project

General

Profile

Suricata

Custom queries

Feature #7012

rules: add dns.response sticky buffer

Updated by Jason Ish 11 months ago

Updated by Nathan Scrivens 11 months ago · Edited

Updated by Nathan Scrivens 10 months ago

Updated by Jason Ish 10 months ago

Updated by Nathan Scrivens 8 months ago

Updated by Jason Ish 2 months ago

Updated by Nathan Scrivens 19 days ago

Updated by Jason Ish 19 days ago

Updated by Victor Julien 3 days ago

Updated by Victor Julien 2 days ago