
Feature #7012

open

Add dns.response sticky buffer

Added by Nathan Scrivens 7 months ago. Updated 3 months ago.

Status: In Review
Priority: Normal
Target version:
Effort: medium
Difficulty:
Label:

Description

Add a DNS sticky buffer, dns.response, that will allow a signature to trigger on any name and rdata field over all sections in a DNS response message.
This allows simplified policy configuration and matching on all relevant fields in a DNS response (instead of multiple signatures, each looking at a specific field).
This also addresses a gap where not all sections / records are currently exposed for matching.

I have a solution that iterates through all records per section in a response, checking:
  1. the "name" field in each record
  2. the "rdata" field in each record. For rdata, there is some logic limiting the "type" that will be checked to those that could contain domain names such as MX, NS, SOA, CNAME, PTR, ...

I plan to open a PR soon if there is interest in this feature.

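The walk the description sketches, as an added illustration in Rust (Suricata's DNS parser is written in Rust). This is not Suricata's code and not the reporter's pending PR; it is a stand-alone parser that visits the question section and every resource record in the answer, authority and additional sections, collects each record's name, and collects rdata only for types whose rdata carries a domain name (here NS, CNAME, PTR, MX and SOA, following the list in the description; including the question name and the exact type set are assumptions). The sample response bytes are constructed, not a capture, and exercise name compression pointers so that a name referenced only by pointer is still seen.

```rust
// Added example, not Suricata's code: collect the fields that a
// dns.response-style buffer would expose from one DNS response message.

const NS: u16 = 2;
const CNAME: u16 = 5;
const SOA: u16 = 6;
const PTR: u16 = 12;
const MX: u16 = 15;

/// Read a (possibly compressed) domain name starting at `pos`.
/// Returns the dotted name and the offset just after it in the stream.
fn read_name(msg: &[u8], mut pos: usize) -> Option<(String, usize)> {
    let mut labels = Vec::new();
    let mut end: Option<usize> = None; // set when the first pointer is followed
    let mut hops = 0;
    loop {
        let len = *msg.get(pos)? as usize;
        if len == 0 {
            pos += 1;
            break;
        }
        if len & 0xC0 == 0xC0 {
            // compression pointer: 14-bit offset into the message
            let ptr = ((len & 0x3F) << 8) | *msg.get(pos + 1)? as usize;
            if end.is_none() {
                end = Some(pos + 2);
            }
            hops += 1;
            if hops > 16 {
                return None; // pointer loop guard
            }
            pos = ptr;
            continue;
        }
        let label = msg.get(pos + 1..pos + 1 + len)?;
        labels.push(String::from_utf8_lossy(label).into_owned());
        pos += 1 + len;
    }
    Some((labels.join("."), end.unwrap_or(pos)))
}

fn be16(msg: &[u8], pos: usize) -> Option<u16> {
    Some(u16::from_be_bytes([*msg.get(pos)?, *msg.get(pos + 1)?]))
}

/// Every name field plus every domain-bearing rdata field, over all sections.
/// Returns None on a truncated or malformed message.
pub fn response_fields(msg: &[u8]) -> Option<Vec<String>> {
    let mut out = Vec::new();
    let qd = be16(msg, 4)? as usize;
    let rr_count = be16(msg, 6)? as usize + be16(msg, 8)? as usize + be16(msg, 10)? as usize;
    let mut pos = 12; // end of the fixed header
    for _ in 0..qd {
        let (qname, next) = read_name(msg, pos)?;
        out.push(qname);
        pos = next + 4; // skip QTYPE and QCLASS
    }
    for _ in 0..rr_count {
        let (name, next) = read_name(msg, pos)?;
        out.push(name);
        let rtype = be16(msg, next)?;
        let rdlen = be16(msg, next + 8)? as usize; // after TYPE, CLASS, TTL
        let rdata = next + 10;
        match rtype {
            NS | CNAME | PTR => out.push(read_name(msg, rdata)?.0),
            MX => out.push(read_name(msg, rdata + 2)?.0), // skip PREFERENCE
            SOA => {
                let (mname, after) = read_name(msg, rdata)?;
                out.push(mname);
                out.push(read_name(msg, after)?.0); // RNAME
            }
            _ => {} // A, AAAA, TXT, ...: rdata holds no domain name, not exposed
        }
        pos = rdata + rdlen;
    }
    Some(out)
}

/// What a `content` match against the buffer would amount to.
pub fn matches(msg: &[u8], needle: &str) -> bool {
    response_fields(msg).map_or(false, |f| f.iter().any(|v| v.contains(needle)))
}

/// Constructed sample (not a real capture): www.example.com CNAME evil.attacker.test,
/// evil.attacker.test A 10.0.0.1, and attacker.test NS ns1.attacker.test in the
/// authority section. Owner names are compression pointers into earlier data.
pub const SAMPLE: &[u8] = &[
    0x12, 0x34, 0x81, 0x80, 0, 1, 0, 2, 0, 1, 0, 0, // header: QD=1 AN=2 NS=1 AR=0
    3, b'w', b'w', b'w', 7, b'e', b'x', b'a', b'm', b'p', b'l', b'e', 3, b'c', b'o', b'm', 0, 0, 1, 0, 1,
    0xC0, 0x0C, 0, 5, 0, 1, 0, 0, 0, 60, 0, 20, // -> offset 12, CNAME, IN, TTL 60, rdlen 20
    4, b'e', b'v', b'i', b'l', 8, b'a', b't', b't', b'a', b'c', b'k', b'e', b'r', 4, b't', b'e', b's', b't', 0,
    0xC0, 0x2D, 0, 1, 0, 1, 0, 0, 0, 60, 0, 4, 10, 0, 0, 1, // -> offset 45, A 10.0.0.1
    0xC0, 0x32, 0, 2, 0, 1, 0, 0, 0, 60, 0, 6, 3, b'n', b's', b'1', 0xC0, 0x32, // -> offset 50, NS ns1 + ptr
];

fn main() {
    for f in response_fields(SAMPLE).unwrap() {
        println!("{}", f);
    }
    println!("matches attacker.test: {}", matches(SAMPLE, "attacker.test"));
}
```

Note that the A record's rdata (10.0.0.1) is never added: a rule on this buffer matches domain names, and a record whose owner name only appears by pointer (evil.attacker.test in the second answer) is still exposed, which is the point of walking every section rather than the first answer only.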

Related issues 1 (1 open, 0 closed)

Related to Suricata - Feature #2448: Add additional buffers for DNS Responses (status: New, assignee: OISF Dev)