Feature #8384

open

dns: add dns.rdata keyword

Added by Peter Manev 2 days ago. Updated 2 days ago.

Status:
New
Priority:
Normal
Assignee:
-
Target version:
Effort:
Difficulty:
Label:
Needs Suricata-Verify test

Description

The data below is extracted from an "event_type:dns" record/log in Suricata.
We have the data and we can query it in the SIEM - which is great.

What would be ideal is to add a keyword (in Suricata 8/9) to match exactly on that buffer - something like "dns.rdata" - for inspecting it.

  "dns": {
    "version": 3,
    "type": "response",
    "tx_id": 2,
    "id": 37949,
    "flags": "8400",
    "qr": true,
    "aa": true,
    "opcode": 0,
    "rcode": "NOERROR",
    "queries": [
      {
        "rrname": "verify.timeserversync.com",
        "rrtype": "TXT" 
      }
    ],
    "answers": [
      {
        "rrname": "verify.timeserversync.com",
        "rrtype": "TXT",
        "ttl": 300,
        "rdata": "00000000/9j/4AAQSkZJRgABAQAAAQABAAD/4SH0RXhpZgAASUkqAAgAAAADABIBAwABAAAAAQAAADEBAgAHAAAAMgAAAGmHBAABAAAAOgAAAMgAAABQaWNhc2EAAAYAAJAHAAQAAAAwMjIwAaADAAEAAAABAAAAAqAEAAEAAAAABAAAA6AEAAEAAAAABAAABaAEAAEA" 
      }
    ]
  }

Public pcap location:
https://www.activecountermeasures.com/malware-of-the-day-txt-record-abuse-in-dns-c2-joker-screenmate/
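As an added illustration (not part of this issue and not Suricata code), this is the kind of check the requested keyword would make expressible in a rule, done here in Python as a post-processing pass over constructed EVE dns lines modelled on the record above: it picks out TXT answers whose rdata is a long base64 run and decodes it to see whether it starts with a known file signature. The eight-digit prefix handling, the 40-character threshold and the MAGIC table are assumptions.

```python
import base64
import json
import re

# Constructed EVE "event_type":"dns" lines modelled on the record in the issue, not real
# Suricata output: line 1 carries a base64 TXT answer (JPEG header), line 2 an SPF record.
SAMPLE_EVE = """\
{"event_type":"dns","dns":{"version":3,"type":"response","rcode":"NOERROR","answers":[{"rrname":"verify.example.test","rrtype":"TXT","ttl":300,"rdata":"00000000/9j/4AAQSkZJRgABAQAAAQABAAD/4SH0RXhpZgAASUkqAAgAAAADABIBAwAB"}]}}
{"event_type":"dns","dns":{"version":3,"type":"response","rcode":"NOERROR","answers":[{"rrname":"example.test","rrtype":"TXT","ttl":3600,"rdata":"v=spf1 include:_spf.example.test -all"}]}}
"""

# A run of 40+ base64 characters; short tokens such as "spf1" never qualify.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Assumed file signatures to look for at the start of the decoded bytes.
MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG": "png", b"MZ": "pe", b"\x7fELF": "elf"}

def classify_rdata(rdata):
    """Return (label, hex of first 4 bytes) if rdata holds a decodable base64 blob, else None."""
    m = B64_RUN.search(rdata)
    run = m.group(0) if m else ""
    # The issue's record has an eight-digit prefix before the base64 body (assumed to be a
    # chunk counter), so try the run with and without leading digits; a known magic wins.
    fallback = None
    for cand in (run, run.lstrip("0123456789")):
        cand = cand[: len(cand) - len(cand) % 4]  # drop a trailing partial quartet
        if len(cand) < 40:
            continue
        try:
            blob = base64.b64decode(cand, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        for magic, name in MAGIC.items():
            if blob.startswith(magic):
                return name, blob[:4].hex()
        fallback = fallback or ("unknown-binary", blob[:4].hex())
    return fallback

def find_encoded_txt_answers(eve_text):
    """Return [(rrname, label, hex)] for TXT answers in EVE dns records whose rdata is a blob."""
    hits = []
    for line in eve_text.splitlines():
        rec = json.loads(line)
        if rec.get("event_type") != "dns":
            continue
        for ans in rec["dns"].get("answers", []):
            result = classify_rdata(ans.get("rdata", "")) if ans.get("rrtype") == "TXT" else None
            if result:
                hits.append((ans["rrname"], *result))
    return hits
```

On the sample above, the first answer is reported as a JPEG (decoded prefix ffd8ffe0) and the SPF record is ignored; a native dns.rdata keyword would let the same match run inline in the engine instead of after the fact on the log.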
