Feature #8384
Updated by Victor Julien 2 days ago
The data below is extracted from an "event_type:dns" record/log in Suricata. We have the data and we can query it in the SIEM - which is great. What would be ideal is to add a keyword (in Suricata 8/9) to match exactly on that buffer - something like "dns.rdata" - for inspecting it.

<pre><code class="json">
"dns": {
  "version": 3,
  "type": "response",
  "tx_id": 2,
  "id": 37949,
  "flags": "8400",
  "qr": true,
  "aa": true,
  "opcode": 0,
  "rcode": "NOERROR",
  "queries": [
    {
      "rrname": "verify.timeserversync.com",
      "rrtype": "TXT"
    }
  ],
  "answers": [
    {
      "rrname": "verify.timeserversync.com",
      "rrtype": "TXT",
      "ttl": 300,
      "rdata": "00000000/9j/4AAQSkZJRgABAQAAAQABAAD/4SH0RXhpZgAASUkqAAgAAAADABIBAwABAAAAAQAAADEBAgAHAAAAMgAAAGmHBAABAAAAOgAAAMgAAABQaWNhc2EAAAYAAJAHAAQAAAAwMjIwAaADAAEAAAABAAAAAqAEAAEAAAAABAAAA6AEAAEAAAAABAAABaAEAAEA"
    }
  ]
}
</code></pre>

Public pcap location: https://www.activecountermeasures.com/malware-of-the-day-txt-record-abuse-in-dns-c2-joker-screenmate/