Feature #6497


dns: new detection buffer: dns.query.name

Added by Jason Ish about 1 year ago. Updated about 1 year ago.

Status: Closed
Priority: Normal

Description

Add a new buffer, dns.query.name to allow matches on the "name" field in the DNS queries array.

Unlike the existing dns.query_name buffer, this will look at both the request and the response, and the flow keyword can be used to limit its scope.

In the to-server direction this duplicates the existing dns.query_name keyword; however, there is an expectation that that keyword only detects in the to-server direction, and extending it to match in the to-client direction could cause a large number of unexpected alerts.
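As an added illustration (not Suricata's code and not part of this feature request), the following Python models the direction semantics described above: a minimal DNS question-name decoder run over constructed request and response messages, a `match_query_name` function that behaves like the existing dns.query_name keyword (requests only), and a `match_dns_query_name` function that behaves like the proposed dns.query.name buffer (both directions, narrowed by a flow direction when one is given). The helper names, the sample messages, and the substring-match rule model are assumptions made for the illustration, not Suricata's rule engine.

```python
"""
Illustration of the direction semantics of dns.query_name (requests only)
versus the proposed dns.query.name buffer (both directions, optionally
restricted with flow). This is example code, not Suricata's implementation.
"""
import struct
from typing import List, Optional, Tuple


def build_dns_message(name: str, txid: int = 0x1234, response: bool = False) -> bytes:
    """Constructed sample DNS message (not captured traffic): one A question,
    plus one compressed-name answer when building a response."""
    flags = 0x8180 if response else 0x0100          # QR bit set on responses
    ancount = 1 if response else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"
    msg = header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    if response:
        # Answer: pointer to the question name at offset 12, A/IN, TTL 60, 10.0.0.1
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([10, 0, 0, 1])
    return msg


def read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a DNS name at offset, following RFC 1035 compression pointers
    with a hop limit. Returns (dotted name, offset just after the name)."""
    labels: List[str] = []
    end: Optional[int] = None
    hops = 0
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                     # compression pointer
            if offset + 1 >= len(msg):
                raise ValueError("truncated pointer")
            if end is None:
                end = offset + 2                      # resume point after first pointer
            hops += 1
            if hops > 16:
                raise ValueError("pointer loop")
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            continue
        offset += 1
        if length == 0:
            break
        if offset + length > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def is_response(msg: bytes) -> bool:
    """QR bit of the DNS header flags."""
    return bool(struct.unpack("!H", msg[2:4])[0] & 0x8000)


def parse_question_names(msg: bytes) -> List[str]:
    """Names from the question section; present in both requests and responses."""
    if len(msg) < 12:
        raise ValueError("short header")
    qdcount = struct.unpack("!H", msg[4:6])[0]
    offset, names = 12, []
    for _ in range(qdcount):
        name, offset = read_name(msg, offset)
        offset += 4                                   # skip QTYPE and QCLASS
        names.append(name)
    return names


def match_query_name(msg: bytes, pattern: str) -> bool:
    """Model of the existing dns.query_name keyword: inspects requests only."""
    if is_response(msg):
        return False
    return any(pattern in n for n in parse_question_names(msg))


def match_dns_query_name(msg: bytes, pattern: str, flow: Optional[str] = None) -> bool:
    """Model of the proposed dns.query.name buffer: inspects the question names
    in both directions; flow="to_server" / "to_client" narrows the scope."""
    direction = "to_client" if is_response(msg) else "to_server"
    if flow is not None and flow != direction:
        return False
    return any(pattern in n for n in parse_question_names(msg))


if __name__ == "__main__":
    req = build_dns_message("bad.example.com")
    resp = build_dns_message("bad.example.com", response=True)
    for label, msg in (("request", req), ("response", resp)):
        print(label, parse_question_names(msg),
              "dns.query_name:", match_query_name(msg, "bad.example"),
              "dns.query.name:", match_dns_query_name(msg, "bad.example"),
              "dns.query.name+flow:to_client:",
              match_dns_query_name(msg, "bad.example", flow="to_client"))
```

Running the block shows the point made in the description: on the request both models alert, on the response only the dns.query.name model does, and adding flow:to_client or flow:to_server brings it back to a single direction.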


Related issues: 1 (0 open, 1 closed)

Related to Suricata - Optimization #2272: Analyze DNS response if query is not present (Rejected, Jason Ish)