aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
suricata/doc/userguide/rules/dns-keywords.rst

179 lines
4.3 KiB
ReStructuredText
Raw Permalink Blame History

DNS Keywords
============
Suricata supports sticky buffers as well as keywords for efficiently
matching on specific fields in DNS messages.
Note that sticky buffers are expected to be followed by one or more
:doc:`payload-keywords`.
dns.answer.name
---------------
``dns.answer.name`` is a sticky buffer that is used to look at the
name field in DNS answer resource records.
``dns.answer.name`` will look at both requests and responses, so
``flow`` is recommended to confine to a specific direction.
The buffer being matched on contains the complete re-assembled
resource name, for example "www.suricata.io".
``dns.answer.name`` supports :doc:`multi-buffer-matching`.
``dns.answer.name`` was introduced in Suricata 8.0.0.
dns.opcode
----------
This keyword matches on the **opcode** found in the DNS header flags.
dns.opcode uses an :ref:`unsigned 8-bit integer <rules-integer-keywords>`.
Syntax
~~~~~~
::
dns.opcode:[!]<number>
dns.opcode:[!]<number1>-<number2>
Examples
~~~~~~~~
Match on DNS requests and responses with **opcode** 4::
dns.opcode:4;
Match on DNS requests where the **opcode** is NOT 0::
dns.opcode:!0;
Match on DNS requests where the **opcode** is between 7 and 15, exclusively:
dns.opcode:7-15;
Match on DNS requests where the **opcode** is not between 7 and 15:
dns.opcode:!7-15;
dns.rcode
---------
This keyword matches on the **rcode** field found in the DNS header flags.
dns.rcode uses an :ref:`unsigned 8-bit integer <rules-integer-keywords>`.
Currently, Suricata only supports rcode values in the range [0-15], while
the current DNS version supports rcode values from [0-23] as specified in
`RFC 6895 <https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6>`_.
We plan to extend the rcode values supported by Suricata according to RFC 6895
as tracked by the ticket: https://redmine.openinfosecfoundation.org/issues/6650
Syntax
~~~~~~
::
dns.rcode:[!]<number>
dns.rcode:[!]<number1>-<number2>
Examples
~~~~~~~~
Match on DNS requests and responses with **rcode** 4::
dns.rcode:4;
Match on DNS requests and responses where the **rcode** is NOT 0::
dns.rcode:!0;
dns.rrtype
----------
This keyword matches on the **rrtype** (integer) found in the DNS message.
dns.rrtype uses an :ref:`unsigned 16-bit integer <rules-integer-keywords>`.
Syntax
~~~~~~
::
dns.rrtype:[!]<number>
Examples
~~~~~~~~
Match on DNS requests and responses with **rrtype** 4::
dns.rrtype:4;
Match on DNS requests and responses where the **rrtype** is NOT 0::
dns.rrtype:!0;
dns.query
---------
``dns.query`` is a sticky buffer that is used to inspect DNS query
names in DNS request messages. Example::
alert dns any any -> any any (msg:"Test dns.query option"; dns.query; content:"google"; nocase; sid:1;)
Being a sticky buffer, payload keywords such as content are to be used after ``dns.query``:
.. image:: dns-keywords/dns_query.png
The ``dns.query`` keyword affects all following contents, until
pkt_data is used or it reaches the end of the rule.
.. note:: **dns.query** is equivalent to the older **dns_query**.
.. note:: **dns.query** will only match on DNS request messages, to
also match on DNS response message, see
`dns.query.name`_.
``dns.query.name`` supports :doc:`multi-buffer-matching`.
Normalized Buffer
~~~~~~~~~~~~~~~~~
Buffer contains literal domain name
- <length> values (as seen in a raw DNS request)
are literal '.' characters
- no leading <length> value
- No terminating NULL (0x00) byte (use a negated relative ``isdataat``
to match the end)
Example DNS request for "mail.google.com" (for readability, hex
values are encoded between pipes):
DNS query on the wire (snippet)::
|04|mail|06|google|03|com|00|
``dns.query`` buffer::
mail.google.com
dns.query.name
---------------
``dns.query.name`` is a sticky buffer that is used to look at the name
field in DNS query (question) resource records. It is nearly identical
to ``dns.query`` but supports both DNS requests and responses.
``dns.query.name`` will look at both requests and responses, so
``flow`` is recommended to confine to a specific direction.
The buffer being matched on contains the complete re-assembled
resource name, for example "www.suricata.io".
``dns.query.name`` supports :doc:`multi-buffer-matching`.
``dns.query.name`` was introduced in Suricata 8.0.0.
Reference in New Issue View Git Blame Copy Permalink