mDNS Keywords
=============

Suricata supports sticky buffers for efficiently matching on specific
fields in mDNS (Multicast DNS) messages.

Note that sticky buffers are expected to be followed by one or more
:doc:`payload-keywords`.

mdns.queries.rrname
-------------------

``mdns.queries.rrname`` is a sticky buffer that is used to look at the
name field in mDNS query resource records.

The buffer being matched on contains the complete re-assembled
resource name, for example "host.local".

``mdns.queries.rrname`` supports :doc:`multi-buffer-matching`.

Example::

  alert udp any any -> any 5353 (msg:"mDNS query for .local domain"; \
    mdns.queries.rrname; content:".local"; sid:1;)

mdns.answers.rrname
-------------------

``mdns.answers.rrname`` is a sticky buffer that is used to look at the
name field in mDNS answer resource records.

The buffer being matched on contains the complete re-assembled
resource name, for example "printer.local".

``mdns.answers.rrname`` supports :doc:`multi-buffer-matching`.

Example::

  alert udp any 5353 -> any any (msg:"mDNS answer for printer.local"; \
    mdns.answers.rrname; content:"printer.local"; sid:2;)

mdns.authorities.rrname
-----------------------

``mdns.authorities.rrname`` is a sticky buffer that is used to look at the
name field in mDNS authority resource records.

The buffer being matched on contains the complete re-assembled
resource name, for example "device.local".

``mdns.authorities.rrname`` supports :doc:`multi-buffer-matching`.

Example::

  alert udp any 5353 -> any any (msg:"mDNS authority record check"; \
    mdns.authorities.rrname; content:"auth.local"; sid:3;)

mdns.additionals.rrname
-----------------------

``mdns.additionals.rrname`` is a sticky buffer that is used to look at
the name field in mDNS additional resource records.

The buffer being matched on contains the complete re-assembled
resource name, for example "service.local".

``mdns.additionals.rrname`` supports :doc:`multi-buffer-matching`.

Example::

  alert udp any any -> any 5353 (msg:"mDNS additional record check"; \
    mdns.additionals.rrname; content:"_companion-link._tcp.local"; nocase; sid:4;)

mdns.response.rrname
--------------------

``mdns.response.rrname`` is a sticky buffer that is used to inspect
all the rrname fields in a response: those in the queries, answers,
authorities and additionals sections. It also inspects rdata fields
whose content has the same format as an rrname (a hostname), so a
name that appears only as record data, not as a record name, is still
visible to this buffer.

``rdata`` types that will be inspected are:

* CNAME
* PTR
* MX
* NS
* SOA

Example::

  alert udp any 5353 -> any any (msg:"mDNS answer data match"; \
    mdns.response.rrname; content:"Apple TV"; sid:5;)