如何在DNS rdata / IP地址上触发规则?
[英]How to make rule trigger on DNS rdata/IP address?
问题描述
我目前在Suricata中设置了以下DNS查询警报规则(出于测试目的):
alert dns any any -> any any (msg:”Test dns_query option”; dns_query; content:”google”; nocase; sid:1;)
当它捕获包含单词“ google”的DNS事件时触发该事件,例如在此数据包中:
{"timestamp":"2017-06-08T15:58:59.907085+0000","flow_id":1798294020028434,"in_iface":"ens33","event_type":"dns","src_ip":"172.16.10.132","src_port":53,"dest_ip":"192.168.160.140","dest_port":52385,"proto":"UDP","dns":{"type":"answer","id":57334,"rcode":"NOERROR","rrname":"www.google.com","rrtype":"A","ttl":300,"rdata":"172.217.12.164"}}
但是,我不想使用包含“ google”的资源记录名称,而是要使用相同类型的警报来触发解析为回送的IP地址,例如以下数据包(请注意rdata字段):
{"timestamp":"2017-06-08T15:59:37.120927+0000","flow_id":36683121284050,"in_iface":"ens33","event_type":"dns","src_ip":"172.16.10.132","src_port":53,"dest_ip":"192.168.160.140","dest_port":62260,"proto":"UDP","dns":{"type":"answer","id":53553,"rcode":"NOERROR","rrname":"outlook1.us","rrtype":"A","ttl":120,"rdata":"127.0.0.1"}}
正如我已经注意到的,Suricata规则的content部分仅搜索字符串。 我当前的规则是在与rrname / domain匹配的文本上触发的,我如何使它在rdata / IP地址上触发?
ps出于好奇,我尝试将警报的内容部分中的“ google”替换为“ 127.0.0.1”,但也没有达到预期的效果。
1 个解决方案
解决方案1
0 已采纳 2017-06-09 15:28:39
IP地址只是一个32位数字。 在规则中,出于效率和节省带宽的目的,IP应该表示为十六进制值而不是字符串(字符串将是8+字节,而不是4字节)。
这是我的Suricata最后一条规则,用于在有人被发送到我的网络上的环回时发出警报:
alert dns any any -> any any (msg:"BLACKLISTED DOMAIN"; content:"|7F 00 00 01|"; sid:1;)
BIND轮询DNS:如何仅用一个IP地址进行nslookup答复
[英]BIND round robin dns: how to make nslookup reply with just one ip address
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.