如何在DNS rdata / IP地址上觸發規則?
[英]How to make rule trigger on DNS rdata/IP address?
問題描述
我目前在Suricata中設置了以下DNS查詢警報規則(出於測試目的):
alert dns any any -> any any (msg:”Test dns_query option”; dns_query; content:”google”; nocase; sid:1;)
當它捕獲包含單詞“ google”的DNS事件時觸發該事件,例如在此數據包中:
{"timestamp":"2017-06-08T15:58:59.907085+0000","flow_id":1798294020028434,"in_iface":"ens33","event_type":"dns","src_ip":"172.16.10.132","src_port":53,"dest_ip":"192.168.160.140","dest_port":52385,"proto":"UDP","dns":{"type":"answer","id":57334,"rcode":"NOERROR","rrname":"www.google.com","rrtype":"A","ttl":300,"rdata":"172.217.12.164"}}
但是,我不想使用包含“ google”的資源記錄名稱,而是要使用相同類型的警報來觸發解析為回送的IP地址,例如以下數據包(請注意rdata字段):
{"timestamp":"2017-06-08T15:59:37.120927+0000","flow_id":36683121284050,"in_iface":"ens33","event_type":"dns","src_ip":"172.16.10.132","src_port":53,"dest_ip":"192.168.160.140","dest_port":62260,"proto":"UDP","dns":{"type":"answer","id":53553,"rcode":"NOERROR","rrname":"outlook1.us","rrtype":"A","ttl":120,"rdata":"127.0.0.1"}}
正如我已經注意到的,Suricata規則的content部分僅搜索字符串。 我當前的規則是在與rrname / domain匹配的文本上觸發的,我如何使它在rdata / IP地址上觸發?
ps出於好奇,我嘗試將警報的內容部分中的“ google”替換為“ 127.0.0.1”,但也沒有達到預期的效果。
1 個解決方案
解決方案1
0 已采納 2017-06-09 15:28:39
IP地址只是一個32位數字。 在規則中,出於效率和節省帶寬的目的,IP應該表示為十六進制值而不是字符串(字符串將是8+字節,而不是4字節)。
這是我的Suricata最后一條規則,用於在有人被發送到我的網絡上的環回時發出警報:
alert dns any any -> any any (msg:"BLACKLISTED DOMAIN"; content:"|7F 00 00 01|"; sid:1;)
BIND輪詢DNS:如何僅用一個IP地址進行nslookup答復
[英]BIND round robin dns: how to make nslookup reply with just one ip address
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.