我目前在Suricata中设置了以下DNS查询警报规则(用于测试目的):
alert dns any any -> any any (msg:”Test dns_query option”; dns_query; content:”google”; nocase; sid:1;)
当它捕获包含“google”一词的DNS事件时触发,例如在此数据包中:
{"timestamp":"2017-06-08T15:58:59.907085+0000","flow_id":1798294020028434,"in_iface":"ens33","event_type":"dns","src_ip":"172.16.10.132","src_port":53,"dest_ip":"192.168.160.140","dest_port":52385,"proto":"UDP","dns":{"type":"answer","id":57334,"rcode":"NOERROR","rrname":"www.google.com","rrtype":"A","ttl":300,"rdata":"172.217.12.164"}}
但是,我不想搜索包含“google”的资源记录名称,而是希望使用同一类型的警报来触发解析为环回的IP地址,就像下面的数据包一样(注意{{ 1}} field):
rdata正如我所注意到的,Suricata规则的{"timestamp":"2017-06-08T15:59:37.120927+0000","flow_id":36683121284050,"in_iface":"ens33","event_type":"dns","src_ip":"172.16.10.132","src_port":53,"dest_ip":"192.168.160.140","dest_port":62260,"proto":"UDP","dns":{"type":"answer","id":53553,"rcode":"NOERROR","rrname":"outlook1.us","rrtype":"A","ttl":120,"rdata":"127.0.0.1"}}
部分仅搜索字符串。
我的当前规则在与rrname / domain的文本匹配时触发,我将如何使该规则在rdata / IP地址上触发?
P.S。 出于好奇,我尝试用“127.0.0.1”替换警报内容部分中的“google”,这也没有按预期工作。
答案 0 :(得分:0)
ip地址只是一个32位的数字。在规则中,为了提高效率和节省带宽,IP应该表示为十六进制值而不是字符串(字符串将是8个字节而不是4个字节)。
这是我的最终Suricata规则,当有人被我的网络发送回环时,它会发出警报:
alert dns any any -> any any (msg:"BLACKLISTED DOMAIN"; content:"|7F 00 00 01|"; sid:1;)