I am trying to detect the network traffic behind the following log entry:
{"timestamp":"2018-11-02T09:50:41.504771+0100","flow_id":XXXXXXXXXXX,"in_iface":"eth0","event_type":"dns","src_ip":"XXX.XXX.152.34","src_port":XX,"dest_ip":"XX.XX.XX.100","dest_port":63015,"proto":"UDP","dns":{"type":"answer","id":57901,"rcode":"SERVFAIL","rrname":"www.XXXX.XXX"}}
I want to detect the traffic which received no response; in this log that is: `"rcode":"SERVFAIL"`.
What should the rule look like? I tried the following one, but it does not work.
alert ip $HOME_NET any -> any any (msg:"ERR ADDR"; content:"SERVFAIL"; sid:1000003; rev:1;)