1

我目前在 Suricata 中设置了以下 DNS 查询警报规则(用于测试目的):

 alert dns any any -> any any (msg:”Test dns_query option”; dns_query; content:”google”; nocase; sid:1;)

当它捕获包含单词“google”的DNS事件时触发,例如在这个数据包中:

{"timestamp":"2017-06-08T15:58:59.907085+0000","flow_id":1798294020028434,"in_iface":"ens33","event_type":"dns","src_ip":"172.16.10.132","src_port":53,"dest_ip":"192.168.160.140","dest_port":52385,"proto":"UDP","dns":{"type":"answer","id":57334,"rcode":"NOERROR","rrname":"www.google.com","rrtype":"A","ttl":300,"rdata":"172.217.12.164"}}

但是,我不想搜索包含“google”的资源记录名称,而是想使用这种相同类型的警报来触发解析为环回的 IP 地址,就像以下数据包的情况一样(注意该rdata字段):

{"timestamp":"2017-06-08T15:59:37.120927+0000","flow_id":36683121284050,"in_iface":"ens33","event_type":"dns","src_ip":"172.16.10.132","src_port":53,"dest_ip":"192.168.160.140","dest_port":62260,"proto":"UDP","dns":{"type":"answer","id":53553,"rcode":"NOERROR","rrname":"outlook1.us","rrtype":"A","ttl":120,"rdata":"127.0.0.1"}}

正如我所注意到的,contentSuricata 规则部分仅搜索字符串。我当前的规则在与 rrname/domain 的文本匹配时触发,我将如何使规则在 rdata/IP 地址上触发?

ps 出于好奇,我尝试将警报内容部分中的“google”替换为“127.0.0.1”,但正如预期的那样,这也不起作用。

4

1 回答 1

1

IP 地址只是一个 32 位数字。在规则中,IP 应表示为十六进制值而不是字符串,以提高效率和节省带宽(字符串将是 8+ 字节而不是 4 字节)。

这是我的最终 Suricata 规则,当有人被发送到我的网络上的环回时发出警报:

alert dns any any -> any any (msg:"BLACKLISTED DOMAIN"; content:"|7F 00 00 01|"; sid:1;)
于 2017-06-09T15:28:39.603 回答