I’m trying to write a suricata rule to alert on class C IP range (192.168.1.0/24) in DNS responses.
I found this answer tackling the same problem but with a specific IP in the DNS response (loopback IP):
domain name system - How to make rule trigger on DNS rdata/IP address? - Server Fault
How can I do the same, but detecting any IP in the class C range?
Can I use regex to detect content in the rdata field?
I’ll give you an example CIDR to see if it works for you.
alert ip [0.0.0.0/8,192.0.0.0/24,192.0.2.0/24,198.18.0.0/15,198.51.100.0/24,203.0.113.0/24] any -> $HOME_NET any (msg:"...............
Unfortunately that doesn’t solve my problem.
I forgot to mention that I need this rule to detect internal DNS leakage.
It would be a good feature request to add dns.response in addition to the already available keyword dns.query. What you could do is post processing to alert on the event_type dns where you do have the response field.
You could also try to use the more common keywords to match on specific content parts.
For sure it would be nice to have a dns.response keyword.
Post processing all dns alerts would however require so many resources.
Could you give examples on "more common keywords" that I can use?
This is a much more tricky problem than it really should be.
There is a feature request that should help out, but until then, this rule will work for you.
alert dns any any -> any any (msg:"DNS Response with Answer in 192.168.1.0/24"; content:"|00 01 00 01|"; distance:0; content:"|00 04 c0 a8 01|"; distance:4; within:5; fast_pattern; sid:1;)
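As an added example, not code from the thread or from the Suricata project: a small Python script that builds a constructed DNS response and shows two things, how the byte pattern in the rule above (|00 01 00 01|, distance:4, |00 04 c0 a8 01| within:5) lines up with an A record for 192.168.1.0/24, and how a parser-based post-processing check generalises the same idea to any CIDR prefix. All function names are mine, and the sample packet is constructed.

```python
import ipaddress
import struct
# Constructed sample: a minimal DNS response (ID 0x1234, flags 0x8180) with one
# question and one A-record answer whose name is a pointer to offset 12.
def build_dns_response(name, ip, ttl=300):
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)          # QTYPE A, QCLASS IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answer

# Emulates the rule's content chain: TYPE A + CLASS IN (|00 01 00 01|), skip the
# 4-byte TTL (distance:4), then RDLENGTH 4 + first three octets of 192.168.1.0/24
# (|00 04 c0 a8 01|) must sit exactly there (within:5). Like Suricata, it retries
# later occurrences of the first content, so the header's and question's
# |00 01 00 01| bytes do not cause a miss.
def rule_matches(payload, prefix_octets=b"\xc0\xa8\x01"):
    first = b"\x00\x01\x00\x01"
    pos = payload.find(first)
    while pos != -1:
        at = pos + len(first) + 4
        if payload[at:at + 5] == b"\x00\x04" + prefix_octets:
            return True
        pos = payload.find(first, pos + 1)
    return False

# Advance past a DNS name: length-prefixed labels ending in 0x00, or a two-byte
# compression pointer (top two bits set).
def _skip_name(payload, off):
    while payload[off] != 0 and payload[off] & 0xC0 != 0xC0:
        off += payload[off] + 1
    return off + (2 if payload[off] & 0xC0 == 0xC0 else 1)

# Post-processing alternative: parse the answer section properly and test every
# A record against any CIDR prefix, which a fixed byte pattern cannot express.
def answers_in_prefix(payload, cidr):
    net = ipaddress.ip_network(cidr)
    qdcount, ancount = struct.unpack("!HH", payload[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(payload, off) + 4               # skip QTYPE + QCLASS
    hits = []
    for _ in range(ancount):
        off = _skip_name(payload, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ip = ipaddress.IPv4Address(payload[off:off + 4])
            hits += [str(ip)] if ip in net else []
        off += rdlen
    return hits
```

The byte-pattern check only ever covers the single /24 baked into it, while answers_in_prefix accepts any prefix, which is the gap the requested dns.response keyword would close.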