Filter dns query by wildcard rather then by ip address

Good evening,

I’m fairly new with suricata and looking to do some rule tuning in my network. I found a fairly noisey alert from my dns servers querying quickconnect.to from synology due to a ET .to TDR rule

I don’t want to block the ip of the nameserver but exclude a wildcard of anything with quickconnect so the rule still generates on true positives.

What would be the best way to exclude dns queries?

Thanks!

I’m a little unclear on what you are trying to do here, could you provide a little more detail?

For your Synology, and your Synology only are you trying to block all DNS requests except for requests for quickconnect.io?

Hey Jason.

I’m getting alerts based on sig 2027757 about queries for .TO

The queries are to *.quickconnect.io because i know these synology requests are legitimate, I would like to exclude/filter all dns queries to *.quickconnect.to to filter out the noise from the suricata box

I was looking at doing a bypass statement in the local.rule file possibly shown below but not sure if this would work
Alert dns $home any → any any (dns.query;content:”*.quickconnect.to”;bypass;sid:X;rev:1;)

Hi,

In order to make sure anything from this specific domain does not generate alert (for any dns signature) , you can use the following:

pass dns any any -> any any (msg:"Domain pass - DNS wildcard "; dns.query; content:".quickconnect.to"; nocase; endswith; sid:111;)

In order to make sure this specific domain does not generate an alert for only this specific rule, you can also modify the rule itself and add:
content:!".quickconnect.to"; nocase; endswith;

Suricata will still produce DNS records aka -"event_type":"dns" for that domain regardless if there is an alert generated or not. If you want to suppress those DNS protocol records for this specific domain , you can use the following:

config dns any any -> any any (msg:"Conditional logging - DNS wildcard "; dns.query; content:".quickconnect.to"; nocase; endswith; config: logging disable, type tx, scope tx; sid:222;)

For more information - 6.33. Config Rules — Suricata 6.0.11 documentation

Hi peter,

Thank you for this! I’m still having a bit of trouble with the rule still generating. I tried the first option in my local.rules file but it still generates.

I add the content:!“.quickconnect.to”; nocase; endswith; after dns.query; content:“.to”; endswith; but still have had no success.

Do i need to replace dns.query; content:“.to”; endswith; with content:!“.quickconnect.to”; nocase; endswith;

One thing i would check is if all expected rules are loaded? Maybe try a local test with only this rule and only a small pcap? Something like:

suricata -S test.rules -k none -r test.pcap - l log/