Sorry, not retyping the entire story here, read here.
TLDR; My opinion, SVCB data can be used by “rogue” applications to bypass the system configured DNS server, therefore, I would like to add a suricata rule that blocks SVCB (type 64) DNS queries. The suricata documentation unfortunately comes without an example, a duckduckgo search didn’t provide such an example (block by query type) either. Other sources (TheSecurityAnalystsGuidetoSuricata) also doesn’t provide an answer
possible?
edit
wireshark says these two bytes indicate type 64 (svcb), how would suricata be able to match (reject / block) this?
/edit
further testing, an attempt to get an alert.
this appears to be working:
alert dns any any -> $EXTERNAL_NET 53 (msg:"SVCB query (DoH)"; content:"|00 00 40 00 01|"; fast_pattern; classtype:external-ip-check; sid:1000002; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2022_12_27, deployment Perimeter, former_category DNS, signature_severity Minor, updated_at 2022_12_27;)
when I add content (to avoid mismatches - see here for similarity):
content:"|00 01 00 00 00 00 00 01|"; content:"|00 00 40 00 01|"; fast_pattern; distance:3;
what does it mean ( I think):
- the “content” is everything, starting from “Domain Name System”
- the Transaction ID will always be unique, so not part of the suricata rule
- first content (00 01 00 00 00 00 00 01) = “questions”, “Answer RRs”, “Authorithy RRs”, “Additional RRs”
- the minimum valid domain length is 3, example “x.x”, hence “distance:3”
- second content (00 00 40 00 01) = “null termination of domain”, “query type”, “Class”
ideas? comments?
