Suricata rule to block dns query type 64 (svcb)

Further testing, an attempt to get an alert.

This appears to be working:

alert dns any any -> $EXTERNAL_NET 53 (msg:"SVCB query (DoH)"; content:"|00 00 40 00 01|"; fast_pattern; classtype:external-ip-check; sid:1000002; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2022_12_27, deployment Perimeter, former_category DNS, signature_severity Minor, updated_at 2022_12_27;)

When I add content (to avoid mismatches; see here for similarity):

content:"|00 01 00 00 00 00 00 01|"; content:"|00 00 40 00 01|"; fast_pattern; distance:3;

What it means (I think):

  • the “content” is everything, starting from “Domain Name System”
  • the Transaction ID will always be unique, so it is not part of the Suricata rule
  • first content (00 01 00 00 00 00 00 01) = “Questions”, “Answer RRs”, “Authority RRs”, “Additional RRs”
  • the minimum valid domain length is 3, example “x.x”, hence “distance:3”
  • second content (00 00 40 00 01) = “null termination of domain”, “query type”, “Class”

Ideas? Comments?
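As an added example (not part of the original post, and not Suricata's own matching code), the following Python script builds DNS queries on the wire and applies the two content matches from the rule with the same "distance" semantics (the second content must start at least 3 bytes after the end of the first match). The query builder assumes a standard recursive query with an EDNS0 OPT record in the additional section, which is why ARCOUNT is 1; the transaction ID and the 4096-byte EDNS size are arbitrary constructed values. Running it shows which queries the byte patterns select: an SVCB (type 64) query with an OPT record matches, A and HTTPS (type 65) queries do not, and a type 64 query sent without any additional record does not match the two-content form because the first content fixes ARCOUNT at 1.

```python
"""Construct DNS queries and test them against the rule's byte patterns.

Added example, not code from the original post. The matcher only mimics the
content/distance logic of the rule; it is not Suricata's detection engine.
"""
import struct

QTYPE_A = 1
QTYPE_SVCB = 64
QTYPE_HTTPS = 65
QCLASS_IN = 1

# Byte patterns taken from the rule. Suricata matches content against the raw
# UDP payload, which for DNS begins at the 2-byte transaction ID.
CONTENT_COUNTS = bytes.fromhex("0001000000000001")   # QD=1, AN=0, NS=0, AR=1
CONTENT_END_TYPE = bytes.fromhex("0000400001")       # 00 | type 64 | class IN
DISTANCE = 3                                         # distance:3 in the rule


def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS labels: length byte + label, then a 0 byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_dns_query(name: str, qtype: int, txid: int = 0x1234, edns: bool = True) -> bytes:
    """Build a standard recursive query (flags 0x0100). With edns=True an EDNS0
    OPT record is appended to the additional section, so ARCOUNT becomes 1.
    txid and the 4096-byte EDNS size are constructed sample values."""
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    opt = b""
    if edns:
        # OPT RR: root name (00), TYPE 41, UDP size 4096, ext-rcode/version/flags 0, RDLEN 0
        opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)
    return header + question + opt


def parse_query(payload: bytes) -> dict:
    """Decode header counts and the first question, to show where the rule's
    bytes sit in a real packet."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    labels, pos = [], 12
    while payload[pos]:
        n = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    pos += 1  # skip the 0 terminator
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return {"txid": txid, "flags": flags, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar, "qname": ".".join(labels),
            "qtype": qtype, "qclass": qclass}


def matches_rule(payload: bytes) -> bool:
    """Apply the two content matches: CONTENT_COUNTS anywhere, then
    CONTENT_END_TYPE starting at least DISTANCE bytes after its end.
    Every occurrence of the first content is tried, as Suricata would."""
    start = payload.find(CONTENT_COUNTS)
    while start >= 0:
        search_from = start + len(CONTENT_COUNTS) + DISTANCE
        if payload.find(CONTENT_END_TYPE, search_from) >= 0:
            return True
        start = payload.find(CONTENT_COUNTS, start + 1)
    return False


if __name__ == "__main__":
    samples = [("x.x", QTYPE_SVCB, True), ("x", QTYPE_SVCB, True),
               ("example.com", QTYPE_A, True), ("example.com", QTYPE_HTTPS, True),
               ("example.com", QTYPE_SVCB, True), ("example.com", QTYPE_SVCB, False)]
    for name, qtype, edns in samples:
        pkt = build_dns_query(name, qtype, edns=edns)
        print(f"{name:12} type={qtype:3} edns={edns!s:5} -> {matches_rule(pkt)}  {pkt.hex()}")
```

The interesting rows are the ones the post's reasoning does not cover: "x" (single label, terminator only 2 bytes after the counts) is rejected by distance:3, and a type 64 query without an OPT record never reaches the second content because "00 01 00 00 00 00 00 01" is not present in its header.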