How to make a rule trigger on DNS rdata / IP address? (tags: dns, snort, suricata)


I currently have the following DNS query alert rule set up in Suricata (for testing purposes):

It triggers whenever it catches a DNS event containing the word "google", for example in the following packet:

{"timestamp":"2017-06-08T15:58:59.907085+0000","flow_id":1798294020028434,"in_iface":"ens33","event_type":"dns","src_ip":"172.16.10.132","src_port":53,"dest_ip":"192.168.160.140","dest_port":52385,"proto":"UDP","dns":{"type":"answer","id":57334,"rcode":"NOERROR","rrname":"www.google.com","rrtype":"A","ttl":300,"rdata":"172.217.12.164"}}

However, instead of searching for resource record names containing "google", I want this same alert to trigger on IP addresses that resolve to loopback, as in the packet below (note the rdata field):

{"timestamp":"2017-06-08T15:59:37.120927+0000","flow_id":36683121284050,"in_iface":"ens33","event_type":"dns","src_ip":"172.16.10.132","src_port":53,"dest_ip":"192.168.160.140","dest_port":62260,"proto":"UDP","dns":{"type":"answer","id":53553,"rcode":"NOERROR","rrname":"outlook1.us","rrtype":"A","ttl":120,"rdata":"127.0.0.1"}}

As I've noticed, the content part of a Suricata rule only searches for strings. My current rule triggers on a text match against the rrname/domain; how can I make it trigger on the rdata/IP address?

P.S. Out of curiosity, I tried replacing "google" with "127.0.0.1" in the content part of the alert, but that did not work as expected either.

An IP address is just a 32-bit number. In the rule, the IP should be represented as hex values rather than as a string, for efficiency and to save bandwidth (a string would be 8+ bytes instead of 4).

Here is my final Suricata rule, to alert whenever anyone on my network gets sent to loopback:

alert dns any any -> any any (msg:"BLACKLISTED DOMAIN"; content:"|7F 00 00 01|"; sid:1;)
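As an added example (not part of the original question or answer, and not Suricata code), the Python below builds the two DNS answers from the question in wire format and shows why content:"127.0.0.1" cannot match while content:"|7F 00 00 01|" does: the A record's rdata is four raw bytes, not ASCII text. The packet builder and the content parser are my own simplified approximations of what Suricata matches against.

```python
import socket
import struct

def build_dns_a_answer(txid: int, name: str, ip: str, ttl: int) -> bytes:
    """Assemble a minimal DNS response: header, one question, one A answer (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)      # QR=1, RD/RA set, rcode NOERROR
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)                      # QTYPE=A, QCLASS=IN
    rdata = socket.inet_aton(ip)                                      # the A record is 4 raw bytes
    # 0xC00C is a compression pointer back to the name at offset 12 (start of the question section)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer

def content_to_bytes(content: str) -> bytes:
    """Turn a Suricata content value into the raw bytes it matches: text is literal, |..| sections are hex."""
    parts = content.split("|")
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode() for i, p in enumerate(parts))

def content_matches(payload: bytes, content: str) -> bool:
    """A bare content match scans the whole payload (every field, not only rdata), as Suricata's does."""
    return content_to_bytes(content) in payload

def ip_to_content(ip: str) -> str:
    """Dotted quad -> the |hex| content syntax used in the answer's rule, e.g. 127.0.0.1 -> |7F 00 00 01|."""
    return "|" + " ".join(f"{b:02X}" for b in socket.inet_aton(ip)) + "|"

if __name__ == "__main__":
    # Constructed packets mirroring the two eve.json events quoted in the question.
    google = build_dns_a_answer(57334, "www.google.com", "172.217.12.164", 300)
    loopback = build_dns_a_answer(53553, "outlook1.us", "127.0.0.1", 120)
    for tag, pkt in (("google", google), ("loopback", loopback)):
        print(tag, "matches 'google':", content_matches(pkt, "google"),
              "| matches '127.0.0.1':", content_matches(pkt, "127.0.0.1"),
              "| matches |7F 00 00 01|:", content_matches(pkt, ip_to_content("127.0.0.1")))
```

Because a bare content match covers the entire DNS payload, those same four bytes occurring in any other field would also fire; that is acceptable for the test rule in the question but worth remembering before deploying it widely.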