File: mdns-keywords.rst

Package: suricata 1:8.0.1-3 (Debian, area main, suites forky and sid)
mDNS Keywords
=============

Suricata supports sticky buffers for efficiently matching on specific
fields in mDNS (Multicast DNS) messages.

Note that sticky buffers are expected to be followed by one or more
:doc:`payload-keywords`.

mdns.queries.rrname
-------------------

``mdns.queries.rrname`` is a sticky buffer that is used to look at the
rrname field in mDNS query resource records.

The buffer being matched on contains the complete re-assembled
resource name, for example "host.local".

``mdns.queries.rrname`` supports :doc:`multi-buffer-matching`.

Example::

  alert udp any any -> any 5353 (msg:"mDNS query for .local domain"; \
      mdns.queries.rrname; content:".local"; sid:1;)

mdns.answers.rrname
-------------------

``mdns.answers.rrname`` is a sticky buffer that is used to look at the
rrname field in mDNS answer resource records.

The buffer being matched on contains the complete re-assembled
resource name, for example "printer.local".

``mdns.answers.rrname`` supports :doc:`multi-buffer-matching`.

Example::

  alert udp any 5353 -> any any (msg:"mDNS answer for printer.local"; \
      mdns.answers.rrname; content:"printer.local"; sid:2;)

mdns.authorities.rrname
-----------------------

``mdns.authorities.rrname`` is a sticky buffer that is used to look at the
rrname field in mDNS authority resource records.

The buffer being matched on contains the complete re-assembled
resource name, for example "device.local".

``mdns.authorities.rrname`` supports :doc:`multi-buffer-matching`.

Example::

  alert udp any 5353 -> any any (msg:"mDNS authority record check"; \
      mdns.authorities.rrname; content:"auth.local"; sid:3;)

mdns.additionals.rrname
-----------------------

``mdns.additionals.rrname`` is a sticky buffer that is used to look at
the rrname field in mDNS additional resource records.

The buffer being matched on contains the complete re-assembled
resource name, for example "service.local".

``mdns.additionals.rrname`` supports :doc:`multi-buffer-matching`.

Example::

  alert udp any any -> any 5353 (msg:"mDNS additional record check"; \
      mdns.additionals.rrname; content:"_companion-link._tcp.local"; nocase; sid:4;)

mdns.response.rrname
--------------------

``mdns.response.rrname`` is a sticky buffer that is used to inspect
every rrname field in a response: those in the queries, answers,
authorities and additionals sections. It also inspects rdata fields
whose content has the same format as an rrname (a hostname).

``rdata`` types that will be inspected are:

* CNAME
* PTR
* MX
* NS
* SOA

Example::

  alert udp any 5353 -> any any (msg:"mDNS answer data match"; \
      mdns.response.rrname; content:"Apple TV"; sid:5;)
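To show which names the per-section buffers and ``mdns.response.rrname`` are
matched against, here is an added illustration that is not part of Suricata
or of this documentation: a minimal mDNS message walker that re-assembles
compressed names and sorts them into the same buckets the keywords above use.
The sample message, the helper names and the 16-hop pointer limit are all
constructed for this example; Suricata's own parser is not this code.

```python
import struct

NAME_RDATA_TYPES = {2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX"}  # rdata that is itself a name

def read_name(msg, off, max_hops=16):
    """Decode a possibly compressed wire-format name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # compression pointer (RFC 1035 4.1.4)
            if (hops := hops + 1) > max_hops:      # refuse pointer loops in malformed input
                raise ValueError("compression pointer loop")
            end = off + 2 if end is None else end  # parsing resumes after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off

def rrname_buffers(msg):
    """Names each mdns.<section>.rrname buffer would see, keyed by section."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    out = {"queries": [], "answers": [], "authorities": [], "additionals": []}
    name_rdata, off = [], 12
    for _ in range(qd):
        name, off = read_name(msg, off)
        out["queries"].append(name)
        off += 4                                   # skip qtype and qclass
    for section, count in (("answers", an), ("authorities", ns), ("additionals", ar)):
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            out[section].append(name)
            if rtype in NAME_RDATA_TYPES:          # MX: skip 2-byte preference; SOA: MNAME only
                name_rdata.append(read_name(msg, off + 2 if rtype == 15 else off)[0])
            off += rdlen
    out["response"] = [n for s in ("queries", "answers", "authorities", "additionals")
                       for n in out[s]] + name_rdata
    return out

# Constructed sample response (not a real capture): one PTR answer and one A additional.
SAMPLE = (struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 1)                   # flags, qd, an, ns, ar
          + b"\x0f_companion-link\x04_tcp\x05local\x00"                  # answer rrname, offset 12
          + struct.pack("!HHIH", 12, 0x8001, 4500, 11) + b"\x08Apple TV\xc0\x0c"  # PTR rdata -> ptr 12
          + b"\x08Apple-TV\xc0\x21"                                      # additional rrname -> "local" at 33
          + struct.pack("!HHIH", 1, 0x8001, 120, 4) + bytes([10, 0, 0, 5]))       # A record
```

Running ``rrname_buffers(SAMPLE)`` shows why the ``content:"Apple TV"`` rule
above fires on this message: the name only appears in the PTR rdata, which
``mdns.response.rrname`` covers but ``mdns.answers.rrname`` does not.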