
I am new to working with IDSs such as Suricata/Snort. I am currently trying to use Suricata to log DNS requests and responses to malicious domains on my network. On my DNS server I made it so that any request to say, bad.com, would resolve to 127.0.0.1, thus not allowing anybody on my network to access that site.

I have set up Suricata to log all DNS requests, but how do I filter that down and narrow it and tell it to only log requests to 127.0.0.1 and let everything else go unlogged?

I tried to create a rule:

alert dns any any -> 127.0.0.1 any (msg: "BLACKLISTED WEBSITE"; flow:to_client; content:"rrname";sid:2240001;rev:1;)

But that did not work.

What do I need to do to only log DNS requests to certain IPs? I cannot find any information in the documentation or anywhere else on the internet.

Thanks.

Ahad Sheriff

1 Answer


The IP address is just a 32-bit number. In the rule the IP should be represented as a hex value, and not a string, for purposes of efficiency and saving bandwidth (a string will be 8+ bytes as opposed to 4 bytes).

Here is my final Suricata rule to alert whenever somebody gets sent to loopback on my network:

alert dns any any -> any any (msg:"BLACKLISTED DOMAIN"; content:"|7F 00 00 01|"; sid:1;)

Ahad Sheriff
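The following added example (not from the question or answer above, and not Suricata's own code) shows why the hex form works: it renders a sinkhole address as the 4-byte Suricata content pattern, builds a constructed DNS A-record response for a blackholed name, and emulates the content match over the raw payload. It generalises to any sinkhole address, and it also shows that a bare 4-byte match fires on those bytes wherever they appear in the payload (the TTL field in the last case), which is the precision caveat to keep in mind when tuning such a rule.

```python
import socket
import struct


def ip_to_suricata_content(ip: str) -> str:
    """Render a dotted-quad IPv4 address as the Suricata hex content
    (|7F 00 00 01| for 127.0.0.1) that matches the raw RDATA bytes."""
    raw = socket.inet_aton(ip)  # 4 bytes, network byte order
    return "|" + " ".join(f"{b:02X}" for b in raw) + "|"


def build_a_response(qname: str, ip: str, txid: int = 0x1234, ttl: int = 60) -> bytes:
    """Build a minimal, constructed DNS response with one A record:
    12-byte header, question section, one answer using name compression."""
    # flags 0x8180: standard response, recursion desired + available
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    # 0xC00C is a compression pointer back to the name at offset 12 (the question)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


def content_matches(payload: bytes, content: str) -> bool:
    """Emulate the content keyword for a pure hex pattern: a byte-substring
    search anywhere in the payload, with no field awareness."""
    pattern = bytes.fromhex(content.strip("|"))
    return pattern in payload


def sinkhole_alert(payload: bytes, sinkhole_ip: str = "127.0.0.1") -> bool:
    """True when the rule from the answer would fire on this payload."""
    return content_matches(payload, ip_to_suricata_content(sinkhole_ip))


if __name__ == "__main__":
    print(ip_to_suricata_content("127.0.0.1"))
    print(sinkhole_alert(build_a_response("bad.com", "127.0.0.1")))        # True
    print(sinkhole_alert(build_a_response("example.org", "93.184.216.34")))  # False
    # Same bytes in the TTL field rather than RDATA: the pattern still matches.
    print(sinkhole_alert(build_a_response("example.org", "93.184.216.34", ttl=0x7F000001)))
```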