ContextQMD
Back to Suricata

mDNS Keywords

doc/userguide/rules/mdns-keywords.rst

latest2.6 KB
Original Source

mDNS Keywords

Suricata supports sticky buffers for efficiently matching on specific fields in mDNS (Multicast DNS) messages.

Note that sticky buffers are expected to be followed by one or more :doc:payload-keywords.

mdns.queries.rrname

mdns.queries.rrname is a sticky buffer that is used to look at the name field in mDNS query resource records.

The buffer being matched on contains the complete re-assembled resource name, for example "host.local".

mdns.queries.rrname supports :doc:multi-buffer-matching.

Example::

alert udp any any -> any 5353 (msg:"mDNS query for .local domain";
mdns.queries.rrname; content:".local"; sid:1;)

mdns.answers.rrname

mdns.answers.rrname is a sticky buffer that is used to look at the name field in mDNS answer resource records.

The buffer being matched on contains the complete re-assembled resource name, for example "printer.local".

mdns.answers.rrname supports :doc:multi-buffer-matching.

Example::

alert udp any 5353 -> any any (msg:"mDNS answer for printer.local";
mdns.answers.rrname; content:"printer.local"; sid:2;)

mdns.authorities.rrname

mdns.authorities.rrname is a sticky buffer that is used to look at the rrname field in mDNS authority resource records.

The buffer being matched on contains the complete re-assembled resource name, for example "device.local".

mdns.authorities.rrname supports :doc:multi-buffer-matching.

Example::

alert udp any 5353 -> any any (msg:"mDNS authority record check";
mdns.authorities.rrname; content:"auth.local"; sid:3;)

mdns.additionals.rrname

mdns.additionals.rrname is a sticky buffer that is used to look at the rrname field in mDNS additional resource records.

The buffer being matched on contains the complete re-assembled resource name, for example "service.local".

mdns.additionals.rrname supports :doc:multi-buffer-matching.

Example::

alert udp any any -> any 5353 (msg:"mDNS additional record check";
mdns.additionals.rrname; content:"_companion-link._tcp.local"; nocase; sid:4;)

mdns.response.rrname

mdns.response.rrname is a sticky buffer that is used to inspect all the rrname fields in a response, in the queries, answers, additionals and authorities. Additionally it will also inspect rdata fields that have the same format as an rrname (hostname).

rdata types that will be inspected are:

  • CNAME
  • PTR
  • MX
  • NS
  • SOA

Example::

alert udp any 5353 -> any any (msg:"mDNS answer data match";
mdns.response.rrname; content:"Apple TV"; sid:5;)