From: Victor Julien <victor@inliniac.net>
Date: Sat, 20 Apr 2013 17:38:43 +0000 (+0200)
Subject: DNS: add event rules file
X-Git-Tag: suricata-2.0beta1~74
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4f20f72f4d1cba9f3403f9dc8f6bad9bd6f63228;p=thirdparty%2Fsuricata.git

DNS: add event rules file
---

diff --git a/rules/dns.rules b/rules/dns.rules
new file mode 100644
index 0000000000..030628d56b
--- /dev/null
+++ b/rules/dns.rules
@@ -0,0 +1,11 @@
+# Response (answer) we didn't see a Request for. Could be packet loss.
+alert dns any any -> any any (msg:"SURICATA DNS Unsollicited response"; flow:to_client; app-layer-event:dns.unsollicited_response; sid:2240001; rev:1;)
+# Malformed data in request. Malformed means length fields are wrong, etc.
+alert dns any any -> any any (msg:"SURICATA DNS malformed request data"; flow:to_client; app-layer-event:dns.malformed_data; sid:2240002; rev:1;)
+alert dns any any -> any any (msg:"SURICATA DNS malformed response data"; flow:to_server; app-layer-event:dns.malformed_data; sid:2240003; rev:1;)
+# Response flag set on to_server packet
+alert dns any any -> any any (msg:"SURICATA DNS Not a request"; flow:to_server; app-layer-event:dns.not_a_request; sid:2240004; rev:1;)
+# Response flag not set on to_client packet
+alert dns any any -> any any (msg:"SURICATA DNS Not a response"; flow:to_client; app-layer-event:dns.not_a_response; sid:2240005; rev:1;)
+# Z flag (reserved) not 0
+alert dns any any -> any any (msg:"SURICATA DNS Z flag set"; app-layer-event:dns.z_flag_set; sid:2240006; rev:1;)