dns_a.yml

name: DNS A Request
description: Check that at least one of the IPv4 addresses present in DNS response
  to type A request is present in the flow.
requirements:
  protocols: [dns]
marks: [dns]
pcap: dns_a.pcap
probe:
  protocols: [dns]
at_least_one: [dns_id, dns_flags, dns_req_query_type, dns_req_query_class, dns_req_query_name,
  dns_resp_rcode, dns_resp_rr.name, dns_resp_rr.type, dns_resp_rr.class, dns_resp_rr.ttl,
  dns_resp_rr.data, dns_resp_rr.flowmon_data]

flows:
  - src_ip: 192.168.21.89
    dst_ip: 192.168.197.92
    ip_version: 4
    protocol: 17
    bytes: 67
    bytes@rev: 99
    packets: 1
    packets@rev: 1
    src_port: 40980
    dst_port: 53
    dns_id: 14402
    _forward:
      dns_flags: 0x0100
      dns_req_query_type: 1
      dns_req_query_class: 1
      dns_req_query_name: newportconceptsla.com
    _reverse:
      dns_flags: 0x8180
      dns_resp_rcode: 0
      dns_resp_rr:
        - name: newportconceptsla.com
          type: 1
          class: 1
          ttl: 136
          data: 192.168.73.162
          flowmon_data: '0xC0A849A2'
        - name: newportconceptsla.com
          type: 1
          class: 1
          ttl: 136
          data: 192.168.215.181
          flowmon_data: '0xC0A8D7B5'