-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathdns_srv.yml
40 lines (39 loc) · 1.17 KB
/
dns_srv.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
name: DNS SRV Request
description: Check that at least one of the SRV servers are present in DNS response
to type SRV request is present in the flow.
requirements:
protocols: [dns]
marks: [dns]
pcap: dns_srv.pcap
probe:
protocols: [dns]
at_least_one: [dns_id, dns_flags, dns_req_query_type, dns_req_query_class, dns_req_query_name,
dns_resp_rcode, dns_resp_rr.name, dns_resp_rr.type, dns_resp_rr.class, dns_resp_rr.ttl,
dns_resp_rr.data, dns_resp_rr.flowmon_data]
flows:
- src_ip: 192.168.122.190
dst_ip: 192.168.122.189
ip_version: 4
protocol: 17
bytes: 83
bytes@rev: 131
packets: 1
packets@rev: 1
src_port: 55245
dst_port: 53
dns_id: 58778
_forward:
dns_flags: 0x0100
dns_req_query_type: 33
dns_req_query_class: 1
dns_req_query_name: _kerberos._udp.SAMBA.WINDOWS8.PRIVATE
_reverse:
dns_flags: 0x8580
dns_resp_rcode: 0
dns_resp_rr:
- name: _kerberos._udp.SAMBA.WINDOWS8.PRIVATE
type: 33
class: 1
ttl: 900
data: 0 100 88 s4dc1.samba.windows8.private
flowmon_data: '0x00000064005873346463312E73616D62612E77696E646F7773382E70726976617465'