author | bmeeks8 <bmeeks8@bellsouth.net> | 2014-09-01 16:27:09 -0400 |
---|---|---|
committer | bmeeks8 <bmeeks8@bellsouth.net> | 2014-09-01 16:27:09 -0400 |
commit | 56f7c116d00eea10ef796ac41c477330a4d1daac (patch) | |
tree | 0203b1da8e5d8947002e2ad3a39e9e8cccad9754 /config/suricata/dns-events.rules | |
parent | 93b31c59eaa2dbde1720fa85ee42c53b46db2cab (diff) | |
Include new 'dns-events.rules' file for Suricata 2.0.3
Diffstat (limited to 'config/suricata/dns-events.rules')
-rw-r--r-- | config/suricata/dns-events.rules | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/config/suricata/dns-events.rules b/config/suricata/dns-events.rules
new file mode 100644
index 00000000..693f2f1b
--- /dev/null
+++ b/config/suricata/dns-events.rules
@@ -0,0 +1,15 @@
+# Response (answer) we didn't see a Request for. Could be packet loss.
+alert dns any any -> any any (msg:"SURICATA DNS Unsollicited response"; flow:to_client; app-layer-event:dns.unsollicited_response; sid:2240001; rev:1;)
+# Malformed data in request. Malformed means length fields are wrong, etc.
+alert dns any any -> any any (msg:"SURICATA DNS malformed request data"; flow:to_client; app-layer-event:dns.malformed_data; sid:2240002; rev:1;)
+alert dns any any -> any any (msg:"SURICATA DNS malformed response data"; flow:to_server; app-layer-event:dns.malformed_data; sid:2240003; rev:1;)
+# Response flag set on to_server packet
+alert dns any any -> any any (msg:"SURICATA DNS Not a request"; flow:to_server; app-layer-event:dns.not_a_request; sid:2240004; rev:1;)
+# Response flag not set on to_client packet
+alert dns any any -> any any (msg:"SURICATA DNS Not a response"; flow:to_client; app-layer-event:dns.not_a_response; sid:2240005; rev:1;)
+# Z flag (reserved) not 0
+alert dns any any -> any any (msg:"SURICATA DNS Z flag set"; app-layer-event:dns.z_flag_set; sid:2240006; rev:1;)
+# Request Flood Detected
+alert dns any any -> any any (msg:"SURICATA DNS request flood detected"; flow:to_server; app-layer-event:dns.flooded; sid:2240007; rev:1;)
+# Per-flow (state) memcap reached. Relates to the app-layer.protocols.dns.state-memcap setting.
+alert dns any any -> any any (msg:"SURICATA DNS flow memcap reached"; flow:to_server; app-layer-event:dns.state_memcap_reached; sid:2240008; rev:2;) |
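Review bot: The flow direction on sid:2240002 and sid:2240003 looks swapped relative to their msg text: "malformed request data" carries `flow:to_client` and "malformed response data" carries `flow:to_server`, whereas the rest of the file (sid:2240004 "Not a request" with `flow:to_server`, sid:2240005 "Not a response" with `flow:to_client`) treats a request as to_server. As written, a malformed request would fire the "response" alert and vice versa, which mislabels the event for anyone triaging DNS parser alerts. If this mirrors the upstream Suricata 2.0.3 file verbatim, a comment such as `# NOTE: direction keywords on 2240002/2240003 copied from upstream; verify against msg before relying on them` would at least flag it; if it is corrected here, bump `rev:` on both sids so rule managers pick up the change. Minor: "Unsollicited" in sid:2240001 is misspelled in the msg, but since the msg string is what appears in alert output and is shared with upstream, leave it unless upstream also changes it.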