DNS rule format feedback

[zoomequipd]

a couple of things regarding the dns rules

alert dns $HOME_NET any -> any any (msg:"AT Related Malicious Domain (www[.]enduluxe[.]com/) in DNS Lookup"; dns.query; content:"www.enduluxe.com"; isdataat:!1,relative; reference:url,phishstats.info; reference:url,github.com/julioliraup/Antiphishing; classtype:social-engineering; sid:6000016; rev:1; metadata: signature_severity Major;)

1. you might consider truncating www. off the domain and using dotprefix transformations and endswith modifier.

In many cases, domains controlled by phishing actors will setup several subdomains. For example in the referenced signature, this domain was observed with subdomain in the past (it was a LONG time ago, but proves the point nontheless) https://urlscan.io/search/#page.domain%3Aenduluxe.com

2. if the intention is to match "exact" domains, this is fine, but consider using the bsize modifier to actually make it exact.

3. defang domains by using a space instead of the [.] as per the [Suricata Community Style Guide
   (https://github.com/sidallocation/suricata-style-guide/blob/main/style-guide.md)

Defang domain names by using a space before the label separator to avoid accidental information leaks
   Example: Observed Malicious Win32/Badhombre DNS Query (tromf .mx)

4. remove the trailing / from the domain in the MSG
   www[.]enduluxe[.]com/ --> www[.]enduluxe[.]com

---

Proposed format of exact match

alert dns $HOME_NET any -> any any (msg:"AT Related Malicious Domain (www .enduluxe .com) in DNS Lookup"; dns.query; bsize:16; content:"www.enduluxe.com";  reference:url,phishstats.info; reference:url,github.com/julioliraup/Antiphishing; classtype:social-engineering; sid:6000016; rev:1; metadata: signature_severity Major;)

Proposed format of non-exact match

alert dns $HOME_NET any -> any any (msg:"AT Related Malicious Domain (www .enduluxe .com) in DNS Lookup"; dns.query; dotprefix; content:".enduluxe.com"; endswith; reference:url,phishstats.info; reference:url,github.com/julioliraup/Antiphishing; classtype:social-engineering; sid:6000016; rev:1; metadata: signature_severity Major;)

[zoomequipd]

you might consider truncating www. off the domain and using dotprefix transformations and endswith modifier.
In many cases, domains controlled by phishing actors will setup several subdomains. For example in the referenced signature, this domain was observed with subdomain in the past (it was a LONG time ago, but proves the point nonetheless) https://urlscan.io/search/#page.domain%3Aenduluxe.com

It looks like you do this with the TLS rules on thetls.sni buffer, so probably worth doing here as well. Same concept.

[julioliraup]

Gg, i'll apply its changes. About subdomains, I can't think of a solution that automatically removes the subdomain without affecting trusted sites like github.io, for example. I'll follow Suricata style guide!

[zoomequipd]

About subdomains, I can't think of a solution that automatically removes the subdomain without affecting trusted sites like github.io, for example.

you might check out the Public Suffix List, which is design to solve this problem. There are many python libraries that make use of it.

[julioliraup]

Do you think these changes address the points raised in your feedback? @zoomequipd

[zoomequipd]

Have you considered using urllib.parse to do your domain/path/etc extraction instead of manually parsing it?

[julioliraup]

Yes, I think it would be good for the future, if we were to add more complexity to the code it would be even better

[julioliraup]

you might check out the Public Suffix List, which is design to solve this problem. There are many python libraries that make use of it.

Thanks, I understand, but I need a whitelist to avoid false positives.

[julioliraup]

I can make it searching: if more than 3 subdomain of tld then make a rule