8.19. LLMNR Keywords
Suricata supports sticky buffers for matching on specific fields in LLMNR (Link-Local Multicast Name Resolution) messages.
Note that sticky buffers are expected to be followed by one or more Payload Keywords.
8.19.1. llmnr.queries.rrname
llmnr.queries.rrname is a sticky buffer that is used to look at the name field in LLMNR query resource records.
llmnr.queries.rrname will look at both requests and responses, so the flow keyword is recommended to confine matching to a specific direction.
The buffer being matched on contains the complete re-assembled resource name, for example "workstation.local".
llmnr.queries.rrname supports Multiple Buffer Matching.
  alert llmnr any any -> any 5355 (msg:"LLMNR query for workstation"; flow:to_server; llmnr.queries.rrname; content:"workstation"; nocase; sid:1;)
8.19.2. llmnr.answers.rrname
llmnr.answers.rrname is a sticky buffer that is used to look at the name field in LLMNR answer resource records.
llmnr.answers.rrname will look at both requests and responses, so the flow keyword is recommended to confine matching to a specific direction.
The buffer being matched on contains the complete re-assembled resource name, for example "server.local".
llmnr.answers.rrname supports Multiple Buffer Matching.
  alert llmnr any 5355 -> any any (msg:"LLMNR answer for server.local"; flow:to_client; llmnr.answers.rrname; content:"server.local"; sid:2;)
8.19.4. llmnr.additionals.rrname
llmnr.additionals.rrname is a sticky buffer that is used to look at the rrname field in LLMNR additional resource records.
llmnr.additionals.rrname will look at both requests and responses, so the flow keyword is recommended to confine matching to a specific direction.
The buffer being matched on contains the complete re-assembled resource name, for example "ns.local".
llmnr.additionals.rrname supports Multiple Buffer Matching.
  alert llmnr any any -> any 5355 (msg:"LLMNR additional record check"; llmnr.additionals.rrname; content:"ns.local"; sid:4;)
8.19.5. llmnr.response.rrname
llmnr.response.rrname is a sticky buffer that is used to inspect all the rrname fields in a response: those in the queries, answers, additionals and authorities sections. It also inspects rdata fields that have the same format as an rrname (a hostname).
The rdata types that will be inspected are:
CNAME
PTR
MX
NS
SOA
  alert llmnr any 5355 -> any any (msg:"LLMNR response contains suspicious domain"; flow:to_client; llmnr.response.rrname; content:"malicious"; nocase; sid:5;)
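To make concrete which names the buffers above expose, the following added example (not Suricata's own code) walks a constructed LLMNR message and collects the re-assembled rrname of every query, answer, authority and additional record, plus the hostname-formatted rdata that llmnr.response.rrname additionally inspects; the "rdata" key, the helper names and the sample bytes are this example's own assumptions, not Suricata identifiers.

```python
import struct

# rdata types whose data is itself a hostname, as listed for llmnr.response.rrname
NAME_RDATA = {2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX"}

def read_name(msg, off):
    """Decode a DNS-style name at off (compression pointers handled); return (name, next_off)."""
    labels, end = [], None                      # end: offset just after the first pointer seen
    while (length := msg[off]) != 0:
        if length & 0xC0 == 0xC0:               # pointer to an earlier copy of the name
            end = off + 2 if end is None else end
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
        else:
            labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
            off += 1 + length
    return ".".join(labels), (off + 1 if end is None else end)

def extract_rrnames(msg):
    """Return the names each llmnr.*.rrname buffer would expose for one LLMNR message."""
    _, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off, out = 12, {"queries": [], "answers": [], "authorities": [], "additionals": [], "rdata": []}
    for _ in range(qd):
        name, off = read_name(msg, off)
        out["queries"].append(name)
        off += 4                                  # skip qtype and qclass
    for section, count in (("answers", an), ("authorities", ns), ("additionals", ar)):
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10
            out[section].append(name)
            if rtype in NAME_RDATA:               # MX rdata starts with a 2-byte preference
                target, nxt = read_name(msg, off + (2 if rtype == 15 else 0))
                out["rdata"].append(target)
                if rtype == 6:                    # SOA carries a second name (RNAME)
                    out["rdata"].append(read_name(msg, nxt)[0])
            off += rdlen
    # llmnr.response.rrname covers every section plus hostname rdata, for responses only (QR bit set)
    out["response"] = sum(out.values(), []) if flags & 0x8000 else []
    return out

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"

# Constructed LLMNR response (not a real capture): QR=1, one query, one A answer whose
# name is a compression pointer (0xC00C) to the query name, one CNAME additional record.
SAMPLE = (struct.pack("!6H", 0x1234, 0x8000, 1, 1, 0, 1)
          + encode_name("workstation.local") + struct.pack("!HH", 1, 1)
          + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4) + bytes([10, 0, 0, 5])
          + encode_name("server.local") + struct.pack("!HHIH", 5, 1, 30, 10) + encode_name("ns.local"))
```

For SAMPLE, extract_rrnames returns "workstation.local" under queries and answers, "server.local" under additionals and "ns.local" as CNAME rdata, all of which llmnr.response.rrname would see; the same message with the QR bit clear yields an empty "response" list.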