8.16. mDNS Keywords
Suricata supports sticky buffers for efficiently matching on specific fields in mDNS (Multicast DNS) messages.
Note that sticky buffers are expected to be followed by one or more Payload Keywords.
8.16.1. mdns.queries.rrname
mdns.queries.rrname is a sticky buffer that is used to look at the name field in mDNS query resource records.
The buffer being matched on contains the complete re-assembled resource name, for example "host.local".
mdns.queries.rrname supports Multiple Buffer Matching.
Example:
alert udp any any -> any 5353 (msg:"mDNS query for .local domain"; \
mdns.queries.rrname; content:".local"; sid:1;)
8.16.2. mdns.answers.rrname
mdns.answers.rrname is a sticky buffer that is used to look at the name field in mDNS answer resource records.
The buffer being matched on contains the complete re-assembled resource name, for example "printer.local".
mdns.answers.rrname supports Multiple Buffer Matching.
Example:
alert udp any 5353 -> any any (msg:"mDNS answer for printer.local"; \
mdns.answers.rrname; content:"printer.local"; sid:2;)
8.16.4. mdns.additionals.rrname
mdns.additionals.rrname is a sticky buffer that is used to look at the rrname field in mDNS additional resource records.
The buffer being matched on contains the complete re-assembled resource name, for example "service.local".
mdns.additionals.rrname supports Multiple Buffer Matching.
Example:
alert udp any any -> any 5353 (msg:"mDNS additional record check"; \
mdns.additionals.rrname; content:"_companion-link._tcp.local"; nocase; sid:4;)
8.16.5. mdns.response.rrname
mdns.response.rrname is a sticky buffer that is used to inspect all the rrname fields in a response: those in the queries, answers, additionals and authorities sections. It also inspects rdata fields that have the same format as an rrname (a hostname). The rdata types that will be inspected are: CNAME, PTR, MX, NS and SOA.
Example:
alert udp any 5353 -> any any (msg:"mDNS answer data match"; \
mdns.response.rrname; content:"Apple TV"; sid:5;)
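As an added illustration that is not part of the Suricata documentation or source, the following Python script parses two constructed mDNS messages, reassembles compressed names into the complete form the buffers above present (for example "Printer._http._tcp.local" built from a label plus a compression pointer), and emulates which strings each keyword exposes, including the rdata names that only mdns.response.rrname covers. The sample messages, the buffers_for and content_matches helpers and the way matching is emulated are assumptions made for this example; they show why a content match can succeed on one buffer and fail on another, but they are not Suricata's own matching code.

```python
import struct

# Record types whose rdata carries a host name, and which mdns.response.rrname
# therefore also inspects (per the section above); type codes are from RFC 1035.
RDATA_NAME_TYPES = {2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX"}


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


# Constructed sample messages (not captured traffic): a query for host.local and a
# response carrying a PTR answer whose rdata uses a compression pointer, plus an A
# additional record. 192.0.2.10 is from the documentation address range.
SAMPLE_QUERY = (
    struct.pack("!HHHHHH", 0, 0x0000, 1, 0, 0, 0)            # header: QDCOUNT=1
    + encode_name("host.local") + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
)
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 1)  # response, ANCOUNT=1, ARCOUNT=1
    + encode_name("_http._tcp.local")              # answer rrname at offset 12
    + struct.pack("!HHIH", 12, 0x8001, 4500, 10)   # PTR, cache-flush|IN, TTL, RDLENGTH
    + b"\x07Printer" + b"\xc0\x0c"                 # rdata: "Printer" + pointer to offset 12
    + encode_name("printer.local")                 # additional rrname
    + struct.pack("!HHIH", 1, 0x8001, 120, 4)      # A, cache-flush|IN, TTL, RDLENGTH
    + bytes([192, 0, 2, 10])
)


def read_name(msg, offset):
    """Reassemble a possibly compressed name starting at offset.

    Returns (name, offset just past the name in the original stream). Pointers
    must point backwards and are bounded, so looping or forward pointers raise.
    """
    labels, end, hops = [], None, 0
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, 14-bit offset
            if offset + 1 >= len(msg):
                raise ValueError("truncated pointer")
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            hops += 1
            if hops > 64 or pointer >= offset:
                raise ValueError("bad compression pointer")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_sections(msg):
    """Collect rrnames per section plus host names found in rdata of the types
    listed above; together these are what mdns.response.rrname exposes."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    out = {"queries": [], "answers": [], "authorities": [], "additionals": [], "rdata": []}
    offset = 12
    for _ in range(qd):
        name, offset = read_name(msg, offset)
        out["queries"].append(name)
        offset += 4  # skip QTYPE and QCLASS
    for section, count in (("answers", an), ("authorities", ns), ("additionals", ar)):
        for _ in range(count):
            name, offset = read_name(msg, offset)
            rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
            offset += 10
            out[section].append(name)
            if rtype in RDATA_NAME_TYPES:
                pos = offset + 2 if rtype == 15 else offset  # MX: skip the preference field
                rname, pos = read_name(msg, pos)
                out["rdata"].append(rname)
                if rtype == 6:  # SOA carries two names: MNAME then RNAME
                    out["rdata"].append(read_name(msg, pos)[0])
            offset += rdlength
    return out


def buffers_for(keyword, sections):
    """Strings a sticky buffer exposes (assumed from the keyword descriptions)."""
    if keyword == "mdns.response.rrname":
        return [n for key in ("queries", "answers", "authorities", "additionals", "rdata")
                for n in sections[key]]
    return sections[keyword.split(".")[1]]


def content_matches(keyword, content, sections, nocase=False):
    """Multiple Buffer Matching: true if any buffer instance contains the content."""
    for buf in buffers_for(keyword, sections):
        hay, needle = (buf.lower(), content.lower()) if nocase else (buf, content)
        if needle in hay:
            return True
    return False


if __name__ == "__main__":
    for msg in (SAMPLE_QUERY, SAMPLE_RESPONSE):
        print(parse_sections(msg))
```

Run against the sample response, mdns.answers.rrname with content "printer.local" does not match (the only answer rrname is "_http._tcp.local"), while mdns.additionals.rrname does, and mdns.response.rrname with content "Printer" matches through the PTR rdata name that none of the per-section buffers expose. The pointer checks in read_name are the part worth keeping in any real parser: a forward or self-referencing pointer is the classic way a malformed message sends a naive decoder into a loop.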