What is the "Large" threshold for ET Malware Large DNS Query possible covert channel per image below
-
Wonder if anyone can answer this question. I see a lot of these and am trying to find what the threshold is for Suricata to determine "Large". See image.
-
You will need to go ask the author of that particular rule: SID 2013075, authored by the Emerging Threats team. Suricata itself has no setting for that. It is completely up to the rule to set its own detection limits. If you view the full rule text you can probably decipher the value.
-
@stanwij1 I wonder if that is port 53 or DoH
-
@stanwij1
https://chatgpt.com/
what is suricata rule 2013075
Suricata rule 2013075 is a rule designed to detect network traffic associated with the C&C (Command and Control) communication of malware. Specifically, this rule is meant to detect possible communications from a malware sample to a command and control server using HTTP as the communication protocol.
The rule is part of Suricata’s signature-based detection for potential malicious activity. In this case, it focuses on identifying unusual or suspicious HTTP traffic patterns, often tied to botnets or other forms of malware that rely on HTTP-based C&C communications.
what is suricata rule "ET MALWARE Large DNS Query possible covert channel"
The Suricata rule "ET MALWARE Large DNS Query possible covert channel" is a rule designed to detect potential malware activity that uses DNS queries as a covert communication channel.
Explanation:
ET MALWARE: This indicates that the rule is part of the "Emerging Threats" (ET) signature set, which focuses on detecting malware-related traffic or behavior.
Large DNS Query: This suggests that the DNS query in question is unusually large. DNS queries typically contain small amounts of data (like domain names), but in some cases, malware might use DNS queries with larger payloads, which can be a sign of malicious activity.
Possible Covert Channel: A covert channel refers to a method used by malware to bypass security mechanisms by hiding data inside legitimate traffic. DNS, being a commonly used protocol for legitimate purposes, can sometimes be exploited by attackers to transmit data or control commands stealthily.
Why It’s Important:
Malware can use DNS queries to communicate with a command-and-control (C&C) server, exfiltrate data, or receive instructions. By embedding large or unusual data in DNS queries, attackers can avoid detection by blending in with normal DNS traffic. This rule is designed to catch those suspicious large DNS queries, which could indicate that such covert communication is taking place.
How It Works:
The rule triggers when a DNS query exceeds a certain size threshold, as large queries are unusual and could signal that the DNS protocol is being used for non-standard, potentially malicious purposes.
It is part of a broader effort to detect "DNS tunneling," a technique where attackers use DNS to bypass network filters or firewalls.
In summary, the "ET MALWARE Large DNS Query possible covert channel" rule is meant to flag large DNS queries, which could be indicative of malware trying to communicate or exfiltrate data in a covert manner using DNS.
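The earlier answer is right that the "Large" limit lives in the rule text, not in Suricata's config; in ET rules a payload-size limit is normally written as a dsize option. The added example below (not from this thread or from Emerging Threats) pulls the dsize constraint out of a rule and measures two DNS queries against it. The SAMPLE_RULE is constructed for illustration with a placeholder threshold and a placeholder sid, so it is not the real text of SID 2013075; look that up in your own rules file.

```python
import re
import struct

# Constructed rule in Emerging Threats style. It is NOT the real text of
# SID 2013075: the dsize value and the sid here are placeholders.
SAMPLE_RULE = (
    'alert udp $HOME_NET any -> any 53 '
    '(msg:"ET MALWARE Large DNS Query possible covert channel"; '
    'dsize:>180; classtype:bad-unknown; sid:9000001; rev:1;)'
)
# dsize forms: dsize:>N  dsize:<N  dsize:N  dsize:!N  dsize:LO<>HI
_DSIZE_RE = re.compile(r"dsize:\s*(?:(?P<lo>\d+)\s*<>\s*(?P<hi>\d+)|(?P<op>[<>!]?)\s*(?P<n>\d+))\s*;")

def parse_dsize(rule):
    """Return the dsize constraint as (op, value), or None if the rule has none.
    dsize is compared with the whole UDP/TCP payload, i.e. the entire DNS message."""
    m = _DSIZE_RE.search(rule)
    if not m:
        return None  # the limit may instead be expressed via byte_test/isdataat
    if m.group("lo"):
        return ("<>", (int(m.group("lo")), int(m.group("hi"))))
    return (m.group("op") or "=", int(m.group("n")))

def dsize_matches(spec, size):
    """Evaluate a parsed dsize spec against a payload length in bytes."""
    op, v = spec
    if op == "<>":
        return v[0] < size < v[1]
    return {">": size > v, "<": size < v, "!": size != v, "=": size == v}[op]

def build_dns_query(qname):
    """Return the wire bytes of a minimal recursive DNS A query for qname."""
    header = struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    name = b""
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1-63 bytes")
        name += bytes([len(raw)]) + raw
    return header + name + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def rule_fires_on(rule, qname):
    """True when the rule's dsize constraint matches a query for qname."""
    spec = parse_dsize(rule)
    return spec is not None and dsize_matches(spec, len(build_dns_query(qname)))

if __name__ == "__main__":
    for q in ("example.com", ".".join(["a" * 60] * 3) + ".example.com"):
        print(f"{len(build_dns_query(q)):4d} bytes, fires={rule_fires_on(SAMPLE_RULE, q)}: {q[:40]}")
```

Run the same parser over the real rule text from your emerging-all.rules to read the actual threshold; a short name like example.com stays well under any sane limit, while a query padded with long labels is what pushes the payload over it.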