id: ptr-fingerprint

info:
  name: PTR Detected
  author: pdteam
  severity: info
  description: A PTR record was detected. A PTR record refers to the domain name.
  classification:
    cwe-id: CWE-200
  metadata:
    max-request: 1
  tags: dns,ptr

dns:
  - name: "{{FQDN}}"
    type: PTR
    matchers:
      - type: regex
        part: answer
        regex:
          - "IN\tPTR\\t(.+)$"

    extractors:
      - type: regex
        group: 1
        regex:
          - "IN\tPTR\t(.+)"

# digest: 490a00463044022028a8f25e5f2d2d00e9aa403a801265be54f6889185388c416baef105d9b58193022011b971c138e5bf8e83bd52bc68b65f3c7ac9c81a43320629549465a1bc8be1d3:922c64590222798bb761d5b6d8e72950