[Snort-devel] snort dns Preprocessor

rohan dora dora.rohan at ...2499...
Fri May 6 07:16:56 EDT 2016


Thanks Seshaiah, I have added code (a simple if condition) in ProcessDns to
track DNS queries.

p = (SFSnortPacket*) packetPtr;

   if(p->src_port==53) printf("DNS Response\n");
   if(p->dst_port==53) printf("DNS Request\n");

After adding it, I run make and make install, and then use nslookup to issue a
DNS query.

However, I never see "DNS Request" printed on the console.

So how will we track the DNS requests, because I think Snort is handling the
packet sniffing/capture part (the user needn't look for it)?

Please correct me if I am going wrong.




On Fri, May 6, 2016 at 11:16 AM, Seshaiah Erugu (serugu) <serugu at ...3461...>
wrote:

> Hi Rohan,
>
>
>
> As you said, currently the DNS preprocessor is inspecting/tracking responses
> from the DNS server.
>
> If you want to track DNS queries from client to server, you can add code
> in spp_dns.c (ProcessDNS function).
>
>
>
>
>
> Thanks,
>
> Seshaiah Erugu.
>
>
>
> *From:* rohan dora [mailto:dora.rohan at ...2499...]
> *Sent:* Friday, May 06, 2016 10:15 AM
> *To:* snort-devel at lists.sourceforge.net; snort-users at lists.sourceforge.net
> *Subject:* [Snort-devel] snort dns Preprocessor
>
>
>
> Hello all,
>
> I was browsing through the code of the *DNS Dynamic preprocessor* (*spp_dns.c*)
> of Snort 2.9.1.
>
> *Objective*
>
> To count the number of DNS queries that are made by my machine to the DNS
> server (may be local/remote, doesn't matter).
>
> *Problem*
>
> Right now, the DNS Dynamic preprocessor is able to track responses that are
> coming from the DNS server to my machine, *however it is not able to track/see
> the DNS queries that my machine makes*.
>
> I know that the DNS preprocessor is meant for analysing the responses of the
> remote server, but I added some code (some if conditions, print statements) to
> track DNS queries.
>
> Anyone having ideas what could be the problem, or is this the right
> approach (modifying code in spp_dns.c)?
>
> Thanks
>
>
>
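
Added example, not part of the original thread and not Snort's own code: a stand-alone C program that counts DNS queries and responses by the QR bit of the DNS header rather than by port number alone. The function names, the counter struct and the two sample packets are constructed for illustration, and ports are assumed to be in host byte order.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DNS_PORT    53
#define DNS_HDR_LEN 12    /* fixed DNS header size (RFC 1035, section 4.1.1) */
#define DNS_FLAG_QR 0x80  /* top bit of header byte 2: 0 = query, 1 = response */

enum dns_dir { DNS_NONE, DNS_QUERY, DNS_RESPONSE };
struct dns_counts { unsigned queries, responses, skipped; };

/* Ports only select candidate traffic; the QR bit decides query vs response. */
enum dns_dir classify_dns(uint16_t sport, uint16_t dport,
                          const uint8_t *payload, size_t len)
{
    if (sport != DNS_PORT && dport != DNS_PORT)
        return DNS_NONE;
    if (payload == NULL || len < DNS_HDR_LEN)
        return DNS_NONE;               /* too short to hold a DNS header */
    return (payload[2] & DNS_FLAG_QR) ? DNS_RESPONSE : DNS_QUERY;
}

void count_dns(struct dns_counts *c, uint16_t sport, uint16_t dport,
               const uint8_t *payload, size_t len)
{
    switch (classify_dns(sport, dport, payload, len)) {
    case DNS_QUERY:    c->queries++;   break;
    case DNS_RESPONSE: c->responses++; break;
    default:           c->skipped++;   break;
    }
}

/* Constructed samples: an A query for "a.test" and its NXDOMAIN response. */
static const uint8_t sample_query[] = {
    0x12,0x34, 0x01,0x00, 0,1, 0,0, 0,0, 0,0,
    1,'a', 4,'t','e','s','t', 0, 0,1, 0,1 };
static const uint8_t sample_response[] = {
    0x12,0x34, 0x81,0x83, 0,1, 0,0, 0,0, 0,0,
    1,'a', 4,'t','e','s','t', 0, 0,1, 0,1 };

int main(void)
{
    struct dns_counts c = {0, 0, 0};
    count_dns(&c, 40000, 53, sample_query, sizeof sample_query);
    count_dns(&c, 53, 40000, sample_response, sizeof sample_response);
    count_dns(&c, 40000, 53, sample_query, 5);   /* truncated packet */
    printf("queries=%u responses=%u skipped=%u\n", c.queries, c.responses, c.skipped);
    return 0;
}
```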