[Snort-devel] snort dns Preprocessor
Seshaiah Erugu (serugu)
serugu at ...3461...
Sat May 7 09:21:51 EDT 2016
Can you try with the packet direction flag? Please print REQUEST if the packet direction is from CLIENT.
From: rohan dora [mailto:dora.rohan at ...2499...]
Sent: Friday, May 06, 2016 4:47 PM
To: Seshaiah Erugu (serugu) <serugu at ...3461...>
Cc: snort-devel at lists.sourceforge.net; snort-users at lists.sourceforge.net
Subject: Re: [Snort-devel] snort dns Preprocessor
Thanks Seshaiah, I have added code (a simple if condition) in ProcessDNS to track DNS queries.
p = (SFSnortPacket *) packetPtr;
if (p->src_port == 53) printf("DNS Response\n");   /* source port 53: packet left the DNS server */
if (p->dst_port == 53) printf("DNS Request\n");    /* destination port 53: packet headed to the DNS server */
After adding it, I do make, make install and then use nslookup to issue a DNS query.
However, I never see "DNS Request" printed on the console.
So how will we track the DNS requests, because I think Snort is handling the packet sniffing/capture part (the user needn't look for it)?
Please correct me if I am going wrong.
On Fri, May 6, 2016 at 11:16 AM, Seshaiah Erugu (serugu) <serugu at ...3461...> wrote:
As you said, currently the DNS preprocessor is inspecting/tracking responses from the DNS server.
If you want to track DNS queries from client to server, you can add code in spp_dns.c (ProcessDNS function).
From: rohan dora [mailto:dora.rohan at ...2499...]
Sent: Friday, May 06, 2016 10:15 AM
To: snort-devel at lists.sourceforge.net; snort-users at lists.sourceforge.net
Subject: [Snort-devel] snort dns Preprocessor
I was browsing through the code of the DNS dynamic preprocessor (spp_dns.c) of Snort 2.9.1, to count the number of DNS queries that are made by my machine to a DNS server (may be local/remote, doesn't matter).
Right now, the DNS dynamic preprocessor is able to track responses that are coming from the DNS server to my machine; however, it is not able to track/see the DNS queries that my machine makes.
I know that the DNS preprocessor is meant for analysing the responses of the remote server, but I added some code (some if conditions, print statements) to track DNS queries.
Anyone having ideas what could be the problem, or is this the right approach (modifying code in spp_dns.c)?
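Added example for this thread (editor's illustration, not code from the thread's authors and not Snort's spp_dns.c): the three ways the discussion touches on for telling a DNS request from a response inside a preprocessor callback, side by side. classify_by_direction uses the stream direction flags the top reply suggests, classify_by_port is the test from the posted snippet, and classify_by_header reads the QR bit of the DNS header, which depends on neither ports nor stream state. DemoPacket is a constructed stand-in for SFSnortPacket carrying only the fields used here; the FLAG_FROM_CLIENT / FLAG_FROM_SERVER values are assumed (the real definitions live in sf_snort_packet.h), and the two sample packets are constructed, not captured.

```c
/* Editor's example, not Snort code. DemoPacket mimics the SFSnortPacket
 * fields used in the thread; FLAG_* values are assumed, see sf_snort_packet.h.
 * Build: cc -std=c99 -Wall dns_demo.c */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FLAG_FROM_SERVER 0x00000040u   /* assumed value */
#define FLAG_FROM_CLIENT 0x00000080u   /* assumed value */
#define DNS_HDR_LEN 12                 /* fixed DNS header size, RFC 1035 */

typedef struct {
    uint16_t       src_port;
    uint16_t       dst_port;
    uint32_t       flags;          /* FLAG_FROM_CLIENT / FLAG_FROM_SERVER, 0 if no session yet */
    const uint8_t *payload;        /* UDP payload: the DNS message */
    uint16_t       payload_size;
} DemoPacket;

typedef enum { DNS_UNKNOWN = 0, DNS_REQUEST = 1, DNS_RESPONSE = 2 } DnsKind;
typedef struct { unsigned requests, responses, other; } DnsCounters;

/* 1. Direction flags, set by stream tracking, so 0 until a session exists. */
DnsKind classify_by_direction(const DemoPacket *p)
{
    if (p->flags & FLAG_FROM_CLIENT) return DNS_REQUEST;
    if (p->flags & FLAG_FROM_SERVER) return DNS_RESPONSE;
    return DNS_UNKNOWN;
}

/* 2. Ports, as in the posted snippet; ambiguous when both ports are 53. */
DnsKind classify_by_port(const DemoPacket *p)
{
    if (p->src_port == 53 && p->dst_port == 53) return DNS_UNKNOWN;
    if (p->dst_port == 53) return DNS_REQUEST;
    if (p->src_port == 53) return DNS_RESPONSE;
    return DNS_UNKNOWN;
}

/* 3. The QR bit (top bit of byte 2) is 0 in a query and 1 in a response. */
DnsKind classify_by_header(const DemoPacket *p)
{
    if (p->payload == NULL || p->payload_size < DNS_HDR_LEN) return DNS_UNKNOWN;
    return (p->payload[2] & 0x80) ? DNS_RESPONSE : DNS_REQUEST;
}

/* Copy the first question's QNAME as dotted text. Returns 0 on success,
 * -1 on truncated or malformed input. Compression pointers are rejected. */
int dns_first_qname(const DemoPacket *p, char *out, size_t outlen)
{
    size_t i = DNS_HDR_LEN, o = 0;
    if (p->payload == NULL || p->payload_size < DNS_HDR_LEN || outlen == 0) return -1;
    if (((p->payload[4] << 8) | p->payload[5]) == 0) return -1;    /* QDCOUNT == 0 */
    for (;;) {
        uint8_t len;
        if (i >= p->payload_size) return -1;
        len = p->payload[i++];
        if (len == 0) break;
        if (len >= 0xC0 || len > 63 || i + len > p->payload_size) return -1;
        if (o + len + 1 >= outlen) return -1;                        /* label + '.' + NUL */
        if (o > 0) out[o++] = '.';
        memcpy(out + o, p->payload + i, len);
        o += len;
        i += len;
    }
    out[o] = '\0';
    return 0;
}

/* Tally a batch the way a ProcessDNS-style callback would, one packet at a
 * time: direction flag first, DNS header as fallback when no direction is known. */
DnsCounters tally(const DemoPacket *const pkts[], size_t n)
{
    DnsCounters c = {0, 0, 0};
    for (size_t k = 0; k < n; k++) {
        DnsKind kind = classify_by_direction(pkts[k]);
        if (kind == DNS_UNKNOWN) kind = classify_by_header(pkts[k]);
        if (kind == DNS_REQUEST) c.requests++;
        else if (kind == DNS_RESPONSE) c.responses++;
        else c.other++;
    }
    return c;
}

/* Constructed sample traffic: an A query for example.com and its answer. */
static const uint8_t QUERY[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0, 0x00, 0x01, 0x00, 0x01 };
static const uint8_t RESPONSE[] = {
    0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0, 0x00, 0x01, 0x00, 0x01,
    0xC0, 0x0C, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x0E, 0x10, 0x00, 0x04, 93, 184, 216, 34 };

const DemoPacket PKT_QUERY    = { 51234, 53, FLAG_FROM_CLIENT, QUERY, sizeof QUERY };
const DemoPacket PKT_RESPONSE = { 53, 51234, FLAG_FROM_SERVER, RESPONSE, sizeof RESPONSE };
const DemoPacket PKT_NODIR    = { 51234, 53, 0, QUERY, sizeof QUERY };   /* no session yet */
const DemoPacket *const SAMPLE[] = { &PKT_QUERY, &PKT_RESPONSE, &PKT_NODIR };

int main(void)
{
    char name[256];
    DnsCounters c = tally(SAMPLE, 3);
    if (dns_first_qname(&PKT_QUERY, name, sizeof name) == 0)
        printf("first query name: %s\n", name);
    printf("requests=%u responses=%u other=%u\n", c.requests, c.responses, c.other);
    return 0;
}
```

Inside a real preprocessor these classifiers would be fed `(SFSnortPacket *)packetPtr` and its `flags` field. Two practical points for the thread's problem: the direction flags only carry information once stream tracking has a session for the flow, so a lone UDP query can arrive with neither bit set (the PKT_NODIR case above), which is why the tally falls back to the QR bit; and if the added printf sits after any check in ProcessDNS that returns early for non-server traffic, it is never reached for queries regardless of which test it uses.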