[Snort-devel] snort dns Preprocessor

rohan dora dora.rohan at ...2499...
Sat May 7 09:39:07 EDT 2016


Thanks Seshaiah, I have checked that too, as per your suggestion.
However, it is never printing REQUEST.
Does Snort capture the packets that are sent out from the same machine it
is running on (I have only 1 interface, eth0)? If so, then is it ignoring the DNS
requests, or what could be the issue?
Thanks a lot

On Sat, May 7, 2016 at 6:51 PM, Seshaiah Erugu (serugu) <serugu at ...3461...>
wrote:

> Hi Rohan,
>
> Can you try with the packet direction flag? Please print REQUEST if
> the packet direction is from CLIENT.
>
> Thanks,
>
> Seshaiah Erugu.
>
> *From:* rohan dora [mailto:dora.rohan at ...2499...]
> *Sent:* Friday, May 06, 2016 4:47 PM
> *To:* Seshaiah Erugu (serugu) <serugu at ...3461...>
> *Cc:* snort-devel at lists.sourceforge.net; snort-users at lists.sourceforge.net
> *Subject:* Re: [Snort-devel] snort dns Preprocessor
>
> Thanks Seshaiah, I have added code (a simple if condition) in ProcessDNS to
> track DNS queries.
>
>    p = (SFSnortPacket*) packetPtr;
>
>    /* Classify by the well-known DNS port: a response comes from port 53,
>       a request goes to port 53. */
>    if (p->src_port == 53) printf("DNS Response\n");
>    if (p->dst_port == 53) printf("DNS Request\n");
>
> After adding this, I do make, make install and then use nslookup to issue a DNS
> query.
>
> However, I never see "DNS Request" printed on the console.
>
> So how will we track the DNS requests? Because I think Snort is handling the
> packet sniffing/capture part (the user needn't look for it).
>
> Please correct me if I am going wrong.
>
> On Fri, May 6, 2016 at 11:16 AM, Seshaiah Erugu (serugu) <serugu at ...3461...>
> wrote:
>
> Hi Rohan,
>
> As you said, currently the DNS preprocessor is inspecting/tracking responses from
> the DNS server.
>
> If you want to track DNS queries from client to server, you can add code
> in spp_dns.c (the ProcessDNS function).
>
> Thanks,
>
> Seshaiah Erugu.
>
> *From:* rohan dora [mailto:dora.rohan at ...2499...]
> *Sent:* Friday, May 06, 2016 10:15 AM
> *To:* snort-devel at lists.sourceforge.net; snort-users at lists.sourceforge.net
> *Subject:* [Snort-devel] snort dns Preprocessor
>
> Hello all,
>
> I was browsing through the code of the *DNS Dynamic preprocessor* (*spp_dns.c*)
> of Snort 2.9.1.
>
> *Objective*
>
> To count the number of DNS queries that are made by my machine to a DNS
> server (local or remote, it doesn't matter).
>
> *Problem*
>
> Right now, the DNS Dynamic preprocessor is able to track responses that are
> coming from the DNS server to my machine, *however it is not able to track/see
> the DNS queries that my machine makes*.
>
> I know that the DNS preprocessor is meant for analysing the responses of the
> remote server, but I added some code (some if conditions, print statements) to
> track DNS queries.
>
> Anyone having ideas what could be the problem, or is this the right
> approach (modifying code in spp_dns.c)?
>
> Thanks
>
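Editor's note on the thread above: the posted check keys on port 53, and the suggested alternative keys on Snort's packet direction flag, which depends on how the session was first seen. A third option that does not depend on either is the QR bit in the DNS header itself (RFC 1035, section 4.1.1): bit 7 of byte 2 is 0 for a query and 1 for a response, so a hook can classify and count messages regardless of port or stream direction. The following standalone C program is an added example written for this note; it is not code from Snort's spp_dns.c or from either poster. The two DNS messages are constructed by hand (a query for example.com and a matching answer pointing at 192.0.2.1), and `dns_classify`, `dns_qdcount`, `dns_count_packets`, `dns_example_counts` and the struct names are this example's own, not Snort API.

```c
/* Added example: classify DNS messages by the header QR bit and count them.
 * Not from Snort; the sample messages below are constructed, not captured. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define DNS_HDR_LEN 12          /* fixed DNS header size, RFC 1035 4.1.1 */

enum dns_kind { DNS_MALFORMED = -1, DNS_QUERY = 0, DNS_RESPONSE = 1 };

/* Returns DNS_QUERY or DNS_RESPONSE from the QR bit, or DNS_MALFORMED when
 * the payload cannot even hold a header (the length check comes first so
 * a short packet never causes an out-of-bounds read). */
int dns_classify(const uint8_t *payload, size_t len)
{
    if (payload == NULL || len < DNS_HDR_LEN)
        return DNS_MALFORMED;
    return (payload[2] & 0x80) ? DNS_RESPONSE : DNS_QUERY;   /* byte 2, bit 7 = QR */
}

/* QDCOUNT (bytes 4-5, big-endian); 0 for a malformed payload. */
unsigned dns_qdcount(const uint8_t *payload, size_t len)
{
    if (payload == NULL || len < DNS_HDR_LEN)
        return 0;
    return ((unsigned)payload[4] << 8) | payload[5];
}

/* Constructed query: ID 0x1234, RD set, one question for example.com/A/IN. */
static const uint8_t SAMPLE_QUERY[] = {
    0x12, 0x34,                               /* ID */
    0x01, 0x00,                               /* flags: QR=0, RD=1 */
    0x00, 0x01,                               /* QDCOUNT = 1 */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00,       /* ANCOUNT, NSCOUNT, ARCOUNT = 0 */
    0x07, 'e','x','a','m','p','l','e', 0x03, 'c','o','m', 0x00,
    0x00, 0x01, 0x00, 0x01                    /* QTYPE A, QCLASS IN */
};

/* Constructed response to the same query: QR=1, RA=1, one A record. */
static const uint8_t SAMPLE_RESPONSE[] = {
    0x12, 0x34,
    0x81, 0x80,                               /* flags: QR=1, RD=1, RA=1 */
    0x00, 0x01,                               /* QDCOUNT = 1 */
    0x00, 0x01,                               /* ANCOUNT = 1 */
    0x00, 0x00, 0x00, 0x00,
    0x07, 'e','x','a','m','p','l','e', 0x03, 'c','o','m', 0x00,
    0x00, 0x01, 0x00, 0x01,
    0xc0, 0x0c,                               /* compressed name: pointer to offset 12 */
    0x00, 0x01, 0x00, 0x01,                   /* TYPE A, CLASS IN */
    0x00, 0x00, 0x0e, 0x10,                   /* TTL 3600 */
    0x00, 0x04,                               /* RDLENGTH 4 */
    0xc0, 0x00, 0x02, 0x01                    /* 192.0.2.1 (TEST-NET-1) */
};

struct dns_pkt    { const uint8_t *payload; size_t len; };
struct dns_counts { unsigned queries; unsigned responses; unsigned malformed; };

/* Tally a list of UDP payloads the way a per-packet hook would: one counter
 * bump per message instead of a printf. */
struct dns_counts dns_count_packets(const struct dns_pkt *pkts, size_t n)
{
    struct dns_counts c = {0, 0, 0};
    for (size_t i = 0; i < n; i++) {
        switch (dns_classify(pkts[i].payload, pkts[i].len)) {
        case DNS_QUERY:    c.queries++;   break;
        case DNS_RESPONSE: c.responses++; break;
        default:           c.malformed++; break;
        }
    }
    return c;
}

/* Constructed traffic: two queries, one response, one truncated packet. */
struct dns_counts dns_example_counts(void)
{
    static const uint8_t truncated[] = { 0x12, 0x34, 0x01 };
    struct dns_pkt pkts[] = {
        { SAMPLE_QUERY,    sizeof SAMPLE_QUERY },
        { SAMPLE_RESPONSE, sizeof SAMPLE_RESPONSE },
        { SAMPLE_QUERY,    sizeof SAMPLE_QUERY },
        { truncated,       sizeof truncated },
    };
    return dns_count_packets(pkts, sizeof pkts / sizeof pkts[0]);
}

int main(void)
{
    struct dns_counts c = dns_example_counts();
    printf("queries=%u responses=%u malformed=%u\n",
           c.queries, c.responses, c.malformed);
    return 0;
}
```

Before touching the preprocessor at all, a quicker check for the question asked in the reply above is to confirm that the interface actually sees the outbound query: running `tcpdump -ni eth0 udp port 53` while issuing the nslookup shows both directions if libpcap on eth0 sees them. If the query is visible there but not in the preprocessor, the problem is in what reaches ProcessDNS, not in capture.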