[Snort-devel] snort dns Preprocessor

Seshaiah Erugu (serugu) serugu at ...3461...
Mon May 9 07:04:30 EDT 2016


Hi Rohan,

I added the following code in the ProcessDNS function and replayed the attached pcap. I can see the count.

diff -d -u -r1.77.10.1 spp_dns.c
--- spp_dns.c   13 Apr 2016 15:55:53 -0000      1.77.10.1
+++ spp_dns.c   9 May 2016 11:02:48 -0000
@@ -1426,6 +1426,8 @@
     uint8_t known_port = 0;
     uint8_t direction = 0;
     SFSnortPacket* p;
+
+    static int REQ_COUNT = 0;
#ifdef TARGET_BASED
     int16_t app_id = SFTARGET_UNKNOWN_PROTOCOL;
#endif
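Review bot: `static int REQ_COUNT = 0;` makes the counter a function-scope static that is shared across every session and never reset, and the all-caps name reads like a macro; consider a lower-case name and, if the value is meant to be reported, keeping it alongside the preprocessor's existing statistics rather than as a hidden static inside ProcessDNS. The added `+` blank line before `#ifdef TARGET_BASED` also separates the new declaration from the other locals it belongs with.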
@@ -1574,6 +1576,12 @@
         return;
     }

+     if ( direction == DNS_DIR_FROM_CLIENT )
+     {
+           REQ_COUNT++;
+           _dpd.logMsg("\n \n \n DNS QUERY COUNT:%d \n \n \n \n ",REQ_COUNT);
+     }
+
     if (direction == DNS_DIR_FROM_SERVER)
     {
         ParseDNSResponseMessage(p, dnsSessionData);
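Review bot: `_dpd.logMsg(...)` is called for every packet from the client, so the count is printed once per packet together with a block of blank lines each time; separate counting from reporting and print from a summary or at most every N queries instead of inline. Note also that `direction == DNS_DIR_FROM_CLIENT` counts client packets, not parsed DNS queries: the server branch below hands the packet to ParseDNSResponseMessage, but the new branch never checks that the payload holds a DNS message, so a TCP segment carrying no complete query, or more than one, is miscounted. The new block is indented 5 spaces where the surrounding code uses 4.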




Thanks,
Seshaiah Erugu.
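The direction and port checks in this thread count packets rather than DNS messages; as an added example (not Snort's code and not from spp_dns.c), the following classifies each message by the QR bit of the 12-byte DNS header, which is what distinguishes a query from a response regardless of port or direction. The function names and the sample messages are constructed for this example.

```c
/* Added example, not Snort code: classify raw DNS messages by the QR bit of
 * the 12-byte header and count queries independent of port or direction.
 * Sample messages are constructed here, not taken from the attached pcap. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* 1 = standard query (QR=0, opcode 0), 0 = response or other opcode,
 * -1 = message shorter than a DNS header (cannot be classified). */
int dns_is_query(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < 12) return -1;
    uint16_t flags = (uint16_t)((buf[2] << 8) | buf[3]);
    int qr = (flags >> 15) & 1;          /* 0 = query, 1 = response */
    int opcode = (flags >> 11) & 0x0F;   /* 0 = QUERY */
    return (qr == 0 && opcode == 0) ? 1 : 0;
}

/* Count standard queries among n messages; *bad (may be NULL) receives the
 * number of truncated messages that were skipped. */
unsigned dns_count_queries(const uint8_t *msgs[], const size_t lens[],
                           size_t n, unsigned *bad)
{
    unsigned queries = 0, malformed = 0;
    for (size_t i = 0; i < n; i++) {
        int r = dns_is_query(msgs[i], lens[i]);
        if (r < 0) malformed++; else if (r == 1) queries++;
    }
    if (bad) *bad = malformed;
    return queries;
}

/* Constructed samples: A query for example.com, the matching response
 * (header and question section only), and a junk blob. */
const uint8_t q1[] = {0x12,0x34, 0x01,0x00, 0,1, 0,0, 0,0, 0,0,
                      7,'e','x','a','m','p','l','e',3,'c','o','m',0, 0,1, 0,1};
const uint8_t r1[] = {0x12,0x34, 0x81,0x80, 0,1, 0,1, 0,0, 0,0,
                      7,'e','x','a','m','p','l','e',3,'c','o','m',0, 0,1, 0,1};
const uint8_t junk[] = {0xde, 0xad, 0xbe, 0xef};
const uint8_t *sample_msgs[] = { q1, r1, q1, junk };
const size_t sample_lens[] = { sizeof q1, sizeof r1, sizeof q1, sizeof junk };

int main(void)
{
    unsigned bad, n = dns_count_queries(sample_msgs, sample_lens, 4, &bad);
    printf("queries=%u other=%u malformed=%u\n", n, 4 - n - bad, bad);
    return 0;
}
```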

From: rohan dora [mailto:dora.rohan at ...2499...]
Sent: Saturday, May 07, 2016 7:09 PM
To: Seshaiah Erugu (serugu) <serugu at ...3461...>
Cc: snort-devel at lists.sourceforge.net; snort-users at lists.sourceforge.net
Subject: Re: [Snort-devel] snort dns Preprocessor

Thanks Seshaiah, I have checked that too, as per your suggestion.
However, it is never printing REQUEST.
Does snort capture the packets that are sent out from the same machine it is running on (I have only 1 interface, eth0)? If so, is it ignoring the DNS requests, or what could be the issue?
Thanks a lot

On Sat, May 7, 2016 at 6:51 PM, Seshaiah Erugu (serugu) <serugu at ...3461...<mailto:serugu at ...3461...>> wrote:
Hi Rohan,


Can you try with the packet direction flag? Please print REQUEST if the packet direction is from CLIENT.


Thanks,
Seshaiah Erugu.

From: rohan dora [mailto:dora.rohan at ...2499...<mailto:dora.rohan at ...2499...>]
Sent: Friday, May 06, 2016 4:47 PM
To: Seshaiah Erugu (serugu) <serugu at ...3461...<mailto:serugu at ...3461...>>
Cc: snort-devel at lists.sourceforge.net<mailto:snort-devel at lists.sourceforge.net>; snort-users at lists.sourceforge.net<mailto:snort-users at lists.sourceforge.net>
Subject: Re: [Snort-devel] snort dns Preprocessor

Thanks Seshaiah, I have added code (a simple if condition) in ProcessDns to track DNS queries.

p = (SFSnortPacket*) packetPtr;

if (p->src_port == 53) printf("DNS Response\n");
if (p->dst_port == 53) printf("DNS Request\n");

After adding it, I do make, make install and then use nslookup to issue a DNS query.

However, I never see "DNS Request" printed on the console.

So how will we track the DNS requests? I think snort is handling the packet sniffing/capture part (the user needn't look for it).

Please correct me if I am going wrong.




On Fri, May 6, 2016 at 11:16 AM, Seshaiah Erugu (serugu) <serugu at ...3461...<mailto:serugu at ...3461...>> wrote:
Hi Rohan,

As you said, currently the DNS preprocessor is inspecting/tracking responses from the DNS server.
If you want to track DNS queries from client to server, you can add code in spp_dns.c (ProcessDNS function).


Thanks,
Seshaiah Erugu.

From: rohan dora [mailto:dora.rohan at ...2499...<mailto:dora.rohan at ...2499...>]
Sent: Friday, May 06, 2016 10:15 AM
To: snort-devel at lists.sourceforge.net<mailto:snort-devel at lists.sourceforge.net>; snort-users at lists.sourceforge.net<mailto:snort-users at lists.sourceforge.net>
Subject: [Snort-devel] snort dns Preprocessor

Hello all,


I was browsing through the code of the DNS Dynamic preprocessor (spp_dns.c) of Snort 2.9.1.

Objective

To count the number of DNS queries that are made by my machine to the DNS server (local or remote, it doesn't matter).

Problem

Right now, the DNS Dynamic preprocessor is able to track responses that are coming from the DNS server to my machine; however, it is not able to track/see the DNS queries that my machine makes.

I know that the DNS Preprocessor is meant for analysing the responses of the remote server, but I added some code (some if conditions, print statements) to track DNS queries.

Anyone having ideas what could be the problem, or is this the right approach (modifying code in spp_dns.c)?

Thanks




-------------- next part --------------
A non-text attachment was scrubbed...
Name: chopped.dnsattack.pcap
Type: application/octet-stream
Size: 63636 bytes
Desc: chopped.dnsattack.pcap
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20160509/59b9164f/attachment.obj>

