[Snort-devel] snort dns Preprocessor

rohan dora dora.rohan at ...2499...
Tue May 10 09:59:33 EDT 2016


It's very nice and appreciable of you, for so much input and effort.

I am in a serious dilemma as to why my code isn't functioning properly (I am
using *Snort 2.9.8.0 on Ubuntu 14.04 32-bit*).


*Steps I took further.*


*1.* I ran Snort in sniffer mode (./snort -vd) and I noticed that all DNS
queries and responses are captured by Snort.

*2.* Then I added 2 rules in local.rules (uncommented local.rules in
snort.conf) to alert when DNS queries are sent and when DNS responses
arrive from/to my machine.

And I found that alerts are working only for DNS responses (alerting on
the console).


(Command used for running Snort: sudo /usr/local/bin/snort -A console -q -u
snort -g snort -c /etc/snort/snort.conf -i eth1; this is the command I use
all the time)



*Rules Used::*

alert udp any 53 -> $HOME_NET any (msg:"dns_from_server"; GID:2; sid:10000002; rev:002; )

alert udp $HOME_NET any -> any 53 (msg:"dns_from_client"; GID:21; sid:100000021; rev:0021; )


Thanks a ton



On Mon, May 9, 2016 at 4:34 PM, Seshaiah Erugu (serugu) <serugu at ...3461...>
wrote:

> Hi Rohan,
>
>
>
> I added the following code in the ProcessDNS function and replayed the
> attached pcap.   I can see the count.
>
>
>
> diff -d -u -r1.77.10.1 spp_dns.c
>
> --- spp_dns.c   13 Apr 2016 15:55:53 -0000      1.77.10.1
>
> +++ spp_dns.c   9 May 2016 11:02:48 -0000
>
> @@ -1426,6 +1426,8 @@
>
>      uint8_t known_port = 0;
>
>      uint8_t direction = 0;
>
>      SFSnortPacket* p;
>
> +
>
> +    static int REQ_COUNT = 0;
>
> #ifdef TARGET_BASED
>
>      int16_t app_id = SFTARGET_UNKNOWN_PROTOCOL;
>
> #endif
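Review bot: the function-static `static int REQ_COUNT = 0;` added after `SFSnortPacket* p;` is a single process-wide counter that nothing in the preprocessor resets or reports (no reload, no stats dump), and the all-caps name reads like a macro rather than a variable. If this is meant to outlive a quick debugging session, keep the count in the preprocessor's own state, give it a lower-case name such as `req_count`, and add a comment saying it counts packets seen in the client direction, not parsed DNS queries.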
>
> @@ -1574,6 +1576,12 @@
>
>          return;
>
>      }
>
>
>
> +     if ( direction == DNS_DIR_FROM_CLIENT )
>
> +     {
>
> +           REQ_COUNT++;
>
> +           _dpd.logMsg("\n \n \n DNS QUERY COUNT:%d \n \n \n \n
> ",REQ_COUNT);
>
> +     }
>
> +
>
>      if (direction == DNS_DIR_FROM_SERVER)
>
>      {
>
>          ParseDNSResponseMessage(p, dnsSessionData);
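Review bot: the new `if ( direction == DNS_DIR_FROM_CLIENT )` block increments `REQ_COUNT` and calls `_dpd.logMsg` for every packet in the client direction before anything has checked that the payload is actually a DNS query (no header length check, no look at the QR bit), so retransmits, empty UDP datagrams and non-DNS traffic on port 53 are all counted and logged on the fast path. Count only after a successful parse of the query, and drop or gate the per-packet `_dpd.logMsg("\n \n \n DNS QUERY COUNT:%d ...")`, which will flood the log under real traffic; by contrast the existing `DNS_DIR_FROM_SERVER` branch only counts what `ParseDNSResponseMessage` has parsed.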
>
>
>
>
>
>
>
>
>
> Thanks,
>
> Seshaiah Erugu.
>
>
>
> *From:* rohan dora [mailto:dora.rohan at ...2499...]
> *Sent:* Saturday, May 07, 2016 7:09 PM
>
> *To:* Seshaiah Erugu (serugu) <serugu at ...3461...>
> *Cc:* snort-devel at lists.sourceforge.net; snort-users at lists.sourceforge.net
> *Subject:* Re: [Snort-devel] snort dns Preprocessor
>
>
>
> Thanks Seshaiah, I have checked that too, as per your suggestion.
>
> However, it is never printing REQUEST.
>
> Does Snort capture the packets that are sent out from the same machine it
> is running on (I have only 1 interface, eth0)? If so, then is it ignoring the DNS
> requests, or what could be the issue?
>
> Thanks a lot
>
>
>
> On Sat, May 7, 2016 at 6:51 PM, Seshaiah Erugu (serugu) <serugu at ...3461...>
> wrote:
>
> Hi Rohan,
>
>
>
>
>
> Can you try with the packet direction flag? Please print REQUEST if the
> packet direction is from CLIENT.
>
>
>
>
>
> Thanks,
>
> Seshaiah Erugu.
>
>
>
> *From:* rohan dora [mailto:dora.rohan at ...2499...]
> *Sent:* Friday, May 06, 2016 4:47 PM
> *To:* Seshaiah Erugu (serugu) <serugu at ...3461...>
> *Cc:* snort-devel at lists.sourceforge.net; snort-users at lists.sourceforge.net
> *Subject:* Re: [Snort-devel] snort dns Preprocessor
>
>
>
> Thanks Seshaiah, I have added code (a simple if condition) in ProcessDNS to
> track DNS queries.
>
>
>
> p = (SFSnortPacket*) packetPtr;
>
>
>
>    if(p->src_port==53) printf("DNS Response\n");
>
>    if(p->dst_port==53) printf("DNS Request\n");
>
>
>
> After adding it, I do make, make install and then use nslookup to issue a DNS
> query.
>
>
>
> However, I never see "DNS Request" printed on the console.
>
>
>
> So how will we track the DNS requests, because I think Snort is handling the
> packet sniffing/capture part (the user needn't look for it)?
>
>
>
> Please correct me if I am going wrong.
>
>
>
>
>
>
>
>
>
> On Fri, May 6, 2016 at 11:16 AM, Seshaiah Erugu (serugu) <serugu at ...3461...>
> wrote:
>
> Hi Rohan,
>
>
>
> As you said, currently the DNS preprocessor is inspecting/tracking responses from
> the DNS server.
>
> If you want to track DNS queries from client to server, you can add code
> in spp_dns.c (the ProcessDNS function).
>
>
>
>
>
> Thanks,
>
> Seshaiah Erugu.
>
>
>
> *From:* rohan dora [mailto:dora.rohan at ...2499...]
> *Sent:* Friday, May 06, 2016 10:15 AM
> *To:* snort-devel at lists.sourceforge.net; snort-users at lists.sourceforge.net
> *Subject:* [Snort-devel] snort dns Preprocessor
>
>
>
> Hello all,
>
> I was browsing through the code of the *DNS Dynamic preprocessor* (*spp_dns.c*)
> of Snort 2.9.1.
>
> *Objective*
>
> To count the number of DNS queries that are made by my machine to a DNS
> server (may be local/remote, it doesn't matter).
>
> *Problem*
>
> Right now, the DNS Dynamic preprocessor is able to track responses that are
> coming from the DNS server to my machine, *however it is not able to track/see
> the DNS queries that my machine makes*.
>
> I know that the DNS preprocessor is meant for analysing the responses of the
> remote server, but I added some code (some if conditions, print statements) to
> track DNS queries.
>
> Anyone having ideas what could be the problem, or is this the right
> approach (modifying code in spp_dns.c)?
>
> Thanks
>
>
>
>
>
>
>
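The thread turns on telling a DNS query from a DNS response, first by port number (`p->dst_port==53`) and then by the preprocessor's direction flag. As an added example, not code from the thread and not from Snort's spp_dns.c, the block below shows both ways of classifying a UDP DNS packet: the port-based rule the thread uses, and the QR bit in the DNS header (RFC 1035, section 4.1.1), which is what actually distinguishes a query from a response and still works where ports are ambiguous (both ends on port 53) or the payload is too short to be DNS. The `DNS_DIR_*` names mirror the constants quoted in the thread, but their numeric values, the `udp_pkt_t` struct and the sample packets are constructed for this example.

```c
/* Added example (not from the thread or from Snort's spp_dns.c): classify
 * UDP DNS packets as query or response and count client queries.
 * Two classifiers are shown: one by port, the way the thread's checks work,
 * and one by the QR bit of the DNS header (RFC 1035 section 4.1.1).
 * The dns_dir_t names mirror the thread's DNS_DIR_* constants; the numeric
 * values here are an assumption. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { DNS_DIR_UNKNOWN = 0, DNS_DIR_FROM_CLIENT = 1, DNS_DIR_FROM_SERVER = 2 } dns_dir_t;

#define DNS_HEADER_LEN 12
#define DNS_PORT 53

typedef struct {
    uint16_t id, flags, qdcount, ancount, nscount, arcount;
} dns_header_t;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Decode the fixed 12-byte header. Returns 0 on success, -1 if the payload is
 * shorter than a header: a truncated or non-DNS packet must not be counted. */
int dns_parse_header(const uint8_t *buf, size_t len, dns_header_t *h)
{
    if (buf == NULL || h == NULL || len < DNS_HEADER_LEN) return -1;
    h->id = be16(buf);          h->flags = be16(buf + 2);
    h->qdcount = be16(buf + 4); h->ancount = be16(buf + 6);
    h->nscount = be16(buf + 8); h->arcount = be16(buf + 10);
    return 0;
}

/* Port-based direction, the style of check used in the thread. It cannot
 * decide when both ports are 53 (resolver-to-resolver) or neither is. */
dns_dir_t dns_dir_by_port(uint16_t sport, uint16_t dport)
{
    if (dport == DNS_PORT && sport != DNS_PORT) return DNS_DIR_FROM_CLIENT;
    if (sport == DNS_PORT && dport != DNS_PORT) return DNS_DIR_FROM_SERVER;
    return DNS_DIR_UNKNOWN;
}

/* QR-bit direction: bit 15 of the flags word is 0 for a query, 1 for a response. */
dns_dir_t dns_dir_by_qr(const uint8_t *buf, size_t len)
{
    dns_header_t h;
    if (dns_parse_header(buf, len, &h) != 0) return DNS_DIR_UNKNOWN;
    return (h.flags & 0x8000) ? DNS_DIR_FROM_SERVER : DNS_DIR_FROM_CLIENT;
}

/* Minimal stand-in for the packet fields the example needs (assumed layout). */
typedef struct { uint16_t sport, dport; const uint8_t *payload; size_t len; } udp_pkt_t;

/* Count queries over a batch of UDP packets using the QR bit, and report how
 * many packets the port rule misclassified or could not classify. */
size_t count_dns_queries(const udp_pkt_t *pkts, size_t n, size_t *disagreements)
{
    size_t queries = 0, diff = 0;
    for (size_t i = 0; i < n; i++) {
        dns_dir_t by_qr = dns_dir_by_qr(pkts[i].payload, pkts[i].len);
        dns_dir_t by_port = dns_dir_by_port(pkts[i].sport, pkts[i].dport);
        if (by_qr == DNS_DIR_FROM_CLIENT) queries++;
        if (by_qr != DNS_DIR_UNKNOWN && by_qr != by_port) diff++;
    }
    if (disagreements) *disagreements = diff;
    return queries;
}

/* Constructed sample payloads (not captured traffic): an A query for
 * example.com, its response carrying one A record, and a truncated packet. */
static const uint8_t QUERY_EXAMPLE_COM[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    7, 'e','x','a','m','p','l','e', 3, 'c','o','m', 0, 0x00, 0x01, 0x00, 0x01 };
static const uint8_t RESPONSE_EXAMPLE_COM[] = {
    0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    7, 'e','x','a','m','p','l','e', 3, 'c','o','m', 0, 0x00, 0x01, 0x00, 0x01,
    0xc0, 0x0c, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x0e, 0x10, 0x00, 0x04,
    0x5d, 0xb8, 0xd8, 0x22 };
static const uint8_t TRUNCATED[] = { 0x12, 0x34, 0x01 };

/* The batch: a normal query, its response, the same query forwarded between
 * two resolvers on port 53 (ports alone cannot classify it), and a truncated packet. */
static const udp_pkt_t SAMPLE_BATCH[] = {
    { 40000, 53, QUERY_EXAMPLE_COM, sizeof QUERY_EXAMPLE_COM },
    { 53, 40000, RESPONSE_EXAMPLE_COM, sizeof RESPONSE_EXAMPLE_COM },
    { 53, 53, QUERY_EXAMPLE_COM, sizeof QUERY_EXAMPLE_COM },
    { 40001, 53, TRUNCATED, sizeof TRUNCATED },
};
#define SAMPLE_BATCH_LEN (sizeof SAMPLE_BATCH / sizeof SAMPLE_BATCH[0])

int main(void)
{
    size_t dis = 0;
    size_t q = count_dns_queries(SAMPLE_BATCH, SAMPLE_BATCH_LEN, &dis);
    printf("DNS QUERY COUNT:%zu (port/QR disagreements:%zu)\n", q, dis);
    return 0;
}
```

On the constructed batch the QR-based count is 2 (the client query and the resolver-to-resolver query), the port rule cannot classify the 53-to-53 packet, and the truncated packet is ignored by both. Inside a preprocessor the same parse would sit before any counter increment, so that only a payload that is actually a DNS query is counted.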
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20160510/70e66648/attachment.html>

