<div dir="ltr"><span style="font-size:12.8000001907349px">Thanks Seshaiah, I have checked that too, as per your suggestion.</span><br><div><span style="font-size:12.8000001907349px">However, it is never printing </span><span style="color:rgb(31,73,125);font-family:Calibri,sans-serif;font-size:14.6666669845581px">REQUEST.</span></div><div><span style="color:rgb(31,73,125);font-family:Calibri,sans-serif;font-size:14.6666669845581px">Does snort capture the packets that are sent out from the same machine it is running on (I have only 1 interface, eth0)? If so, then is it ignoring the DNS requests, or what could be the issue?</span></div><div><span style="color:rgb(31,73,125);font-family:Calibri,sans-serif;font-size:14.6666669845581px">Thanks a lot</span></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sat, May 7, 2016 at 6:51 PM, Seshaiah Erugu (serugu) <span dir="ltr"><<a href="mailto:serugu@...3461..." target="_blank">serugu@...3461...</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">





<div lang="EN-US" link="blue" vlink="purple">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Hi Rohan,<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Can you try with the packet direction flag? Please print REQUEST if the packet direction is from CLIENT.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Thanks,<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Seshaiah Erugu.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> rohan dora [mailto:<a href="mailto:dora.rohan@...2499..." target="_blank">dora.rohan@...2499...</a>]
<br>
<b>Sent:</b> Friday, May 06, 2016 4:47 PM<br>
<b>To:</b> Seshaiah Erugu (serugu) <<a href="mailto:serugu@...3461..." target="_blank">serugu@...3461...</a>><br>
<b>Cc:</b> <a href="mailto:snort-devel@lists.sourceforge.net" target="_blank">snort-devel@lists.sourceforge.net</a>; <a href="mailto:snort-users@lists.sourceforge.net" target="_blank">snort-users@lists.sourceforge.net</a><br>
<b>Subject:</b> Re: [Snort-devel] snort dns Preprocessor<u></u><u></u></span></p><div><div class="h5">
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal">Thanks Seshaiah, I have added code (a simple if condition) in ProcessDns to track DNS queries.<u></u><u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<div>
<div>
<pre>p = (SFSnortPacket*) packetPtr;

/* classify by the well-known DNS port: response if it comes from 53, request if it goes to 53 */
if (p->src_port == 53) printf("DNS Response\n");
if (p->dst_port == 53) printf("DNS Request\n");</pre>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">After adding it, I do make, make install and then use nslookup to issue a DNS query.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">However, I never see "DNS Request" printed on the console.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">So how will we track the DNS requests, because I think snort is handling the packet sniffing/capture part (the user needn't look for it).<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Please correct me if I am going wrong.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal">On Fri, May 6, 2016 at 11:16 AM, Seshaiah Erugu (serugu) <<a href="mailto:serugu@...3461..." target="_blank">serugu@...2981...461...</a>> wrote:<u></u><u></u></p>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Hi Rohan,</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">As you said, currently the DNS preprocessor is inspecting/tracking responses from the DNS server.</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">If you want to track DNS queries from client to server, you can add code in spp_dns.c (ProcessDNS function).</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Thanks,</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Seshaiah Erugu.</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><u></u><u></u></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> rohan dora [mailto:<a href="mailto:dora.rohan@...2499..." target="_blank">dora.rohan@...2499...</a>]
<br>
<b>Sent:</b> Friday, May 06, 2016 10:15 AM<br>
<b>To:</b> <a href="mailto:snort-devel@lists.sourceforge.net" target="_blank">snort-devel@lists.sourceforge.net</a>;
<a href="mailto:snort-users@lists.sourceforge.net" target="_blank">snort-users@lists.sourceforge.net</a><br>
<b>Subject:</b> [Snort-devel] snort dns Preprocessor</span><u></u><u></u></p>
<div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
<div>
<table border="0" cellspacing="0" cellpadding="0" style="border-collapse:collapse">
<tbody>
<tr>
<td valign="top" style="padding:0in 0in 0in 0in">
<p class="MsoNormal" style="line-height:12.65pt">
<span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#242729">Hello all,</span><u></u><u></u></p>
</td>
<td valign="top" style="padding:0in 11.25pt 0in 0in"></td>
<td valign="top" style="padding:0in 0in 0in 0in">
<div>
<div style="margin-bottom:3.75pt;word-wrap:break-word">
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:#242729">I was browsing through the code of the <strong><span style="font-family:"Arial",sans-serif;border:none windowtext 1.0pt;padding:0in">DNS Dynamic preprocessor</span></strong> (<strong><span style="font-family:"Arial",sans-serif;border:none windowtext 1.0pt;padding:0in">spp_dns.c</span></strong>) of Snort 2.9.1.</span><u></u><u></u></p>
<p style="margin:0in;margin-bottom:.0001pt"><strong><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:#242729;border:none windowtext 1.0pt;padding:0in">Objective</span></strong><u></u><u></u></p>
<p style="margin-bottom:12.0pt"><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:#242729">To count the number of DNS queries that are made by my machine to the DNS server (may be local/remote, doesn't matter).</span><u></u><u></u></p>
<p style="margin:0in;margin-bottom:.0001pt"><strong><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:#242729;border:none windowtext 1.0pt;padding:0in">Problem</span></strong><u></u><u></u></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:#242729">Right now, the DNS Dynamic preprocessor is able to track responses that are coming from the DNS server to my machine, <strong><span style="font-family:"Arial",sans-serif;border:none windowtext 1.0pt;padding:0in">however it is not able to track/see the DNS queries that my machine makes</span></strong>.</span><u></u><u></u></p>
<p style="margin-bottom:12.0pt"><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:#242729">I know that the DNS preprocessor is meant for analysing the responses of the remote server, but I added some code (some if conditions, print statements) to track DNS queries.</span><u></u><u></u></p>
<p style="margin-bottom:12.0pt"><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:#242729">Anyone having ideas what could be the problem, or is this the right approach (modifying code in spp_dns.c)?</span><u></u><u></u></p>
<p style="margin-bottom:12.0pt"><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:#242729">Thanks</span><u></u><u></u></p>
</div>
</div>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div></div></div>
</div>

</blockquote></div><br></div>
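<p>Added example, not code from this thread or from Snort itself: a stand-alone C program that classifies a packet as DNS request or response the way a hook such as ProcessDNS would, checking the direction flag suggested above first, then the QR bit of the DNS header, and only then the port-53 test from the posted snippet. It goes beyond the thread by adding the QR-bit check. The pkt_t struct, the PKT_FROM_CLIENT/PKT_FROM_SERVER constants and the sample packets are constructed stand-ins for SFSnortPacket and its flags, not the real definitions in sf_snort_packet.h.</p>

```c
#include <stddef.h>
#include <stdint.h>

/* Stand-in for the SFSnortPacket fields the thread's snippet uses; the real
 * struct and direction flags live in sf_snort_packet.h (assumed names). */
#define PKT_FROM_SERVER 0x40u
#define PKT_FROM_CLIENT 0x80u
typedef struct {
    uint16_t src_port, dst_port;   /* host byte order, like SFSnortPacket */
    uint32_t flags;                /* direction bits */
    const uint8_t *payload;        /* transport payload = DNS message */
    uint16_t payload_size;
} pkt_t;

enum { DNS_NONE = 0, DNS_REQUEST = 1, DNS_RESPONSE = 2 };

/* Direction flag first (as suggested in the thread), then the QR bit in byte 2
 * of the 12-byte DNS header, and only then ports: a port test alone cannot
 * separate request from response when both endpoints use 53. */
int classify_dns(const pkt_t *p)
{
    if (!p || (p->src_port != 53 && p->dst_port != 53)) return DNS_NONE;
    if (p->flags & PKT_FROM_CLIENT) return DNS_REQUEST;
    if (p->flags & PKT_FROM_SERVER) return DNS_RESPONSE;
    if (p->payload && p->payload_size >= 12)
        return (p->payload[2] & 0x80) ? DNS_RESPONSE : DNS_REQUEST;
    return (p->dst_port == 53) ? DNS_REQUEST : DNS_RESPONSE;
}

/* The counter the original post asks for: DNS requests seen in a batch. */
unsigned count_dns_requests(const pkt_t *pkts, size_t n)
{
    unsigned c = 0;
    for (size_t i = 0; i < n; i++)
        if (classify_dns(&pkts[i]) == DNS_REQUEST) c++;
    return c;
}

/* Constructed samples: header flags 0x0100 = query (QR=0), 0x8180 = response
 * (QR=1); packet 3 is a query with no direction flag, packet 4 is not DNS. */
static const uint8_t QUERY_HDR[12]    = {0x12,0x34,0x01,0x00,0,1,0,0,0,0,0,0};
static const uint8_t RESPONSE_HDR[12] = {0x12,0x34,0x81,0x80,0,1,0,1,0,0,0,0};
static const pkt_t SAMPLE_PKTS[] = {
    {40321, 53, PKT_FROM_CLIENT, QUERY_HDR, 12},
    {53, 40321, PKT_FROM_SERVER, RESPONSE_HDR, 12},
    {40322, 53, 0, QUERY_HDR, 12},
    {22, 40000, 0, NULL, 0},
};
#define SAMPLE_N (sizeof SAMPLE_PKTS / sizeof SAMPLE_PKTS[0])
```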