[Snort-sigs] What's wrong with this rule?

Paul Schmehl pauls at ...1311...
Fri Aug 6 08:36:04 EDT 2004

I wrote a rule to capture udp/53 traffic from internal hosts to external 
hosts.  (We're trying to see if we have any "rogue" DNS servers on our 
campus.)  I didn't want to capture "legitimate" traffic, so I created a 
variable, GOOD_DNS which contains all our known DNS servers in it (var 
GOOD_DNS = [x.x.x.x/32,x.x.x.x/32])

Here's the rule that I wrote:

alert udp !$GOOD_DNS 53 -> $EXTERNAL_NET any (msg: "DNS Server response - 
possible rogue DNS server"; content: "|69 6E 2D 61 64
64 72 04 61 72 70 61|"; classtype:misc-activity; sid: 100000110; rev:1;)

But *all* the alerts this rule triggers are from ephemeral ports locally to 
port 53 external?  What the heck did I do wrong?

Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member

More information about the Snort-sigs mailing list