[Snort-sigs] What's wrong with this rule?
pauls at ...1311...
Fri Aug 6 08:36:04 EDT 2004
I wrote a rule to capture udp/53 traffic from internal hosts to external
hosts. (We're trying to see if we have any "rogue" DNS servers on our
campus.) I didn't want to capture "legitimate" traffic, so I created a
variable, GOOD_DNS which contains all our known DNS servers in it (var
GOOD_DNS = [x.x.x.x/32,x.x.x.x/32])
Here's the rule that I wrote:
alert udp !$GOOD_DNS 53 -> $EXTERNAL_NET any (msg: "DNS Server response - possible rogue DNS server"; content: "|69 6E 2D 61 64 64 72 04 61 72 70 61|"; classtype:misc-activity; sid: 100000110; rev:1;)
But *all* the alerts this rule triggers are from ephemeral ports locally to
port 53 external? What the heck did I do wrong?
Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
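As an added illustration (not part of Paul's post), the Python below evaluates the header and content option of the rule above against constructed packets, so the one-way '->' semantics and the !$GOOD_DNS negation can be checked by hand. The GOOD_DNS, HOME_NET and EXTERNAL_NET values are assumptions, since the post only shows x.x.x.x placeholders.

```python
import ipaddress

# Constructed stand-ins for the poster's variables: the post shows GOOD_DNS
# only as x.x.x.x placeholders and never defines HOME_NET/EXTERNAL_NET, so
# RFC 5737 documentation addresses are used here (assumption, not site data).
HOME_NET = [ipaddress.ip_network("192.0.2.0/24")]
GOOD_DNS = [ipaddress.ip_network("192.0.2.10/32"),
            ipaddress.ip_network("192.0.2.11/32")]
EXTERNAL_NET = ("!", HOME_NET)   # assumes the usual "var EXTERNAL_NET !$HOME_NET"

# The rule's content option decoded: "in-addr" + label length 0x04 + "arpa"
CONTENT = bytes.fromhex("69 6E 2D 61 64 64 72 04 61 72 70 61")

def addr_match(ip, spec):
    """spec is ("!" or "", [networks]); "!" negates membership like Snort's !$VAR."""
    negate, nets = spec
    hit = any(ipaddress.ip_address(ip) in n for n in nets)
    return (not hit) if negate == "!" else hit

def port_match(port, spec):
    return spec == "any" or port == spec

def rule_matches(src, sport, dst, dport, payload):
    """Evaluate 'alert udp !$GOOD_DNS 53 -> $EXTERNAL_NET any (content:...)'.
    The '->' header is one-directional: only a source port of 53 can match."""
    return (addr_match(src, ("!", GOOD_DNS)) and port_match(sport, 53)
            and addr_match(dst, EXTERNAL_NET) and port_match(dport, "any")
            and CONTENT in payload)

# Constructed sample packets (src, sport, dst, dport, payload); the payload is
# only a DNS reverse-lookup name in wire format, not a complete DNS message.
PTR_NAME = b"\x0210\x012\x010\x03192\x07in-addr\x04arpa\x00"
SAMPLES = {
    "unlisted_internal_53_to_external":  ("192.0.2.50", 53, "198.51.100.7", 41000, PTR_NAME),
    "good_dns_53_to_external":           ("192.0.2.10", 53, "198.51.100.7", 41000, PTR_NAME),
    "internal_ephemeral_to_external_53": ("192.0.2.50", 41000, "198.51.100.7", 53, PTR_NAME),
    "unlisted_internal_53_no_content":   ("192.0.2.50", 53, "198.51.100.7", 41000, b"\x05hello\x00"),
}

def classify_samples():
    """Return {sample name: True if the rule would alert on it}."""
    return {name: rule_matches(*pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in classify_samples().items():
        print(f"{name:36s} -> {'ALERT' if hit else 'no match'}")
```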