[Snort-sigs] What's wrong with this rule?

Esler, Joel - Contractor joel.esler at ...783...
Fri Aug 6 08:52:06 EDT 2004

I guess my question is, why didn't you use !$DNS_SERVERS??

By taking a look at the rule name, "DNS Server Response" means you
are looking for a DNS server that is NOT yours answering back to a box in
your network.  Then it should be..

alert udp !$DNS_SERVERS 53 -> $INTERNAL_NET any

??  Does this help?


-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of Paul
Sent: Friday, August 06, 2004 11:35 AM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] What's wrong with this rule?

I wrote a rule to capture udp/53 traffic from internal hosts to external
hosts.  (We're trying to see if we have any "rogue" DNS servers on our
campus.)  I didn't want to capture "legitimate" traffic, so I created a
variable, GOOD_DNS, which contains all our known DNS servers in it (var
GOOD_DNS = [x.x.x.x/32,x.x.x.x/32])

Here's the rule that I wrote:

alert udp !$GOOD_DNS 53 -> $EXTERNAL_NET any (msg: "DNS Server response possible rogue DNS server"; content: "|69 6E 2D 61 64 64 72 04 61 72 70 61|"; classtype:misc-activity; sid: 100000110; rev:1;)

But *all* the alerts this rule triggers are from ephemeral ports locally
to port 53 external?  What the heck did I do wrong?

Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
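The direction question in the exchange above, as an added example that is not part of the thread: a small Python model of how a Snort rule header is intended to match (variables, "!" negation, address lists, ports, the one-way "->" operator), run over constructed flows to show which traffic Paul's header and Joel's suggested header each describe. It models the documented header semantics only, not Snort's engine, and every address, variable value and flow in it is an assumption.

```python
# Added example, not from the thread: a model of how a Snort rule header (any, $VAR,
# '!' negation, [a,b] lists, ports, '->' direction) is meant to match. Constructed data.
import ipaddress

VARS = {  # stand-in for the 'var' lines in snort.conf (constructed values)
    "GOOD_DNS": "[192.0.2.10/32,192.0.2.11/32]",
    "DNS_SERVERS": "[192.0.2.10/32,192.0.2.11/32]",
    "INTERNAL_NET": "192.0.2.0/24",
    "EXTERNAL_NET": "!$INTERNAL_NET",
}

def addr_matches(spec, ip):
    """True if ip is covered by an address spec (any, $VAR, !spec, [a,b,...], CIDR)."""
    negate = False
    while spec.startswith("!"):  # each '!' flips the sense of the match
        negate, spec = not negate, spec[1:]
    if spec == "any":
        hit = True
    elif spec.startswith("$"):
        hit = addr_matches(VARS[spec[1:]], ip)
    elif spec.startswith("["):
        hit = any(addr_matches(s, ip) for s in spec[1:-1].split(","))
    else:
        hit = ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate

def port_matches(spec, port):
    """True if port is covered by a port spec (any, N or !N)."""
    return spec == "any" or (int(spec.lstrip("!")) == port) != spec.startswith("!")

def header_matches(header, flow):
    """header: 'proto src sport -> dst dport'; flow: (proto, src_ip, src_port, dst_ip, dst_port).
    Only the one-way '->' operator is modelled, so src/sport must be the sender side."""
    proto, src, sport, _arrow, dst, dport = header.split()
    fproto, sip, sp, dip, dp = flow
    return (proto == fproto and addr_matches(src, sip) and port_matches(sport, sp)
            and addr_matches(dst, dip) and port_matches(dport, dp))

PAULS_HEADER = "udp !$GOOD_DNS 53 -> $EXTERNAL_NET any"
JOELS_HEADER = "udp !$DNS_SERVERS 53 -> $INTERNAL_NET any"
FLOWS = {  # constructed flows: (proto, src_ip, src_port, dst_ip, dst_port)
    "internal host queries outside resolver": ("udp", "192.0.2.50", 41234, "198.51.100.5", 53),
    "outside resolver answers internal host": ("udp", "198.51.100.5", 53, "192.0.2.50", 41234),
    "known campus server answers internal host": ("udp", "192.0.2.10", 53, "192.0.2.50", 41234),
    "unknown campus box answers outside host": ("udp", "192.0.2.77", 53, "198.51.100.5", 41234),
}

def evaluate(header):
    """Map each sample flow name to whether the header describes that flow."""
    return {name: header_matches(header, flow) for name, flow in FLOWS.items()}
```

Under this model Paul's header describes only an unlisted campus host answering from port 53 outward, and Joel's describes only an outside server answering from port 53 inward; neither describes a query leaving an ephemeral port for port 53.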
