[Snort-sigs] What's wrong with this rule?

sekure sekure at ...2420...
Fri Aug 6 10:22:00 EDT 2004


Perhaps your $EXTERNAL_NET is not defined properly.
If it's just defined as "any" then it'll include internal hosts in it
and you'll capture traffic from ANY DNS server (except the GOOD_DNS)
to any host.
If it's defined as "!$HOME_NET" then make sure that $HOME_NET includes
ALL of the internal hosts.

Other than that, I think it looks good.

On Fri, 06 Aug 2004 10:35:14 -0500, Paul Schmehl <pauls at ...1311...> wrote:
> I wrote a rule to capture udp/53 traffic from internal hosts to external
> hosts.  (We're trying to see if we have any "rogue" DNS servers on our
> campus.)  I didn't want to capture "legitimate" traffic, so I created a
> variable, GOOD_DNS which contains all our known DNS servers in it (var
> GOOD_DNS = [x.x.x.x/32,x.x.x.x/32])
> 
> Here's the rule that I wrote:
> 
> alert udp !$GOOD_DNS 53 -> $EXTERNAL_NET any (msg: "DNS Server response - possible rogue DNS server"; content: "|69 6E 2D 61 64 64 72 04 61 72 70 61|"; classtype:misc-activity; sid: 100000110; rev:1;)
> 
> But *all* the alerts this rule triggers are from ephemeral ports locally to
> port 53 external?  What the heck did I do wrong?
> 
> Paul Schmehl (pauls at ...1311...)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/ir/security/
> 
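As an added illustration, not code from this thread and not Snort's own engine: a small Python model of how the rule header's address variables resolve, run over constructed packets under both of the $EXTERNAL_NET definitions discussed above ("any" and "!$HOME_NET"). The variable contents, addresses and payloads are made-up placeholders; the model evaluates the `->` operator strictly per packet and covers only the header plus the `content` match (the hex in the rule decodes to "in-addr" 0x04 "arpa", the DNS label form of in-addr.arpa), so it shows what the header selects under each definition rather than reproducing any particular Snort version's behaviour.

```python
import ipaddress
from dataclasses import dataclass

# Constructed variable definitions (RFC 1918 / documentation ranges, not the
# poster's real addresses). EXTERNAL_NET is supplied per scenario below.
BASE_VARS = {
    "HOME_NET": "[10.0.0.0/8]",
    "GOOD_DNS": "[10.0.1.53/32,10.0.2.53/32]",
}

# The rule header from the thread, plus its content match decoded from hex:
# "in-addr" 0x04 "arpa" is the DNS label encoding of in-addr.arpa.
RULE_HEADER = "udp !$GOOD_DNS 53 -> $EXTERNAL_NET any"
RULE_CONTENT = bytes.fromhex("69 6E 2D 61 64 64 72 04 61 72 70 61")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


def resolve_addr(spec, env):
    """Expand a Snort-style address spec to (negated, networks).

    networks is None for 'any'. Accepts '$VAR', a CIDR, or a [a,b,...] list,
    each optionally prefixed with '!'. A '!' on the reference and a '!' inside
    the variable's value cancel out, as in Snort."""
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec == "any":
        return negated, None
    if spec.startswith("$"):
        inner_negated, nets = resolve_addr(env[spec[1:]], env)
        return negated ^ inner_negated, nets
    items = spec.strip("[]").split(",")
    return negated, [ipaddress.ip_network(item.strip()) for item in items]


def addr_matches(spec, ip, env):
    negated, nets = resolve_addr(spec, env)
    hit = True if nets is None else any(ipaddress.ip_address(ip) in n for n in nets)
    return hit != negated


def port_matches(spec, port):
    spec = spec.strip()
    if spec == "any":
        return True
    negated = spec.startswith("!")
    return (int(spec.lstrip("!")) == port) != negated


def rule_matches(pkt, env, header=RULE_HEADER, content=RULE_CONTENT):
    """Directional header + content match. The protocol field is ignored
    because every sample here is UDP; preprocessors and flow state are not
    modelled."""
    proto, src, sport, arrow, dst, dport = header.split()
    if arrow != "->":
        raise ValueError("only the -> operator is modelled")
    return (addr_matches(src, pkt.src, env) and port_matches(sport, pkt.sport)
            and addr_matches(dst, pkt.dst, env) and port_matches(dport, pkt.dport)
            and content in pkt.payload)


# Constructed sample packets, each carrying the in-addr.arpa label in its payload.
PTR_BYTES = b"\x07in-addr\x04arpa\x00"
SAMPLES = {
    "unlisted_internal_ns_to_internal_client": Packet("10.0.5.5", 53, "10.0.7.7", 40000, PTR_BYTES),
    "unlisted_internal_ns_to_outside":        Packet("10.0.5.5", 53, "198.51.100.10", 40000, PTR_BYTES),
    "good_dns_to_outside":                    Packet("10.0.1.53", 53, "198.51.100.10", 40000, PTR_BYTES),
    "internal_client_query_out":              Packet("10.0.7.7", 40000, "198.51.100.10", 53, PTR_BYTES),
}


def which_match(external_net):
    """Evaluate the rule over SAMPLES with EXTERNAL_NET set to the given text."""
    env = dict(BASE_VARS, EXTERNAL_NET=external_net)
    return {name: rule_matches(pkt, env) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for definition in ("any", "!$HOME_NET"):
        print(f"EXTERNAL_NET = {definition}")
        for name, hit in which_match(definition).items():
            print(f"  {'ALERT' if hit else '  -  '} {name}")
```

With EXTERNAL_NET set to "any", an unlisted internal name server answering an internal client is selected alongside one answering an outside host, which is the over-capture the reply warns about; with "!$HOME_NET", only the answer leaving HOME_NET is selected. In both configurations the client query from an ephemeral port to remote port 53 fails the source-port test of this header, so this toy does not reproduce the alerts the poster observed; it only shows what the header as written asks for.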
