[Snort-sigs] Odd Byte Tests in BLACKLIST DNS request for known malware domain rules

Christopher Granger chrisgrangerx at ...2420...
Thu Oct 13 22:06:13 EDT 2011


Hi,

I noticed that for the "BLACKLIST DNS request for known malware domain"
rules, some strange byte_test checks appear to be made. E.g. sid:16887,

1) byte_test:1,!&,64,2; -> test for Opcode not 8 (reserved Opcode)?

2) byte_test:1,!&,32,2; -> test for Opcode not 4 (Notify)

3) byte_test:1,!&,16,2; -> test for Opcode not 2 (Server status request)

4) byte_test:1,!&,8,2; -> test for Opcode not 1 (Inverse query)

Most, if not all, of the "BLACKLIST DNS request for known malware domain"
rules appear to use these byte tests, except for the TDL-4 rules, which
appear to be testing for Opcodes not set to 15 (Reserved):
byte_test:1,!&,0x78,2;

Are these the intended checks for these rules?

Thanks,
Chris Granger
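As an added illustration (not part of Chris's message and not code from the Snort ruleset), the following Python models byte_test's `&` and `!&` operators against the DNS header flags byte and evaluates the masks quoted above for every opcode value. Per RFC 1035 section 4.1.1, byte 2 of the DNS header is laid out as QR | Opcode (4 bits) | AA | TC | RD, so masks 64, 32, 16 and 8 each cover a single opcode bit and 0x78 covers all four at once; the example lets a rule writer confirm what a given combination of masks accepts or rejects. The header builder, the `byte_test` model and the test tables are constructed for this example.

```python
"""Model Snort byte_test bit-mask checks against the DNS header flags byte.

Constructed example: builds minimal 12-byte DNS headers with a chosen
Opcode and evaluates the byte_test masks from the question against them.
"""

# Byte 2 of the DNS header (RFC 1035 4.1.1): QR(1) | Opcode(4) | AA(1) | TC(1) | RD(1)
OPCODE_MASK = 0x78  # bits 3..6 of byte 2


def build_dns_header(opcode: int, qr: int = 0, rd: int = 1, txid: int = 0x1234) -> bytes:
    """Constructed DNS header (12 bytes) carrying the given Opcode, QDCOUNT=1."""
    if not 0 <= opcode <= 15:
        raise ValueError("opcode must fit in 4 bits")
    flags_hi = (qr << 7) | (opcode << 3) | (rd & 1)
    flags_lo = 0  # RA, Z, RCODE all zero
    return bytes([txid >> 8, txid & 0xFF, flags_hi, flags_lo, 0, 1, 0, 0, 0, 0, 0, 0])


def byte_test(payload: bytes, size: int, operator: str, value: int, offset: int) -> bool:
    """Minimal model of Snort's byte_test for the '&' and '!&' operators.

    Reads `size` big-endian bytes at `offset` from the payload start and
    returns True when the test succeeds. Other operators (=, <, >) are not modelled.
    """
    if offset < 0 or offset + size > len(payload):
        return False  # not enough bytes: the test cannot match
    field = int.from_bytes(payload[offset:offset + size], "big")
    if operator == "&":
        return (field & value) != 0
    if operator == "!&":
        return (field & value) == 0
    raise ValueError(f"operator {operator!r} not modelled")


def opcode_of(payload: bytes) -> int:
    """Extract the 4-bit Opcode from byte 2 of a DNS header."""
    return (payload[2] & OPCODE_MASK) >> 3


# The four single-bit tests quoted from sid:16887 (size, operator, value, offset).
SID_16887_TESTS = [
    (1, "!&", 64, 2),  # opcode bit with value 8 must be clear
    (1, "!&", 32, 2),  # opcode bit with value 4 must be clear
    (1, "!&", 16, 2),  # opcode bit with value 2 must be clear
    (1, "!&", 8, 2),   # opcode bit with value 1 must be clear
]

# The combined test quoted for the TDL-4 rules.
TDL4_TEST = (1, "!&", 0x78, 2)  # all four opcode bits must be clear


def passes_all(payload: bytes, tests) -> bool:
    """True only if every byte_test in `tests` succeeds (Snort ANDs rule options)."""
    return all(byte_test(payload, *t) for t in tests)


def opcode_matrix() -> dict:
    """For each Opcode 0..15, report (four-mask result, 0x78-mask result)."""
    rows = {}
    for opcode in range(16):
        pkt = build_dns_header(opcode)
        rows[opcode] = (passes_all(pkt, SID_16887_TESTS), byte_test(pkt, *TDL4_TEST))
    return rows


if __name__ == "__main__":
    for opcode, (four_masks, one_mask) in opcode_matrix().items():
        print(f"opcode {opcode:2d}: four single-bit tests={four_masks}  0x78 test={one_mask}")
```

Running the table shows that the four single-bit `!&` tests and the single `0x78` test accept exactly the same headers (only Opcode 0, a standard query), and that neither form looks at the QR or RD bits, so a response with QR set and Opcode 0 passes the Opcode checks too.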

