[Snort-sigs] Odd Byte Tests in BLACKLIST DNS request for known malware domain rules

Christopher Granger chrisgrangerx at ...2420...
Thu Oct 13 22:26:20 EDT 2011


I just found this
http://www.snort.org/assets/174/SnortUsersWebcast-Rules_pt2.pdf which clued
me in that the four byte tests done in most of the BLACKLIST DNS rules are
probably intended to be equivalent to the single byte test done in the TDL-4
rules, which appears to be a check for Opcodes not being set to 15?

Thanks again,
Chris

On Thu, Oct 13, 2011 at 10:06 PM, Christopher Granger <
chrisgrangerx at ...2420...> wrote:

> Hi,
>
> I noticed that for the "BLACKLIST DNS request for known malware domain"
> rules, some strange byte_test checks appear to be made. E.g. sid:16887,
>
> 1) byte_test:1,!&,64,2; -> test for Opcode not 8 (reserved Opcode)?
>
> 2) byte_test:1,!&,32,2; -> test for Opcode not 4 (Notify)
>
> 3) byte_test:1,!&,16,2; -> test for Opcode not 2 (Server status request)
>
> 4) byte_test:1,!&,8,2; -> test for Opcode not 1 (Inverse query)
>
> Most if not all of the "BLACKLIST DNS request for known malware domain"
> rules use these byte tests it appears, except for the TDL-4 rules, which
> appear to be testing for Opcodes not set to 15 (Reserved) -->
> byte_test:1,!&,0x78,2;
>
> Are these the intended checks for these rules?
>
> Thanks,
> Chris Granger
>
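The following is an added example, not code from the mailing-list thread or from the Snort rule set. It models the semantics of Snort's `byte_test` `&` operator (the test is true when the extracted byte ANDed with the value is non-zero; a leading `!` inverts it) and applies the two rule forms quoted above, the four separate tests from sid:16887 and the single `0x78` test from the TDL-4 rules, to byte 2 of a DNS message, which is the high byte of the flags word where the 4-bit Opcode field sits. The function names, the constructed DNS headers and the `DNS_OPCODE_MASK` constant are this example's own assumptions; the check that an out-of-range offset fails the test reflects Snort's documented behaviour but is modelled here, not taken from Snort's source.

```python
# Added example (not from the snort-sigs post or the Snort rules): model
# byte_test:1,[!]&,<value>,<offset> and evaluate the two rule forms from the
# thread against every possible DNS Opcode value.
import struct

# DNS flags word (RFC 1035 s4.1.1): QR(1) Opcode(4) AA(1) TC(1) RD(1) | RA(1) Z(3) RCODE(4)
# In the high byte: QR=0x80, Opcode bits=0x40|0x20|0x10|0x08, AA=0x04, TC=0x02, RD=0x01
DNS_OPCODE_MASK = 0x78  # constructed name for the four Opcode bits


def byte_test_and(payload: bytes, value: int, offset: int, negate: bool = False) -> bool:
    """Model of Snort byte_test:1,&,<value>,<offset> on a 1-byte field.

    '&' is true when (byte & value) != 0; negate=True models the '!&' form.
    If the byte lies outside the payload the test fails (no match), which is
    how Snort treats an out-of-range offset (modelled here, not Snort's code).
    """
    if offset < 0 or offset >= len(payload):
        return False
    result = (payload[offset] & value) != 0
    return (not result) if negate else result


def four_test_form(payload: bytes) -> bool:
    """The sid:16887 style:
    byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2;
    All four must hold for the rule to continue matching."""
    return all(byte_test_and(payload, bit, 2, negate=True) for bit in (64, 32, 16, 8))


def single_test_form(payload: bytes) -> bool:
    """The TDL-4 style: byte_test:1,!&,0x78,2;"""
    return byte_test_and(payload, DNS_OPCODE_MASK, 2, negate=True)


def build_dns_header(opcode: int, txid: int = 0x1234, rd: int = 1, qdcount: int = 1) -> bytes:
    """Construct a 12-byte DNS header (constructed sample, no question section)."""
    flags = ((opcode & 0xF) << 11) | ((rd & 1) << 8)
    return struct.pack(">HHHHHH", txid, flags, qdcount, 0, 0, 0)


def opcodes_passing():
    """Return (opcodes accepted by the four-test form, opcodes accepted by the
    single-test form) over all 16 possible Opcode values."""
    four = [op for op in range(16) if four_test_form(build_dns_header(op))]
    single = [op for op in range(16) if single_test_form(build_dns_header(op))]
    return four, single


def forms_equivalent() -> bool:
    """True when both forms accept exactly the same set of Opcode values."""
    four, single = opcodes_passing()
    return four == single


if __name__ == "__main__":
    four, single = opcodes_passing()
    print("four-test form accepts Opcodes:", four)
    print("single-test form accepts Opcodes:", single)
    print("equivalent:", forms_equivalent())
    # A truncated payload (shorter than 3 bytes) never satisfies either form.
    print("truncated payload passes:", single_test_form(b"\x12\x34"))
```

Running it shows that both forms accept exactly one Opcode value (0, a standard QUERY) and reject every other value, so the two are equivalent with respect to the Opcode field; the RD, AA and TC bits in the same byte are untouched by either form and do not affect the result. The short-payload case is included because a rule that relies on `byte_test` at offset 2 simply stops matching when the packet is too short, which is worth remembering when reading why a detection did not fire.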