[Snort-sigs] Odd Byte Tests in BLACKLIST DNS request for known malware domain rules

Christopher Granger chrisgrangerx at ...2420...
Thu Oct 13 22:51:27 EDT 2011


Sorry for the FP :) So they're equivalent checks that the Opcode = 0
(Standard query)

On Thu, Oct 13, 2011 at 10:26 PM, Christopher Granger <chrisgrangerx at ...2420...> wrote:

> I just found this
> http://www.snort.org/assets/174/SnortUsersWebcast-Rules_pt2.pdf which
> clued me in that the four byte tests done in most of the BLACKLIST DNS rules
> are probably intended to be equivalent to the single byte test done in the
> TDL-4 rules, which appears to be a check for Opcodes not being set to 15?
>
> Thanks again,
> Chris
>
>
> On Thu, Oct 13, 2011 at 10:06 PM, Christopher Granger <chrisgrangerx at ...2420...> wrote:
>
>> Hi,
>>
>> I noticed that for the "BLACKLIST DNS request for known malware domain"
>> rules, some strange byte_test checks appear to be made. E.g. sid:16887,
>>
>> 1) byte_test:1,!&,64,2; -> test for Opcode not 8 (reserved Opcode)?
>>
>> 2) byte_test:1,!&,32,2; -> test for Opcode not 4 (Notify)
>>
>> 3) byte_test:1,!&,16,2; -> test for Opcode not 2 (Server status request)
>>
>> 4) byte_test:1,!&,8,2; -> test for Opcode not 1 (Inverse query)
>>
>> Most if not all of the "BLACKLIST DNS request for known malware domain"
>> rules use these byte tests it appears, except for the TDL-4 rules, which
>> appear to be testing for Opcodes not set to 15 (Reserved) -->
>> byte_test:1,!&,0x78,2;
>>
>> Are these the intended checks for these rules?
>>
>> Thanks,
>> Chris Granger
>>
>
>
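An added example, not part of the original thread: a Python emulation of Snort's byte_test:1,!&,<mask>,2 run over a constructed 12-byte DNS header, showing that the four separate tests (masks 64, 32, 16, 8) and the single 0x78 test from the TDL-4 rules both match exactly the headers whose Opcode field is 0 (standard query). The emulation helper, the header builder and the sample values are assumptions of this example, not Snort code.

```python
import struct

# DNS header flags (RFC 1035): byte 2 of the message is
#   QR(1 bit) | Opcode(4 bits) | AA | TC | RD
# so the Opcode occupies the bits 0x78 (= 64|32|16|8) of that byte.
OPCODE_MASK = 0x78


def byte_test_not_and(payload: bytes, mask: int, offset: int) -> bool:
    """Emulate Snort byte_test:1,!&,<mask>,<offset> (assumed semantics).

    Reads one byte at <offset> from the payload start and succeeds only
    when none of the bits in <mask> are set in that byte.
    """
    if offset >= len(payload):
        return False  # nothing to read: the test cannot match
    return (payload[offset] & mask) == 0


def blacklist_rule_checks(payload: bytes) -> bool:
    """The four separate tests quoted from sid:16887-style rules."""
    return all(byte_test_not_and(payload, mask, 2) for mask in (64, 32, 16, 8))


def tdl4_rule_check(payload: bytes) -> bool:
    """The single byte_test:1,!&,0x78,2 used in the TDL-4 rules."""
    return byte_test_not_and(payload, OPCODE_MASK, 2)


def dns_opcode(payload: bytes) -> int:
    """Decode the Opcode field from a DNS header."""
    return (payload[2] & OPCODE_MASK) >> 3


def build_dns_header(opcode: int, txid: int = 0x1234, rd: bool = True) -> bytes:
    """Constructed sample: a 12-byte DNS query header with the given Opcode."""
    flags = ((opcode & 0xF) << 11) | (int(rd) << 8)
    # ID, flags, QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)


def checks_agree_for_all_opcodes() -> bool:
    """True if both rule styles match exactly the Opcode-0 headers, for all 16 Opcodes."""
    for opcode in range(16):
        hdr = build_dns_header(opcode)
        expected = dns_opcode(hdr) == 0
        if blacklist_rule_checks(hdr) != expected or tdl4_rule_check(hdr) != expected:
            return False
    return True
```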