[Snort-sigs] Odd Byte Tests in BLACKLIST DNS request for known malware domain rules
chrisgrangerx at ...2420...
Sat Oct 15 02:32:40 EDT 2011
I noticed that the somewhat counter-intuitive way byte_test works with
bitwise operators doesn't appear to be documented in the Users Manual. I did
find it in the referenced Snort webcast document (
http://www.snort.org/assets/174/SnortUsersWebcast-Rules_pt2.pdf), and it
accounts for the equivalence of the two kinds of byte_tests in the BLACKLIST
known malware domain rules: "On any byte_test, a non-zero response is a
Could this please be added for inclusion in a future copy of the manual?
On Thu, Oct 13, 2011 at 10:51 PM, Christopher Granger <
chrisgrangerx at ...2420...> wrote:
> Sorry for the FP :) So they're equivalent checks that the Opcode = 0
> (Standard query)
> On Thu, Oct 13, 2011 at 10:26 PM, Christopher Granger <
> chrisgrangerx at ...2420...> wrote:
>> I just found this
>> http://www.snort.org/assets/174/SnortUsersWebcast-Rules_pt2.pdf which
>> clued me in that the four byte tests done in most of the BLACKLIST DNS rules
>> are probably intended to be equivalent to the single byte test done in the
>> TDL-4 rules, which appears to be a check for Opcodes not being set to 15?
>> Thanks again,
>> On Thu, Oct 13, 2011 at 10:06 PM, Christopher Granger <
>> chrisgrangerx at ...2420...> wrote:
>>> I noticed that for the "BLACKLIST DNS request for known malware domain"
>>> rules, some strange byte_test checks appear to be made. E.g. sid:16887,
>>> 1) byte_test:1,!&,64,2; -> test for Opcode not 8 (reserved Opcode)?
>>> 2) byte_test:1,!&,32,2; -> test for Opcode not 4 (Notify)
>>> 3) byte_test:1,!&,16,2; -> test for Opcode not 2 (Server status request)
>>> 4) byte_test:1,!&,8,2; -> test for Opcode not 1 (Inverse query)
>>> Most if not all of the "BLACKLIST DNS request for known malware domain"
>>> rules use these byte tests it appears, except for the TDL-4 rules, which
>>> appear to be testing for Opcodes not set to 15 (Reserved) -->
>>> Are these the intended checks for these rules?
>>> Chris Granger
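As an added illustration (not part of this thread or the Snort rule set), the following Python models byte_test's `&` and `!&` operators the way the referenced webcast describes them and applies them to the DNS header flags byte at offset 2, showing that the four single-bit `!&` tests quoted from sid:16887 and one masked test collapse to the same check, Opcode == 0. Assumptions: the single-test form is modelled with mask 120 (0x78 = 64|32|16|8) since the thread does not quote the TDL-4 rule's exact value, and the DNS headers are constructed here.

```python
# Added example, not code from the Snort-sigs thread or the Snort project.
# Models Snort byte_test with the bitwise operators "&" and "!&" on the DNS
# header flags byte (offset 2) to show why the four single-bit tests in the
# BLACKLIST DNS rules are equivalent to one masked test for Opcode == 0.
# Assumption: the TDL-4 rules' single test is modelled as mask 120 (0x78);
# the thread does not quote that rule's actual value.
import struct

# DNS header byte 2 layout: QR(bit7) Opcode(bits 6..3) AA(bit2) TC(bit1) RD(bit0)


def byte_test(payload: bytes, size: int, operator: str, value: int, offset: int) -> bool:
    """Evaluate a Snort byte_test (big-endian, unsigned) on payload.

    Only the bitwise operators discussed in the thread are modelled. Per the
    webcast cited there, a bitwise test is true when the AND result is
    non-zero; the '!' prefix negates that.
    """
    field = int.from_bytes(payload[offset:offset + size], "big")
    if operator == "&":
        return (field & value) != 0
    if operator == "!&":
        return (field & value) == 0
    raise ValueError(f"operator not modelled: {operator}")


def dns_opcode(payload: bytes) -> int:
    """Extract the 4-bit Opcode from the DNS header flags."""
    return (payload[2] >> 3) & 0x0F


def blacklist_style_match(payload: bytes) -> bool:
    """The four byte_tests quoted from sid:16887, all at offset 2."""
    return all(byte_test(payload, 1, "!&", mask, 2) for mask in (64, 32, 16, 8))


def single_mask_match(payload: bytes) -> bool:
    """One masked test over the same four bits (assumed form of the TDL-4 check)."""
    return byte_test(payload, 1, "!&", 120, 2)


def make_dns_header(opcode: int, qr: int = 0, rd: int = 1) -> bytes:
    """Constructed 12-byte DNS header (txid 0x1234, one question) with the given Opcode."""
    flags = (qr << 15) | ((opcode & 0x0F) << 11) | (rd << 8)
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)


if __name__ == "__main__":
    for op in range(16):  # every possible Opcode value
        hdr = make_dns_header(op)
        assert blacklist_style_match(hdr) == single_mask_match(hdr) == (op == 0)
    print("four single-bit !& tests == one 0x78 !& test == Opcode 0, for all 16 opcodes")
```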