[Snort-sigs] Odd Byte Tests in BLACKLIST DNS request for known malware domain rules

Christopher Granger chrisgrangerx at ...2420...
Sat Oct 15 02:32:40 EDT 2011


Hi VRT,

I noticed that the somewhat counter-intuitive way byte_test works with
bitwise operators doesn't appear to be documented in the Users Manual. I did
find it in the referenced Snort webcast document (
http://www.snort.org/assets/174/SnortUsersWebcast-Rules_pt2.pdf), and it
accounts for the equivalence of the two kinds of byte_tests in the BLACKLIST
known malware domain rules: "On any byte_test, a non-zero response is a
success"

Could this please be added for inclusion in a future copy of the manual?

Thank you,
-Chris

On Thu, Oct 13, 2011 at 10:51 PM, Christopher Granger <
chrisgrangerx at ...2420...> wrote:

> Sorry for the FP :) So they're equivalent checks that the Opcode = 0
> (Standard query)
>
>
> On Thu, Oct 13, 2011 at 10:26 PM, Christopher Granger <
> chrisgrangerx at ...2420...> wrote:
>
>> I just found this
>> http://www.snort.org/assets/174/SnortUsersWebcast-Rules_pt2.pdf which
>> clued me in that the four byte tests done in most of the BLACKLIST DNS rules
>> are probably intended to be equivalent to the single byte test done in the
>> TDL-4 rules, which appears to be a check for Opcodes not being set to 15?
>>
>> Thanks again,
>> Chris
>>
>>
>> On Thu, Oct 13, 2011 at 10:06 PM, Christopher Granger <
>> chrisgrangerx at ...2420...> wrote:
>>
>>> Hi,
>>>
>>> I noticed that for the "BLACKLIST DNS request for known malware domain"
>>> rules, some strange byte_test checks appear to be made. E.g. sid:16887,
>>>
>>> 1) byte_test:1,!&,64,2; -> test for Opcode not 8 (reserved Opcode)?
>>>
>>> 2) byte_test:1,!&,32,2; -> test for Opcode not 4 (Notify)
>>>
>>> 3) byte_test:1,!&,16,2; -> test for Opcode not 2 (Server status request)
>>>
>>> 4) byte_test:1,!&,8,2; -> test for Opcode not 1 (Inverse query)
>>>
>>> Most if not all of the "BLACKLIST DNS request for known malware domain"
>>> rules use these byte tests it appears, except for the TDL-4 rules, which
>>> appear to be testing for Opcodes not set to 15 (Reserved) -->
>>> byte_test:1,!&,0x78,2;
>>>
>>> Are these the intended checks for these rules?
>>>
>>> Thanks,
>>> Chris Granger
>>>
>>
>>
>
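The rule semantics discussed in this thread can be checked mechanically. The following is an added example (it is not code from the post, from VRT, or from Snort itself): a small Python emulation of `byte_test` that follows the two documented properties, that a non-zero result of the `&` operator is a success and that a leading `!` negates the test. It evaluates the four single-bit tests from the sid:16887-style rules and the single `0x78` test from the TDL-4 rules against a constructed DNS header, and then sweeps every possible value of the flags byte at offset 2 to confirm that both forms match exactly when the DNS Opcode is 0 (standard query). The helper names `byte_test`, `rule_matches`, `build_dns_header` and `dns_opcode` are this example's own.

```python
import struct

# Emulation of Snort's byte_test:<bytes>,[!]<operator>,<value>,<offset>.
# Only the operators needed here are implemented; the bitwise ones follow
# the webcast's rule: "on any byte_test, a non-zero response is a success".
def byte_test(payload, nbytes, operator, value, offset, negate=False):
    if offset + nbytes > len(payload):
        return False                       # field not present, test fails
    field = int.from_bytes(payload[offset:offset + nbytes], "big")
    if operator == "&":
        result = (field & value) != 0      # bitwise AND, non-zero succeeds
    elif operator == "^":
        result = (field ^ value) != 0      # bitwise XOR, non-zero succeeds
    elif operator == "=":
        result = field == value
    elif operator == ">":
        result = field > value
    elif operator == "<":
        result = field < value
    else:
        raise ValueError("unsupported operator: %r" % operator)
    return (not result) if negate else result

# byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2;
FOUR_BIT_TESTS = [
    (1, "&", 64, 2, True),
    (1, "&", 32, 2, True),
    (1, "&", 16, 2, True),
    (1, "&", 8, 2, True),
]

# byte_test:1,!&,0x78,2;  (0x78 = 64 | 32 | 16 | 8, the four Opcode bits)
TDL4_TEST = [(1, "&", 0x78, 2, True)]

def rule_matches(payload, tests):
    """All byte_tests in a rule are ANDed together, as in a Snort rule body."""
    return all(byte_test(payload, n, op, v, off, neg) for n, op, v, off, neg in tests)

def dns_opcode(payload):
    """Opcode is bits 6..3 of the first flags byte (offset 2) of the DNS header."""
    return (payload[2] >> 3) & 0x0F

def build_dns_header(txid, opcode, rd=True):
    """Constructed 12-byte DNS header: ID, flags, QDCOUNT=1, AN/NS/AR=0."""
    flags_hi = ((opcode & 0x0F) << 3) | (1 if rd else 0)   # QR=0, AA=0, TC=0, RD
    return struct.pack(">HBBHHHH", txid, flags_hi, 0x00, 1, 0, 0, 0)

def equivalent_over_all_flag_bytes():
    """Sweep every value of the flags byte: both rule forms must agree with
    each other and with 'Opcode == 0' for all 256 cases."""
    for flags in range(256):
        pkt = bytes([0x12, 0x34, flags, 0x00]) + bytes(8)   # constructed header
        four = rule_matches(pkt, FOUR_BIT_TESTS)
        tdl4 = rule_matches(pkt, TDL4_TEST)
        if four != tdl4 or four != (dns_opcode(pkt) == 0):
            return False
    return True

if __name__ == "__main__":
    for opcode, name in [(0, "QUERY"), (1, "IQUERY"), (2, "STATUS"),
                         (4, "NOTIFY"), (8, "reserved"), (15, "reserved")]:
        pkt = build_dns_header(0x1234, opcode)
        print("opcode %2d %-9s four-bit:%-5s 0x78:%-5s" % (
            opcode, name, rule_matches(pkt, FOUR_BIT_TESTS), rule_matches(pkt, TDL4_TEST)))
    print("equivalent for all flag bytes:", equivalent_over_all_flag_bytes())
```

The sweep is the useful part: it shows that the four `!&` tests and the single `!&,0x78` test are not merely similar but identical as predicates, and that what they encode is "Opcode is 0", not "Opcode is not 8/4/2/1" or "not 15" as the individual bit values suggest at first glance.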