[Snort-sigs] Odd Byte Tests in BLACKLIST DNS request for known malware domain rules

Joel Esler jesler at ...435...
Sat Oct 15 08:54:33 EDT 2011


Yup. I'll put it in a bug. Thanks. 

-- 
Joel Esler

On Oct 15, 2011, at 2:32 AM, Christopher Granger <chrisgrangerx at ...2420...> wrote:

> Hi VRT,
> 
> I noticed that the somewhat counter-intuitive way byte_test works with bitwise operators doesn't appear to be documented in the Users Manual. I did find it in the referenced Snort webcast document (http://www.snort.org/assets/174/SnortUsersWebcast-Rules_pt2.pdf), and it accounts for the equivalence of the two kinds of byte_tests in the BLACKLIST known malware domain rules: "On any byte_test, a non-zero response is a success"
> 
> Could this please be added for inclusion in a future copy of the manual? 
> 
> Thank you,
> -Chris
> 
> On Thu, Oct 13, 2011 at 10:51 PM, Christopher Granger <chrisgrangerx at ...1447...420...> wrote:
> Sorry for the FP :) So they're equivalent checks that the Opcode = 0 (Standard query)
> 
> 
> On Thu, Oct 13, 2011 at 10:26 PM, Christopher Granger <chrisgrangerx at ...1447...420...> wrote:
> I just found this http://www.snort.org/assets/174/SnortUsersWebcast-Rules_pt2.pdf which clued me in that the four byte tests done in most of the BLACKLIST DNS rules is probably intended to be equivalent to the single byte test done in the TDL-4 rules, which appears to be a check for Opcodes not being set to 15?
> 
> Thanks again,
> Chris 
> 
> 
> On Thu, Oct 13, 2011 at 10:06 PM, Christopher Granger <chrisgrangerx at ...1447...420...> wrote:
> Hi,
> 
> I noticed that for the "BLACKLIST DNS request for known malware domain" rules, some strange byte_test checks appear to be made. E.g. sid:16887:
> 
> 1) byte_test:1,!&,64,2; -> test for Opcode not 8 (reserved Opcode)?
> 
> 2) byte_test:1,!&,32,2; -> test for Opcode not 4 (Notify)
> 
> 3) byte_test:1,!&,16,2; -> test for Opcode not 2 (Server status request)
> 
> 4) byte_test:1,!&,8,2; -> test for Opcode not 1 (Inverse query)
> 
> Most if not all of the "BLACKLIST DNS request for known malware domain" rules use these byte tests it appears, except for the TDL-4 rules, which appear to be testing for Opcodes not set to 15 (Reserved) --> byte_test:1,!&,0x78,2;
> 
> Are these the intended checks for these rules?
> 
> Thanks,
> Chris Granger
> 
> 
> 
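The point Chris arrived at in the thread (the four `!&` byte_tests on the DNS flags byte are equivalent to the single `!&,0x78` test, and both succeed only when the Opcode is 0, because a `&` byte_test succeeds on a non-zero result and `!` inverts it) is easy to confirm by re-implementing the relevant byte_test semantics and checking every possible flags byte. The following is an added example for this archive page, not code from the thread or from the Snort project; the `byte_test` function models only the `&`, `!&`, `=` and `!=` operators with a payload-relative offset, and `build_dns_query` constructs a sample DNS query payload for illustration.

```python
import struct

def byte_test(payload: bytes, nbytes: int, op: str, value: int, offset: int) -> bool:
    """Model of Snort's byte_test:<bytes>,<op>,<value>,<offset> for a subset of operators.

    Reads <bytes> bytes at <offset> (relative to the start of the payload here) as a
    big-endian integer. For '&', the test succeeds when (extracted & value) is non-zero;
    a leading '!' inverts the outcome. Assumption: only &, !&, = and != are modelled.
    """
    if offset + nbytes > len(payload):
        return False  # not enough data to read: the option does not match
    extracted = int.from_bytes(payload[offset:offset + nbytes], "big")
    negate = op.startswith("!")
    base_op = op.lstrip("!")
    if base_op == "&":
        result = (extracted & value) != 0  # "a non-zero response is a success"
    elif base_op == "=":
        result = extracted == value
    else:
        raise ValueError(f"unsupported operator {op!r}")
    return (not result) if negate else result

def four_opcode_bit_tests(payload: bytes) -> bool:
    """The four-test chain used by most BLACKLIST DNS rules: each !& test passes
    only when its single Opcode bit in the flags byte (offset 2) is clear."""
    return all(byte_test(payload, 1, "!&", mask, 2) for mask in (64, 32, 16, 8))

def single_opcode_mask_test(payload: bytes) -> bool:
    """The single test used by the TDL-4 rules: passes only when all four Opcode bits are clear."""
    return byte_test(payload, 1, "!&", 0x78, 2)

def dns_opcode(payload: bytes) -> int:
    """Extract the 4-bit Opcode from the first flags byte of a DNS header."""
    return (payload[2] >> 3) & 0x0F

def build_dns_query(opcode: int, qname: str = "example.test") -> bytes:
    """Constructed DNS query payload (UDP, no transport headers) with the given Opcode and RD set."""
    flags = ((opcode & 0x0F) << 11) | 0x0100
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
    question = b"".join(bytes([len(label)]) + label.encode() for label in qname.split(".")) + b"\x00"
    return header + question + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN

def chains_equivalent() -> bool:
    """Exhaustively check that the four-test chain and the 0x78 mask agree for every flags byte."""
    for b in range(256):
        payload = bytes([0x00, 0x00, b, 0x00])
        if four_opcode_bit_tests(payload) != single_opcode_mask_test(payload):
            return False
    return True

if __name__ == "__main__":
    print("four-test chain == 0x78 mask for all 256 flag bytes:", chains_equivalent())
    for opcode in (0, 1, 2, 4, 15):
        p = build_dns_query(opcode)
        print(f"opcode {opcode:2d}: four-test chain={four_opcode_bit_tests(p)} "
              f"0x78 mask={single_opcode_mask_test(p)} parsed opcode={dns_opcode(p)}")
```

Running it shows that both forms match only standard queries (Opcode 0) and reject every other Opcode, which is why the thread's first reading of the individual tests as "Opcode not 8/4/2/1" was replaced by "Opcode = 0": the four tests are ANDed, and together they clear the whole 4-bit field rather than excluding individual values.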

