[Snort-sigs] Advanced DNS rules

Geoffrey Sanders gtsanders_70 at ...144...
Sun Feb 19 15:12:54 EST 2012


I don't think you'll be able to accomplish your use case without bit masking. Think of it as using snort as a tcpdump filter.

http://vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html?m=1

- Geoff

On Feb 19, 2012, at 1:51 PM, Curt Shaffer <cshaffer at ...2420...> wrote:

> I'm looking for some information on way to look for malformed DNS
> packets. Mainly looking for large UDP requests (dsize:>512) that are
> NOT DNSSEC related, and a rule looking for the reserved flag (Z),
> reference here: http://www.networksorcery.com/enp/protocol/dns.htm#Z,
> in the DNS Flags field. I'm having trouble finding decent
> documentation. I have the following:
> 
> Detects large packets, but want this to alert only if we are not using DNSSEC:
> 
> alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:" Inbound Large DNS
> Packet Detected NOT DNSSEC";  dsize:> 512; classtype:dns;  sid:xxxxx;
> rev:1; )
> 
> The following I thought would work for the reserved bit (Z), but I am
> getting alerts even when the bit is not set:
> 
> alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS Reserved Bit
> Set"; content:!"|00|"; offset:25; classtype:dns; sid:9000246; rev:1;)
> 
> Can anyone point me at some documentation for Snort on these topics or
> lend a hand to help see what I'm missing?
> 
> Thanks
> 
> Curt
> 




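As an added example that is not part of this thread (not Geoff's or Curt's code), here is a small Python check that does the same bit-mask test Geoff is pointing at, so the rule offsets can be verified against real packets before they go into a signature. The DNS header occupies the first 12 bytes of the UDP payload and the flags are bytes 2 and 3 of it (RFC 1035); the reserved Z bit is 0x40 in byte 3, which in Snort is `byte_test:1,&,0x40,3;` measured from the start of the payload. The second part walks the message for an EDNS0 OPT pseudo-RR with the DO (DNSSEC OK) bit set (RFC 6891), which is what "DNSSEC related" means on the wire for the large-packet case. `build_message` is a helper that constructs sample messages inline; it is an assumption for demonstration, not captured traffic.

```python
import struct

# DNS header flags, byte 3 of the UDP payload: RA(0x80) Z(0x40) AD(0x20) CD(0x10) RCODE(0x0F)
Z_BIT_MASK = 0x40       # reserved "Z" bit, must be zero per RFC 1035
OPT_TYPE = 41           # EDNS0 OPT pseudo-RR (RFC 6891)
DO_BIT_MASK = 0x8000    # DNSSEC OK flag, carried in the OPT RR's 4-byte "TTL" field
EDNS_PADDING_OPTION = 12  # EDNS(0) Padding option (RFC 7830), used only to inflate samples


def z_bit_set(payload: bytes) -> bool:
    """Same test as the Snort rule option  byte_test:1,&,0x40,3;  on the UDP payload."""
    return len(payload) >= 4 and (payload[3] & Z_BIT_MASK) != 0


def _skip_name(payload: bytes, pos: int) -> int:
    """Advance past a wire-format name (labels or a compression pointer)."""
    while True:
        if pos >= len(payload):
            raise ValueError("truncated name")
        length = payload[pos]
        if length == 0:            # root label terminates the name
            return pos + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return pos + 2
        pos += 1 + length


def has_dnssec_ok(payload: bytes) -> bool:
    """True if the message carries an OPT RR with the DO bit set."""
    if len(payload) < 12:
        return False
    qd, an, ns, ar = struct.unpack("!HHHH", payload[4:12])
    pos = 12
    for _ in range(qd):                      # question: name, type, class
        pos = _skip_name(payload, pos) + 4
    for _ in range(an + ns + ar):            # resource records in the other sections
        pos = _skip_name(payload, pos)
        if pos + 10 > len(payload):
            raise ValueError("truncated RR")
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", payload[pos:pos + 10])
        if rtype == OPT_TYPE and ttl & DO_BIT_MASK:
            return True
        pos += 10 + rdlen
    return False


def classify(payload: bytes) -> dict:
    """The two conditions from the thread: large (dsize:>512) and not DNSSEC, plus the Z bit."""
    return {
        "large": len(payload) > 512,
        "dnssec": has_dnssec_ok(payload),
        "z_bit": z_bit_set(payload),
    }


def build_message(name: str, flags: int = 0x0100, opt=None) -> bytes:
    """Constructed sample: one A/IN question, optionally an OPT RR (do_bit, pad_len)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 1 if opt is not None else 0)
    msg = header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    if opt is not None:
        do_bit, pad_len = opt
        ttl = DO_BIT_MASK if do_bit else 0
        rdata = (struct.pack("!HH", EDNS_PADDING_OPTION, pad_len) + b"\x00" * pad_len) if pad_len else b""
        # OPT RR: root name, type 41, CLASS = advertised UDP payload size (4096)
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, ttl, len(rdata)) + rdata
    return msg


if __name__ == "__main__":
    print("plain query:      ", classify(build_message("example.com")))
    print("Z bit set:        ", classify(build_message("example.com", flags=0x0140)))
    print("large, DNSSEC OK: ", classify(build_message("example.com", opt=(True, 600))))
    print("large, no DNSSEC: ", classify(build_message("example.com", opt=(False, 600))))
```

The Z-bit half maps directly onto a rule option; the DNSSEC half does not, because reaching the OPT RR means walking variable-length names, which is why the reply suggests bit masking for the flag but the "large and not DNSSEC" condition is better judged in a decoder or preprocessor than in plain content matches.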