[Snort-users] Does Signature exist alert on DNS queries to a nameserver.
zultan at ...13388...
Mon Mar 6 13:00:01 EST 2006
Here's the basic syntax. Note the hex number between the pipes. It is the count of the number of following ASCII bytes. For example, freebeertoday.com would be |0d|freebeertoday|03|com
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"amazon.com DNS query"; content:"|06|amazon|03|com"; nocase;)
Sensor placement is critical for this to work. The sensor must be able to see the desktop ask its nameserver(s).
> ----- Original Message -----
> From: "Jacob, Raymond A Jr" <raymond.jacob at ...7622...>
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Does Signature exist alert on DNS queries to a nameserver.
> Date: Mon, 6 Mar 2006 13:14:03 -0500
> Does a signature exist to detect queries for hosts in specific domains to a
> specific name server?
> For example queries for amazon.com that are resolved by our local dns.
> Thank you
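
Added example (not part of the original message, and not Snort project code): a Python helper that builds the length-prefixed content string described in the reply and checks it against constructed query names. It goes beyond the message by showing an optional trailing |00| root label, which stops the pattern from also matching longer names such as amazon.com.example.org; all function names here are assumptions made for this example.

```python
import re

MAX_LABEL = 63  # RFC 1035 limit on the length of one DNS label


def snort_dns_content(domain, anchor_end=False):
    """Encode a domain as length-prefixed labels in Snort content syntax.

    anchor_end=True appends the zero-length root label (|00|) so the
    pattern matches only names that end at this domain.
    """
    parts = []
    for label in domain.strip(".").split("."):
        if not 1 <= len(label) <= MAX_LABEL:
            raise ValueError(f"bad label length: {label!r}")
        if not re.fullmatch(r"[A-Za-z0-9_-]+", label):
            raise ValueError(f"label would need hex escaping: {label!r}")
        parts.append(f"|{len(label):02x}|{label}")
    return "".join(parts) + ("|00|" if anchor_end else "")


def content_bytes(content):
    """Convert Snort content syntax to raw bytes (|..| spans are hex)."""
    out = b""
    for i, chunk in enumerate(content.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("ascii")
    return out


def wire_name(qname):
    """QNAME as it appears in a DNS question (constructed, no compression)."""
    labels = qname.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def matches(content, qname, nocase=True):
    """Simulate a content match (with nocase) against a query name."""
    hay, needle = wire_name(qname), content_bytes(content)
    if nocase:
        hay, needle = hay.lower(), needle.lower()
    return needle in hay


if __name__ == "__main__":
    loose = snort_dns_content("amazon.com")
    strict = snort_dns_content("amazon.com", anchor_end=True)
    # Constructed sample query names, not captured traffic.
    for name in ("www.Amazon.com", "notamazon.com", "amazon.com.example.org"):
        print(f"{name:24} loose={matches(loose, name)} strict={matches(strict, name)}")
```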