[Snort-users] Alert on web traffic instead of IP Address?

Jason Haar Jason.Haar at ...294...
Wed Aug 12 20:56:06 EDT 2009

On 08/12/2009 02:40 AM, Joel Esler wrote:
> Correct, it is *not* possible to put hostnames in a rule.  It's
> probably better to write a rule on the content of the traffic than to
> try and track an IP.

More specifically, it would be *insane* for an IDS to do on-the-fly DNS
lookups. Don't forget, if you have a rule that says "trigger an alert if
someone connects to this.dns.host and then...", then the IDS would have
to do DNS lookups for EVERY packet - just in case it matched.

Also, the IDS only sees the IP, so it could only do PTR lookups - which
may not match the A record (certainly true in your case of fast flux).
The same principle applies to firewalls. Firewalls that "support DNS" only
do the DNS lookup ONCE at boot-time, then they match on IP address
thereafter.

If you can get your IDS in front of your DNS servers you may have a
shot. You could write rules to trigger when anyone did the actual DNS
lookup of such hosts...


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
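The approach Jason describes in the last paragraph, matching on the DNS query itself rather than on a resolved IP, works because a DNS question carries the queried name as a fixed byte pattern (length-prefixed labels, terminated by a zero byte), so a content rule needs no lookups at all. The following Python is an added illustration and is not from the post or from the Snort project: it encodes a hostname into that wire format, parses the QNAME out of a constructed query packet, checks it against a small watchlist, and renders the same pattern as the `content:` option of a Snort rule. The hostname `this.dns.host` is the placeholder from the post, the watchlist is constructed for the example, and the SID `1000001` is a placeholder in the local-rule range.

```python
import struct

# Constructed watchlist for the example; the name comes from the post's placeholder.
WATCHLIST = {"this.dns.host"}


def encode_qname(hostname):
    """Encode a hostname as a DNS wire-format QNAME: <len><label>...<0x00>."""
    out = b""
    for label in hostname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad DNS label length: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_qname(payload, offset):
    """Decode the QNAME starting at `offset`; returns (name, offset after it)."""
    labels = []
    while True:
        if offset >= len(payload):
            raise ValueError("truncated query name")
        length = payload[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers are not valid in the question of a query.
            raise ValueError("compression pointer in question name")
        if offset + length > len(payload):
            raise ValueError("truncated label")
        labels.append(payload[offset:offset + length].decode("ascii"))
        offset += length
    # DNS names are case-insensitive, so normalise before comparing.
    return ".".join(labels).lower(), offset


def build_query(hostname, txid=0x1234):
    """Build a constructed A/IN query (UDP payload) for `hostname`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    return header + encode_qname(hostname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def query_name(payload):
    """Return the first question name of a DNS query, or None for responses."""
    if len(payload) < 12:
        raise ValueError("payload shorter than DNS header")
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if flags & 0x8000 or qdcount < 1:
        return None  # QR bit set (a response) or no question section
    name, _ = decode_qname(payload, 12)
    return name


def matches_watchlist(payload, watchlist=WATCHLIST):
    """The detection: alert when a client asks for a watched name."""
    name = query_name(payload)
    return name is not None and name in watchlist


def snort_content(hostname):
    """Render the QNAME as a Snort content string, lengths as |hex| bytes."""
    parts = "".join("|%02X|%s" % (len(label), label)
                    for label in hostname.rstrip(".").split("."))
    return '"%s|00|"' % parts


def snort_rule(hostname, sid):
    """Snort 2 rule that fires on a client query for `hostname` (sid is a placeholder)."""
    return ('alert udp $HOME_NET any -> any 53 (msg:"DNS query for watched host %s"; '
            'content:%s; nocase; sid:%d; rev:1;)'
            % (hostname, snort_content(hostname), sid))


if __name__ == "__main__":
    pkt = build_query("this.dns.host")
    print(encode_qname("this.dns.host"))
    print(matches_watchlist(pkt))
    print(snort_rule("this.dns.host", 1000001))
```

Two points the rule form makes visible: `nocase` is needed because resolvers may randomise label case, and the byte pattern `|04|this|03|dns|04|host|00|` is also a substring of the encoding of any subdomain such as `evil.this.dns.host`, so the content rule is broader than the exact-match set lookup in `matches_watchlist`; whether that is desirable depends on what is being watched.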
