[Snort-users] Alert on web traffic instead of IP Address?

Matt Olney molney at ...1935...
Wed Aug 12 21:08:32 EDT 2009

If you have a list of domains you know to be bad, you could alert on
the DNS lookup of those names.  Just make sure you check the DNS
protocol.  I don't have my notes here, but to block bad.com, I believe
it would be something like:

alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"Bad host name
detected"; flow: to_server; content:"|03|bad|03|com"; classtype:
bad-tarffic; sid: 10000000;)

Or something.  Unfortunately you need a separate rule for each domain,
the good news is that the format for DNS requests makes for a fairly
good fast-pattern match.

I think, haven't tested it, your mileage may very etc, ad nauseum


On Wed, Aug 12, 2009 at 8:56 PM, Jason Haar<Jason.Haar at ...294...> wrote:
> On 08/12/2009 02:40 AM, Joel Esler wrote:
>> Correct, it is *not* possible to put hostnames in a rule.  It's
>> probably better to write a rule on the content of the traffic than to
>> try and track an IP.
> More specifically, it would be *insane* for an IDS to do on-the-fly DNS
> lookups. Don't forget, if you have a rule that says "trigger an alert if
> someone connects to this.dns.host  and then...", then the IDS would have
> to do DNS lookups for EVERY packet - just in case it matched.
> Also, the IDS only sees the IP, so it could only do PTR lookups - which
> may not match the A record (certainly true in your case of fast flux)
> Same principle applies to firewalls. Firewalls that support DNS only
> means they do the DNS lookup ONCE at boot-time, then they match on IP
> address thereafter.
> If you can get your IDS in front of your DNS servers you may have a
> shot. You could write rules to trigger when anyone did the actual DNS
> lookup of such hosts...
> --
> Cheers
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
> trial. Simplify your report design, integration and deployment - and focus on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

More information about the Snort-users mailing list