[Snort-users] Alert on web traffic instead of IP Address?

CunningPike cunningpike at ...11827...
Thu Aug 13 15:57:53 EDT 2009


Why not simply blackhole the domains in your DNS?

CP

On Wed, Aug 12, 2009 at 6:08 PM, Matt Olney <molney at ...1935...> wrote:

> If you have a list of domains you know to be bad, you could alert on
> the DNS lookup of those names.  Just make sure you check the DNS
> protocol.  I don't have my notes here, but to block bad.com, I believe
> it would be something like:
>
> alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"Bad host name
> detected"; flow: to_server; content:"|03|bad|03|com"; classtype:
> bad-traffic; sid: 10000000;)
>
> Or something.  Unfortunately you need a separate rule for each domain,
> the good news is that the format for DNS requests makes for a fairly
> good fast-pattern match.
>
> I think, haven't tested it, your mileage may vary, etc., ad nauseam
>
> Matt
>
> On Wed, Aug 12, 2009 at 8:56 PM, Jason Haar<Jason.Haar at ...294...>
> wrote:
> > On 08/12/2009 02:40 AM, Joel Esler wrote:
> >> Correct, it is *not* possible to put hostnames in a rule.  It's
> >> probably better to write a rule on the content of the traffic than to
> >> try and track an IP.
> >>
> >
> > More specifically, it would be *insane* for an IDS to do on-the-fly DNS
> > lookups. Don't forget, if you have a rule that says "trigger an alert if
> > someone connects to this.dns.host  and then...", then the IDS would have
> > to do DNS lookups for EVERY packet - just in case it matched.
> >
> > Also, the IDS only sees the IP, so it could only do PTR lookups, which
> > may not match the A record (certainly true in your case of fast flux).
> > The same principle applies to firewalls. Firewall support for DNS names
> > only means they do the DNS lookup ONCE at boot-time, then they match on
> > IP address thereafter.
> >
> > If you can get your IDS in front of your DNS servers you may have a
> > shot. You could write rules to trigger when anyone did the actual DNS
> > lookup of such hosts...
> >
> > --
> > Cheers
> >
> > Jason Haar
> > Information Security Manager, Trimble Navigation Ltd.
> > Phone: +64 3 9635 377 Fax: +64 3 9635 417
> > PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
> >
> >
> >
> ------------------------------------------------------------------------------
> > Let Crystal Reports handle the reporting - Free Crystal Reports 2008
> 30-Day
> > trial. Simplify your report design, integration and deployment - and
> focus on
> > what you do best, core application coding. Discover what's new with
> > Crystal Reports now.  http://p.sf.net/sfu/bobj-july
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
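As an added illustration of Matt's point (this is example code written for this page, not code from the thread or from the Snort project): a DNS query carries the name as length-prefixed labels, so the bytes on the wire for bad.com are 03 'bad' 03 'com' 00, never the text "bad.com". The script below hand-builds query packets (constructed sample data), renders a name in Snort's |hex| content syntax, and emulates a plain `content:` substring match to show what the pattern from the thread does and does not catch. Function names, the sample names, and the `nocase` and `offset:12` options added to the rule text are this example's own assumptions, not something the thread specifies.

```python
"""
Added example, not code from the thread or from Snort: builds DNS query
packets by hand and shows why a content match on the length-prefixed label
encoding (e.g. |03|bad|03|com) works where a match on "bad.com" does not.
All function names and the sample names below are this example's own.
"""
import struct
from typing import Optional


def encode_qname(name: str) -> bytes:
    """DNS wire form of a name: <len><label>... terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed sample packet: a standard recursive query for one A record
    (12-byte header, then the question). The QNAME starts at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_qname(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def snort_content(name: str, terminated: bool = False) -> str:
    """Render the wire form of a name in Snort content syntax, e.g.
    '|03|bad|03|com'. With terminated=True the trailing |00| is added, so a
    name that merely starts with bad.com (bad.com.evil.example) no longer
    matches; subdomains of bad.com still do, since the pattern ends their encoding."""
    parts = [f"|{len(label):02x}|{label}" for label in name.rstrip(".").split(".")]
    return "".join(parts) + ("|00|" if terminated else "")


def content_to_bytes(content: str) -> bytes:
    """Decode a Snort content string (literal text plus |hex| escapes) to bytes."""
    out, i = b"", 0
    while i < len(content):
        if content[i] == "|":
            j = content.index("|", i + 1)
            out += bytes.fromhex(content[i + 1:j])
            i = j + 1
        else:
            out += content[i].encode("ascii")
            i += 1
    return out


def matches(packet: bytes, content: str, nocase: bool = False,
            offset: int = 0, depth: Optional[int] = None) -> bool:
    """Emulate a plain content match: a substring search over the packet,
    restricted to `depth` bytes starting at `offset` when depth is given,
    and case-folded when nocase is set (DNS names are case-insensitive,
    Snort content matches are not unless you say so)."""
    pattern = content_to_bytes(content)
    region = packet[offset:] if depth is None else packet[offset:offset + depth]
    if nocase:
        pattern, region = pattern.lower(), region.lower()
    return pattern in region


def snort_rule(name: str, sid: int, terminated: bool = False) -> str:
    """One rule per name, in the shape sketched in the thread, plus nocase
    and offset:12 (skip the fixed-size DNS header); these two are additions."""
    return (f'alert udp $HOME_NET any -> $DNS_SERVERS 53 '
            f'(msg:"DNS lookup of {name}"; flow:to_server; '
            f'content:"{snort_content(name, terminated)}"; nocase; offset:12; '
            f'classtype:bad-traffic; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    pat = snort_content("bad.com")
    for qname in ["bad.com", "www.bad.com", "BAD.COM", "bad.computer",
                  "notbad.com", "bad.com.evil.example"]:
        pkt = build_dns_query(qname)
        print(f"{qname:22s} {pat}: {matches(pkt, pat)!s:5s} "
              f"nocase: {matches(pkt, pat, nocase=True)!s:5s} "
              f"exact: {matches(pkt, pat + '|00|', nocase=True, offset=12, depth=9)}")
    print(snort_rule("bad.com", 1000000))
```

Two things the run makes visible that the one-line rule in the thread does not: the length bytes are what keep `notbad.com` and `bad.computer` from matching (the pattern is anchored to label boundaries, which is why it fast-patterns well), and a resolver that sends the name in mixed case slips past a case-sensitive content match unless `nocase` is on. Restricting the search to the QNAME position with `offset:12; depth:9` (the length of the terminated encoding of bad.com) is the way to alert on the exact name only, if subdomain hits are not wanted.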