[Snort-users] DNS Packets

Mikey van der Worp mvdworp at ...16336...
Mon Jun 3 08:57:45 EDT 2013


Hi there

I've got several rules, but none of them are working properly.

"How to detect a DNS Query Reply -> OK"
This is something I created a couple of days ago. It doesn't work as it should: it detects all queries, even when they are refused.

Help please!

== EXAMPLE ==

# ipvar is the IP-list variable type in Snort 2.9; the /24 is written with its host bits cleared
ipvar DNS_SERVERS [192.168.1.1]
ipvar HOME_NETWORK [192.168.0.0/24]
# Source IP lists must be bracketed. The two byte_tests fire only on replies (QR bit, byte 2 & 128)
# whose RCODE is 0 / NOERROR (byte 3 & 15 == 0), so REFUSED or NXDOMAIN replies do not alert.
# sid is a 32-bit value, so the original 10000000002 would have been silently truncated.
alert udp [$HOME_NETWORK,!$DNS_SERVERS] 53 -> !$DNS_SERVERS any (msg:"DNS Query resolved by unknown host."; byte_test:1,&,128,2; byte_test:1,!&,15,3; priority:3; sid:1000002; rev:1;)

== EXAMPLE ==

== DEBUG DATA ==
06/03-14:17:03.732308 50:3D:E5:AF:F1:80 -> 00:00:5E:00:01:50 type:0x800 len:0x149
127.0.0.1:53 -> 145.100.**.**:32559 UDP TTL:63 TOS:0x0 ID:34600 IpLen:20 DgmLen:315 Len: 287
23 EF 81 80 00 01 00 05 00 04 00 04 03 77 77 77  #............www
10 67 6F 6F 67 6C 65 61 64 73 65 72 76 69 63 65  .googleadservice
73 03 63 6F 6D 00 00 01 00 01 C0 0C 00 05 00 01  s.com...........
00 00 00 2B 00 1A 06 70 61 67 65 61 64 01 6C 0B  ...+...pagead.l.
64 6F 75 62 6C 65 63 6C 69 63 6B 03 6E 65 74 00  doubleclick.net.
C0 36 00 01 00 01 00 00 01 2C 00 04 4A 7D 84 9B  .6.......,..J}..
C0 36 00 01 00 01 00 00 01 2C 00 04 4A 7D 84 9A  .6.......,..J}..
C0 36 00 01 00 01 00 00 01 2C 00 04 4A 7D 84 9D  .6.......,..J}..
C0 36 00 01 00 01 00 00 01 2C 00 04 4A 7D 84 9C  .6.......,..J}..
C0 3D 00 02 00 01 00 05 40 13 00 0D 03 6E 73 32  .=......@....ns2
06 67 6F 6F 67 6C 65 C0 21 C0 3D 00 02 00 01 00  .google.!.=.....
05 40 13 00 06 03 6E 73 34 C0 A0 C0 3D 00 02 00  .@....ns4...=...
01 00 05 40 13 00 06 03 6E 73 31 C0 A0 C0 3D 00  ...@....ns1...=.
02 00 01 00 05 40 13 00 06 03 6E 73 33 C0 A0 C0  .....@....ns3...
C7 00 01 00 01 00 02 9D 11 00 04 D8 EF 20 0A C0  ............. ..
9C 00 01 00 01 00 02 9D 11 00 04 D8 EF 22 0A C0  ............."..
D9 00 01 00 01 00 02 9D 11 00 04 D8 EF 24 0A C0  .............$..
B5 00 01 00 01 00 02 9D 11 00 04 D8 EF 26 0A     .............&.

Sincerely yours,
Mikey
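As an added example (this is editor-supplied code, not part of Mikey's post or of Snort itself), the following script parses the DNS reply from the debug dump above and shows why a rule that only matches on port 53 fires for every reply: the outcome of a lookup is not in the IP/UDP headers but in payload bytes 2-3, the DNS flags word. The 287-byte payload is transcribed from the hex column of the dump; the query and the REFUSED reply that the script compares it against are constructed here for illustration and were not captured. The only thing the script assumes about Snort is that a udp rule's byte_test offsets count from the start of the UDP payload.

```python
# Added example, not from the original post: parse the DNS reply dumped above
# (payload transcribed from the hex column) plus a constructed query and a
# constructed REFUSED reply, and report the QR bit / RCODE in payload bytes 2-3
# that a rule must test to alert only on successful ("OK") replies.
import struct
from ipaddress import IPv4Address

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
RRTYPES = {1: "A", 2: "NS", 5: "CNAME", 28: "AAAA"}

# 287-byte UDP payload of the captured reply (127.0.0.1:53 -> 145.100.x.x:32559), one dump line per string.
CAPTURED_OK_REPLY = bytes.fromhex(
    "23 EF 81 80 00 01 00 05 00 04 00 04 03 77 77 77 "
    "10 67 6F 6F 67 6C 65 61 64 73 65 72 76 69 63 65 "
    "73 03 63 6F 6D 00 00 01 00 01 C0 0C 00 05 00 01 "
    "00 00 00 2B 00 1A 06 70 61 67 65 61 64 01 6C 0B "
    "64 6F 75 62 6C 65 63 6C 69 63 6B 03 6E 65 74 00 "
    "C0 36 00 01 00 01 00 00 01 2C 00 04 4A 7D 84 9B "
    "C0 36 00 01 00 01 00 00 01 2C 00 04 4A 7D 84 9A "
    "C0 36 00 01 00 01 00 00 01 2C 00 04 4A 7D 84 9D "
    "C0 36 00 01 00 01 00 00 01 2C 00 04 4A 7D 84 9C "
    "C0 3D 00 02 00 01 00 05 40 13 00 0D 03 6E 73 32 "
    "06 67 6F 6F 67 6C 65 C0 21 C0 3D 00 02 00 01 00 "
    "05 40 13 00 06 03 6E 73 34 C0 A0 C0 3D 00 02 00 "
    "01 00 05 40 13 00 06 03 6E 73 31 C0 A0 C0 3D 00 "
    "02 00 01 00 05 40 13 00 06 03 6E 73 33 C0 A0 C0 "
    "C7 00 01 00 01 00 02 9D 11 00 04 D8 EF 20 0A C0 "
    "9C 00 01 00 01 00 02 9D 11 00 04 D8 EF 22 0A C0 "
    "D9 00 01 00 01 00 02 9D 11 00 04 D8 EF 24 0A C0 "
    "B5 00 01 00 01 00 02 9D 11 00 04 D8 EF 26 0A"
)

def read_name(msg, off):
    """Decode a (possibly compressed) domain name at off; return (name, offset after it)."""
    labels, end, seen = [], None, set()
    while True:
        if off in seen or off >= len(msg):          # pointer loop or pointer past the end
            raise ValueError("bad compression pointer")
        seen.add(off)
        length = msg[off]
        if length & 0xC0 == 0xC0:                   # 2-byte compression pointer (RFC 1035 4.1.4)
            end = off + 2 if end is None else end   # the name ends after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        elif length & 0xC0:
            raise ValueError("reserved label type")
        elif length == 0:                           # root label terminates the name
            return ".".join(labels) or ".", (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
            off += 1 + length

def parse_dns(msg):
    """Parse header, question and all three RR sections; raise on malformed input."""
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        questions.append((name, qtype))
        off += 4
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == 1 and rdlen == 4:
                value = str(IPv4Address(msg[off:off + 4]))
            elif rtype in (2, 5):                   # NS / CNAME: rdata is itself a name
                value, _ = read_name(msg, off)
            else:
                value = msg[off:off + rdlen].hex()
            records.append((section, name, RRTYPES.get(rtype, str(rtype)), ttl, value))
            off += rdlen
    if off != len(msg):
        raise ValueError("trailing bytes after last record")
    rcode = flags & 0xF
    return {"id": txid, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF, "rcode": rcode,
            "rcode_name": RCODES.get(rcode, str(rcode)), "questions": questions, "records": records}

def snort_flag_bytes(msg):
    """Payload bytes 2-3 (the DNS flags word) as hex: what a byte_test at offset 2 / 3 sees."""
    return msg[2:4].hex()

def is_successful_reply(msg):
    """QR bit set (byte 2 & 0x80) and RCODE == 0 (byte 3 & 0x0F): reply answered with NOERROR."""
    return bool(msg[2] & 0x80) and (msg[3] & 0x0F) == 0

QUESTION = CAPTURED_OK_REPLY[12:42]                 # www.googleadservices.com, type A, class IN
# Constructed (not captured): the query that produced the reply, and a REFUSED reply to it.
QUERY = struct.pack("!6H", 0x23EF, 0x0100, 1, 0, 0, 0) + QUESTION
REFUSED_REPLY = struct.pack("!6H", 0x23EF, 0x8185, 1, 0, 0, 0) + QUESTION

if __name__ == "__main__":
    for label, msg in (("captured reply", CAPTURED_OK_REPLY), ("constructed query", QUERY),
                       ("constructed REFUSED reply", REFUSED_REPLY)):
        d = parse_dns(msg)
        print(f"{label}: flags={snort_flag_bytes(msg)} qr={d['qr']} rcode={d['rcode_name']} "
              f"ok_reply={is_successful_reply(msg)}")
    for rec in parse_dns(CAPTURED_OK_REPLY)["records"]:
        print("   ", rec)
```

Running it shows the captured reply carrying flags 8180 (QR set, RCODE 0) and the constructed REFUSED reply carrying 8185; a port-only rule cannot tell them apart, while testing byte 2 against 0x80 and byte 3 against 0x0F separates a resolved lookup from a refused one. The parser also walks the answer, authority and additional sections with compression-pointer handling, which is useful when checking what a reply from an unexpected resolver actually returned.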