[Snort-users] DNS Packets

Joel Esler jesler at ...1935...
Mon Jun 3 09:46:23 EDT 2013


On Jun 3, 2013, at 8:57 AM, Mikey van der Worp <mvdworp at ...16336...> wrote:

> Hi there
>  
> I’ve got several rules, but none of them are working properly.
>  
> “How to detect a DNS Query Reply -> OK”..
> This is something I’ve created a couple of days ago. It doesn’t work as it should: it detects all queries, even when it’s refused.

I would take the packet capture you have and throw it into wireshark and learn which bytes in the packet you have indicate a "Query Reply -> OK" response, and write a rule to detect that sequence of bytes.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
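A worked example of the approach Joel describes, added here and not part of the original thread or of Snort's own code: the "Query Reply -> OK" state lives in two header bytes of the DNS message. Byte 2, bit 7 is the QR flag (1 = response), and the low four bits of byte 3 are the RCODE (0 = NOERROR, 5 = REFUSED). A Snort rule that tests exactly those bits, assuming DNS over UDP so the payload starts at the DNS header, would be (illustrative rule, arbitrary sid):

    alert udp any 53 -> any any (msg:"DNS reply NOERROR"; byte_test:1,&,0x80,2; byte_test:1,!&,0x0F,3; sid:1000001; rev:1;)

The script below builds constructed DNS messages (not captures from Mikey's network), classifies them from the header, and mirrors the rule's two byte_test checks so you can see which packets it would and would not fire on. Function and constant names are this example's own.

```python
"""Locate the bytes that distinguish a DNS 'reply, NOERROR' from a query or a
REFUSED reply, and mirror the byte_test checks a Snort rule would apply."""
import struct

# RCODE values (RFC 1035 / RFC 2136), carried in the low nibble of header byte 3.
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

# Illustrative rule for this example (arbitrary sid); offsets assume DNS over UDP.
SNORT_RULE = ('alert udp any 53 -> any any (msg:"DNS reply NOERROR"; '
              'byte_test:1,&,0x80,2; byte_test:1,!&,0x0F,3; sid:1000001; rev:1;)')


def build_dns(txid, is_response, rcode, qname="example.com", qtype=1, rdata=None):
    """Build a minimal DNS message: header, one question, optional A answer.
    Constructed sample data for this example, not a real capture."""
    flags = 0x0100                      # RD bit, as a stub resolver would set it
    if is_response:
        flags |= 0x8000                 # QR bit: byte 2, bit 7
    flags |= rcode & 0x0F               # RCODE: low nibble of byte 3
    ancount = 1 if (is_response and rdata) else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    question = b"".join(bytes([len(label)]) + label.encode() for label in qname.split("."))
    question += b"\x00" + struct.pack("!HH", qtype, 1)   # QNAME terminator, QTYPE, QCLASS IN
    msg = header + question
    if ancount:
        # Answer: compression pointer to the name at offset 12, type, class IN, TTL, RDLENGTH 4.
        msg += b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 300, 4) + bytes(rdata)
    return msg


def classify(payload):
    """Parse the 12-byte DNS header and name what this packet is."""
    if len(payload) < 12:
        return "truncated"
    _txid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    qr = (flags >> 15) & 1
    rcode = flags & 0x0F
    if not qr:
        return "query"
    return "response/" + RCODES.get(rcode, "RCODE%d" % rcode)


def snort_rule_matches(payload, require_answer=False):
    """Mirror of the rule's byte_test checks, applied to the UDP payload:
      byte_test:1,&,0x80,2   -> QR bit set, i.e. this is a response
      byte_test:1,!&,0x0F,3  -> no RCODE bits set, i.e. NOERROR
    NOERROR with ANCOUNT == 0 is a 'NODATA' reply; require_answer adds the
    equivalent of byte_test:2,>,0,6 to insist on at least one answer record.
    For DNS over TCP the two-byte length prefix shifts every offset by 2."""
    if len(payload) < 8:
        return False
    is_response = bool(payload[2] & 0x80)
    no_error = not (payload[3] & 0x0F)
    if require_answer and struct.unpack("!H", payload[6:8])[0] == 0:
        return False
    return is_response and no_error


if __name__ == "__main__":
    samples = {
        "query": build_dns(0x1234, False, 0),
        "ok reply": build_dns(0x1234, True, 0, rdata=(93, 184, 216, 34)),
        "nodata reply": build_dns(0x1234, True, 0),
        "refused reply": build_dns(0x1234, True, 5),
    }
    for name, pkt in samples.items():
        print("%-14s %-18s fires=%s" % (name, classify(pkt), snort_rule_matches(pkt)))
```

Run it and the REFUSED reply and the plain query do not fire while the NOERROR reply does, which is the split Mikey's rule was missing. Before deploying, confirm the offsets against your own capture in Wireshark as Joel suggests: the example assumes the DNS header starts at UDP payload offset 0, which is not true for DNS over TCP.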

