[Snort-users] DNS Packets

Mikey van der Worp mvdworp at ...16336...
Mon Jun 3 09:53:03 EDT 2013


Thanks for the reply.

Does anybody have any other solutions?
Because when I need to do this.. I need to set up an entire new environment with Virtual Servers etc etc.


From: Joel Esler [mailto:jesler at ...1935...]
Sent: Monday, June 3, 2013 15:46
To: Mikey van der Worp
CC: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] DNS Packets

On Jun 3, 2013, at 8:57 AM, Mikey van der Worp <mvdworp at ...16336...<mailto:mvdworp at ...16336...>> wrote:

Hi there

I've got several rules.. But none of them are working properly..

"How to detect a DNS Query Reply -> OK"..
This is something I've created a couple of days ago... Doesn't work as it should be.. This detects "all queries".. Even when it's refused...

I would take the packet capture you have and throw it into wireshark and learn which bytes in the packet you have indicate a "Query Reply -> OK" response, and write a rule to detect that sequence of bytes.

Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
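The byte check Joel describes, worked through as an added Python example (not code from the thread): in the 12-byte DNS header the QR bit is the high bit of byte 2 and the RCODE is the low nibble of byte 3, so a "reply -> OK" is QR=1 with RCODE=0, while a refused reply carries RCODE=5. The sample packets are constructed inline, and the Snort byte_test lines in the comment are my illustrative equivalent, not a rule posted in the thread.

```python
import struct

# RCODE values from RFC 1035 (0-5); anything else is reported numerically.
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
          3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def classify_dns(payload: bytes) -> dict:
    """Read QR and RCODE from the header of a DNS UDP payload."""
    if len(payload) < 12:
        raise ValueError("DNS header is 12 bytes; payload too short")
    flags = struct.unpack("!H", payload[2:4])[0]
    is_response = bool(flags & 0x8000)      # QR bit = high bit of byte 2
    rcode = flags & 0x000F                  # RCODE  = low nibble of byte 3
    return {"response": is_response, "rcode": rcode,
            "rcode_name": RCODES.get(rcode, f"RCODE{rcode}")}


def is_ok_reply(payload: bytes) -> bool:
    """True only for a response whose RCODE is NOERROR.

    Illustrative Snort equivalent on the UDP payload (assumed, not from the thread):
        byte_test:1,&,0x80,2;    -> QR bit set, i.e. this is a reply
        byte_test:1,!&,0x0F,3;   -> RCODE == 0 (NOERROR)
    A rule with only the first test fires on every reply, REFUSED included,
    which matches the behaviour described in the thread.
    """
    info = classify_dns(payload)
    return info["response"] and info["rcode"] == 0


def build_dns(txid: int, flags: int, qname: str = "example.com") -> bytes:
    """Constructed sample packet: header plus one A/IN question, no answers."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + question


# Constructed samples: flags 0x0100 = query RD; 0x8180 = reply NOERROR;
# 0x8183 = reply NXDOMAIN; 0x8185 = reply REFUSED.
SAMPLES = {
    "query": build_dns(0x1234, 0x0100),
    "ok_reply": build_dns(0x1234, 0x8180),
    "nxdomain_reply": build_dns(0x1234, 0x8183),
    "refused_reply": build_dns(0x1234, 0x8185),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:15s} {classify_dns(pkt)}  ok_reply={is_ok_reply(pkt)}")
```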