[Snort-users] DNS Packets

Michal Purzynski michal at ...16244...
Mon Jun 3 12:24:31 EDT 2013


On 6/3/13 2:57 PM, Mikey van der Worp wrote:
>
> Hi there
>
> I've got several rules.. But none of them are working properly..
>
> "How to detect a DNS Query Reply -> OK"..
>
> This is something I've created a couple of days ago... It doesn't work as 
> it should.. This detects "all queries".. Even when it's refused...
>
*Were you born with it, or did you have an accident?*
>
> DEBUG DATA ===
>
> 06/03-14:17:03.732308 50:3D:E5:AF:F1:80 -> 00:00:5E:00:01:50 
> type:0x800 len:0x149
>
> 127.0.0.1:53 -> 145.100.**.**:32559 UDP TTL:63 TOS:0x0 ID:34600 
> IpLen:20 DgmLen:315 Len: 287
>
> 23 EF 81 80 00 01 00 05 00 04 00 04 03 77 77 77  #............www
>
> 10 67 6F 6F 67 6C 65 61 64 73 65 72 76 69 63 65  .googleadservice
>
> 73 03 63 6F 6D 00 00 01 00 01 C0 0C 00 05 00 01  s.com...........
>
> 00 00 00 2B 00 1A 06 70 61 67 65 61 64 01 6C 0B  ...+...pagead.l.
>
> 64 6F 75 62 6C 65 63 6C 69 63 6B 03 6E 65 74 00  doubleclick.net.
>
> C0 36 00 01 00 01 00 00 01 2C 00 04 4A 7D 84 9B  .6.......,..J}..
>
> C0 36 00 01 00 01 00 00 01 2C 00 04 4A 7D 84 9A  .6.......,..J}..
>
> C0 36 00 01 00 01 00 00 01 2C 00 04 4A 7D 84 9D  .6.......,..J}..
>
> C0 36 00 01 00 01 00 00 01 2C 00 04 4A 7D 84 9C  .6.......,..J}..
>
> C0 3D 00 02 00 01 00 05 40 13 00 0D 03 6E 73 32  .=......@....ns2
>
> 06 67 6F 6F 67 6C 65 C0 21 C0 3D 00 02 00 01 00  .google.!.=.....
>
> 05 40 13 00 06 03 6E 73 34 C0 A0 C0 3D 00 02 00  .@....ns4...=...
>
> 01 00 05 40 13 00 06 03 6E 73 31 C0 A0 C0 3D 00  ...@....ns1...=.
>
> 02 00 01 00 05 40 13 00 06 03 6E 73 33 C0 A0 C0  .....@....ns3...
>
> C7 00 01 00 01 00 02 9D 11 00 04 D8 EF 20 0A C0  ............. ..
>
> 9C 00 01 00 01 00 02 9D 11 00 04 D8 EF 22 0A C0  ............."..
>
> D9 00 01 00 01 00 02 9D 11 00 04 D8 EF 24 0A C0  .............$..
>
> B5 00 01 00 01 00 02 9D 11 00 04 D8 EF 26 0A     .............&.
>
> Sincerely yours,
>
> Mikey
>
>
>

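As an added illustration (not code from the thread or from the Snort project), here is a small Python decoder for the 12-byte DNS header, fed the header bytes from the quoted debug dump plus two constructed variants. It shows the distinction a "reply -> OK" rule needs: the QR bit (high bit of byte 2, 0x80) must be set AND the RCODE nibble (low four bits of byte 3) must be zero; matching on QR alone fires on REFUSED and NXDOMAIN replies too.

```python
import struct

# DNS RCODE values from RFC 1035 (only the common ones named here)
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
          3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def parse_dns_header(payload: bytes) -> dict:
    """Decode the 12-byte DNS header into its id, flag bits and section counts."""
    if len(payload) < 12:
        raise ValueError("DNS payload shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    return {
        "id": txid,
        "qr": (flags >> 15) & 1,        # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,  # 0 = standard query
        "aa": (flags >> 10) & 1,        # authoritative answer
        "tc": (flags >> 9) & 1,         # truncated
        "rd": (flags >> 8) & 1,         # recursion desired
        "ra": (flags >> 7) & 1,         # recursion available
        "rcode": flags & 0xF,           # 0 = NOERROR, 5 = REFUSED, ...
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def is_successful_reply(payload: bytes) -> bool:
    """The test the poster's rule lacks: a reply is 'OK' only if QR=1 and RCODE=0."""
    h = parse_dns_header(payload)
    return h["qr"] == 1 and h["rcode"] == 0


def describe(payload: bytes) -> str:
    """Human-readable one-liner, e.g. for a quick look at a captured header."""
    h = parse_dns_header(payload)
    kind = "response" if h["qr"] else "query"
    return "id=0x%04X %s rcode=%s an=%d ns=%d ar=%d" % (
        h["id"], kind, RCODES.get(h["rcode"], str(h["rcode"])),
        h["ancount"], h["nscount"], h["arcount"])


# First 12 bytes of the reply in the quoted debug dump: id 0x23EF, flags 0x8180,
# 1 question, 5 answers (CNAME + 4 A), 4 authority and 4 additional records.
OK_REPLY = bytes.fromhex("23EF81800001000500040004")
# Constructed counterparts (not from the dump): same id with a REFUSED reply
# (flags 0x8185) and with the flags of the original query (0x0100).
REFUSED_REPLY = bytes.fromhex("23EF81850001000000000000")
QUERY = bytes.fromhex("23EF01000001000000000000")

if __name__ == "__main__":
    for p in (OK_REPLY, REFUSED_REPLY, QUERY):
        print(describe(p), "-> OK" if is_successful_reply(p) else "")
```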