[Snort-users] [SPAM] Re: DNS Packets

rmkml rmkml at ...1855...
Mon Jun 3 15:11:08 EDT 2013


Hi Michal,

Please remove "priority:3;"

and please change sid to short like 10000002.

Info: change var to ipvar.

Please check snort cmd line with "-k none" for testing only.

Please check if you need "flow:from_server,established;" on your dns rule.

It works on the last v2.9.4.6.

Regards
@Rmkml


On Mon, 3 Jun 2013, Michal Purzynski wrote:

> On 6/3/13 2:57 PM, Mikey van der Worp wrote:
>
>       Hi there
>
>        
>
>       I’ve got several rules.. But none of them are working properly..
>
>        
>
>       “How to detect a DNS Query Reply -> OK”..
>
>       This is something I’ve created a couple of days ago… Doesn’t work as it should.. This detects “all queries”.. Even when it’s refused…
>
>        Help please!
>        == EXAMPLE ==
>        var DNS_SERVERS [192.168.1.1]
>        var HOME_NETWORK [192.168.0.1/24]
>        alert udp $HOME_NETWORK,!$DNS_SERVERS 53 -> !$DNS_SERVERS any (msg: " DNS Query resolved by unknown host."; priority:3;  sid:10000000002;)
>        == EXAMPLE ==
>
> 
> Were you born with it, or had an accident?
>
>        
>
>       DEBUG DATA ===
>
>       06/03-14:17:03.732308 50:3D:E5:AF:F1:80 -> 00:00:5E:00:01:50 type:0x800 len:0x149
>       127.0.0.1:53 -> 145.100.**.**:32559 UDP TTL:63 TOS:0x0 ID:34600 IpLen:20 DgmLen:315 Len: 287
>
>       Sincerely yours,
>       Mikey
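Added illustration, not code from anyone in the thread: the rule above matches on addresses and port 53 only, so every answer the resolver sends matches, a REFUSED one included. What separates a "query reply -> OK" from a refusal is the DNS header: the QR bit (byte 2, 0x80) must be set and RCODE (low nibble of byte 3) must be 0. The sample headers are constructed; the `byte_test` line quoted in the comment is the Snort payload check this Python mirrors.

```python
import struct

# RCODE names from RFC 1035 (0-5), as far as this example needs them.
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


def parse_dns_header(payload: bytes) -> dict:
    """Decode the fixed 12-byte DNS header at the start of a UDP payload."""
    if len(payload) < 12:
        raise ValueError("payload shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    return {
        "id": txid,
        "qr": (flags >> 15) & 1,        # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,
        "rcode": flags & 0xF,           # 0 = NOERROR, 5 = REFUSED, ...
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def is_ok_reply(payload: bytes) -> bool:
    """True only for a response (QR=1) that completed with RCODE NOERROR.

    Snort equivalent on the UDP payload (offsets 2 and 3 of the DNS header):
        byte_test:1,&,0x80,2; byte_test:1,!&,0x0F,3;
    """
    h = parse_dns_header(payload)
    return h["qr"] == 1 and h["rcode"] == 0


def rcode_name(payload: bytes) -> str:
    return RCODES.get(parse_dns_header(payload)["rcode"], "UNASSIGNED")


def make_header(flags: int, txid: int = 0x23EF, an: int = 0) -> bytes:
    """Constructed 12-byte header: QDCOUNT=1, ANCOUNT as given, NS/AR 0."""
    return struct.pack("!6H", txid, flags, 1, an, 0, 0)


# Constructed samples; the flag words are the standard values for each case.
SAMPLES = {
    "query":          make_header(0x0100),        # QR=0, RD=1
    "noerror_reply":  make_header(0x8180, an=5),  # QR=1, RD, RA, RCODE=0
    "nxdomain_reply": make_header(0x8183),        # QR=1, RCODE=3
    "refused_reply":  make_header(0x8185),        # QR=1, RCODE=5
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:15} rcode={rcode_name(pkt):9} ok-reply={is_ok_reply(pkt)}")
```

Only the NOERROR response passes `is_ok_reply`; a port-53 address match alone, as in the rule above, accepts all four.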
