[Snort-users] [SPAM] Re: DNS Packets

Joel Esler jesler at ...1935...
Mon Jun 3 16:56:52 EDT 2013


On Jun 3, 2013, at 3:11 PM, rmkml <rmkml at ...1855...> wrote:

> Please remove "priority:3;"

Doesn't need to if he doesn't want to.

> 
> and please change sid to short like 10000002.

Again, up to him and his numbering sequence.  Nothing wrong with that.

> 
> Info: change var to ipvar.

Depends on his version of Snort.

> 
> Please check snort cmd line with "-k none" for testing only.
> 
> Please check if you need "flow:from_server,established;" on your dns rule.

Don't need established if you are doing a UDP rule.

Still doesn't solve his problems.

He's looking for someone to provide him the answer.  

Give a man the answer, and he’ll only have a temporary solution. Teach him the principles that led you to that answer, and he will be able to create his own solutions in the future.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire


