[Snort-users] [SPAM] Re: DNS Packets

Joel Esler jesler at ...1935...
Mon Jun 3 16:56:52 EDT 2013

On Jun 3, 2013, at 3:11 PM, rmkml <rmkml at ...1855...> wrote:

> Please remove "priority:3;"

Doesn't need to if he doesn't want to.

> and please change sid to short like 10000002.

Again, up to him and his numbering sequence.  Nothing wrong with that.

> Info: change var to ipvar.

Depends on his version of Snort.

> Please check snort cmd line with "-k none" for testing only.
> Please check if you need "flow:from_server,established;" on your dns rule.

Don't need established if you are doing a UDP rule.

Still doesn't solve his problems.

He's looking for someone to provide him the answer.  

Give a man the answer, and he’ll only have a temporary solution. Teach him the principles that led you to that answer, and he will be able to create his own solutions in the future.

Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
