[Snort-users] How to use Snort to detect DNS reverse lookup queries

Qinwen Hu qhu009 at ...15379...
Tue Nov 26 17:03:38 EST 2013

Hi all,

I am a new Snort user.  Currently, I am working on one project; we need to use
Snort to read the pcap file and detect some packets that do not send a full DNS
reverse lookup message.

For example: (
this message is one complete reverse DNS lookup message).

But some packets look like

So, I am just wondering, does Snort have some feature that detects a
particular pattern and counts the payload size before this particular
pattern? For example, if I receive the reverse DNS request,

I find the pattern “.ip6.arpa”, and then I can search how many bytes there are before
this pattern; in this example, we have 17 bytes before “.ip6.arpa”.

Does anybody have ideas? How do I use Snort to create this rule?

Many thanks


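The check the poster is asking for, as an added example that is not part of the original post or of Snort itself. On the wire (RFC 1035) the question name is a sequence of length-prefixed labels, and a complete ip6.arpa PTR lookup carries 32 single-hex-digit labels, so exactly 64 bytes sit between the 12-byte DNS header and the |03|ip6|04|arpa|00| suffix; a "short" lookup has fewer. The parser below pulls the question out of a DNS payload, counts the nibble labels and the bytes they occupy before the suffix, and reports whether the lookup is complete. The two packets are constructed in the block itself; all function names are my own, and the Snort rule in the trailing comment is an illustrative equivalent that has not been run against Snort here.

```python
"""
Parse a DNS query's question section (RFC 1035 wire format) and decide
whether an ip6.arpa PTR lookup carries all 32 nibble labels.

Added example, not code from the original post. The packets below are
constructed for illustration; all names (classify_ip6_arpa_query, etc.)
are my own and are not a Snort API.
"""
import ipaddress
import struct

DNS_HEADER_LEN = 12        # id, flags, qdcount, ancount, nscount, arcount
QTYPE_PTR = 12
FULL_IP6_NIBBLES = 32      # 128-bit address -> 32 hex nibbles, one label each
HEX_DIGITS = frozenset(b"0123456789abcdefABCDEF")


def parse_qname(payload, offset=DNS_HEADER_LEN):
    """Return (labels, offset_after_name) for the uncompressed name at offset."""
    labels, pos = [], offset
    while True:
        if pos >= len(payload):
            raise ValueError("name runs past end of payload")
        n = payload[pos]
        pos += 1
        if n == 0:
            return labels, pos
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        if pos + n > len(payload):
            raise ValueError("label runs past end of payload")
        labels.append(payload[pos:pos + n])
        pos += n


def classify_ip6_arpa_query(payload):
    """Classify a DNS payload (UDP data only, no IP/UDP headers).

    Returns None unless the packet is a query (QR=0) whose first question is
    a PTR lookup under ip6.arpa.  Otherwise returns a dict with the number
    of nibble labels, the wire bytes those labels occupy before the
    |03|ip6|04|arpa|00| suffix, and whether the lookup is complete.
    """
    if len(payload) < DNS_HEADER_LEN:
        return None
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount == 0:        # a response, or no question
        return None
    try:
        labels, end = parse_qname(payload)
        qtype, = struct.unpack("!H", payload[end:end + 2])
    except (ValueError, struct.error):
        return None                            # malformed; out of scope here
    if qtype != QTYPE_PTR or len(labels) < 2:
        return None
    if [l.lower() for l in labels[-2:]] != [b"ip6", b"arpa"]:
        return None
    nibbles = labels[:-2]
    well_formed = all(len(l) == 1 and l[0] in HEX_DIGITS for l in nibbles)
    return {
        "nibble_labels": len(nibbles),
        "wire_bytes_before_suffix": sum(1 + len(l) for l in nibbles),
        "complete": well_formed and len(nibbles) == FULL_IP6_NIBBLES,
    }


# --- constructed sample input (not captured traffic) ----------------------

def ip6_arpa_labels(addr, nibbles=FULL_IP6_NIBBLES):
    """Labels of the reverse name for addr; nibbles < 32 simulates a short lookup."""
    hexdigits = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return [c.encode() for c in hexdigits[::-1][:nibbles]] + [b"ip6", b"arpa"]


def build_ptr_query(labels, txid=0x1234):
    """Assemble a minimal DNS PTR query (header + one question) from labels."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_PTR, 1)   # QCLASS=IN


FULL_QUERY = build_ptr_query(ip6_arpa_labels("2001:db8::1"))            # 32 nibbles
SHORT_QUERY = build_ptr_query(ip6_arpa_labels("2001:db8::1", nibbles=9))  # 9 nibbles

# Snort rule (illustrative, not run here) expressing the same check: a complete
# lookup places the suffix at payload offset 12 + 32*2 = 76, so a suffix
# preceded by at most 31 single-hex labels marks a short lookup.
# alert udp any any -> any 53 (msg:"Short ip6.arpa PTR query"; \
#   content:"|03|ip6|04|arpa|00|"; \
#   pcre:"/^.{12}(?:\x01[0-9a-fA-F]){0,31}\x03ip6\x04arpa\x00/s"; \
#   sid:1000001; rev:1;)

if __name__ == "__main__":
    for name, pkt in (("full", FULL_QUERY), ("short", SHORT_QUERY)):
        print(name, classify_ip6_arpa_query(pkt))
```

Counting in wire bytes rather than in the dotted presentation form matters for a Snort rule: the content and pcre options see the raw label encoding (|01|1|01|0|...), not "1.0.…", so the byte budget before the suffix is 2 per nibble. The `content` option gives Snort a fast literal to prefilter on; the `pcre` anchored at the start of the payload enforces both the label shape and the upper bound of 31 nibbles.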