[Snort-users] How to use Snort to detect DNS reverse lookup queries

Qinwen Hu qhu009 at ...15379...
Tue Nov 26 17:03:38 EST 2013


Hi all,


I am a new Snort user. Currently, I am working on one project; we need to use
Snort to read the pcap file and detect some packets that do not send a full DNS
reverse lookup message.


For example:

9.7.3.1.2.b.e.f.f.f.4.7.0.0.0.0.0.0.0.2.0.0.0.0.0.f.d.0.1.0.0.2.ip6.arpa
(this message is one complete reverse DNS lookup message).


But some packets look like

0.0.0.0.2.0.0.0.0.0.f.d.0.1.0.0.2.ip6.arpa


So, I am just wondering, does Snort have some feature that detects a
particular pattern and counts the payload size before that pattern? For
example, if I received the reverse DNS request


0.0.0.0.2.0.0.0.0.0.f.d.0.1.0.0.2.ip6.arpa.


I find the pattern “.ip6.arpa”, and then I can check how many bytes come before
this pattern; in this example, we have 17 bytes before “.ip6.arpa”.


Does anybody have ideas? How do I use Snort to create this rule?


Many thanks.

Regards,

Steven
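One way to make the check described above concrete, as an added example that is not part of the original post and not Snort code: a small Python script that parses the question section of a DNS query from the raw wire bytes, looks for the `ip6.arpa` suffix, and counts the nibble labels in front of it. A complete IPv6 reverse lookup carries 32 single-hex-digit labels (one per nibble of the 128-bit address); the shorter query from the post carries only 17. The DNS messages used as input are constructed inline with a hypothetical `build_query` helper so the script runs offline; the function names are the example's own.

```python
import struct

# A full IPv6 PTR name has one label per nibble of the 128-bit address.
FULL_NIBBLE_COUNT = 32
IP6_ARPA_SUFFIX = ("ip6", "arpa")

# Query names taken from the post; the second one is the truncated case.
FULL_NAME = "9.7.3.1.2.b.e.f.f.f.4.7.0.0.0.0.0.0.0.2.0.0.0.0.0.f.d.0.1.0.0.2.ip6.arpa"
SHORT_NAME = "0.0.0.0.2.0.0.0.0.0.f.d.0.1.0.0.2.ip6.arpa"


def build_query(name, qtype=12, qclass=1):
    """Build a minimal DNS query message (constructed test input, not captured traffic).
    qtype 12 is PTR. A trailing dot on the name is tolerated."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # id, flags (RD), qdcount=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, qclass)


def parse_qname(payload, offset=12):
    """Parse the first question name starting at offset (12 = right after the header).
    Returns (labels, offset_after_name). Question names are not compressed in practice,
    so a compression pointer is treated as malformed rather than followed."""
    labels = []
    while True:
        length = payload[offset]
        if length == 0:
            return labels, offset + 1
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        offset += 1
        labels.append(payload[offset:offset + length].decode("ascii"))
        offset += length


def classify_ip6_ptr(labels):
    """Return (is_ip6_arpa, nibble_count, complete) for a list of name labels."""
    if tuple(l.lower() for l in labels[-2:]) != IP6_ARPA_SUFFIX:
        return False, 0, False
    nibbles = labels[:-2]
    all_hex = all(len(n) == 1 and n.lower() in "0123456789abcdef" for n in nibbles)
    return True, len(nibbles), all_hex and len(nibbles) == FULL_NIBBLE_COUNT


def check_dns_query(payload):
    """Inspect one DNS message; report whether it is an ip6.arpa PTR query and
    whether it carries all 32 nibble labels. Returns None if there is no question."""
    qdcount = struct.unpack("!H", payload[4:6])[0]
    if qdcount < 1:
        return None
    labels, off = parse_qname(payload)
    qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
    is_ip6, count, complete = classify_ip6_ptr(labels)
    return {
        "name": ".".join(labels),
        "qtype": qtype,
        "ip6_arpa": is_ip6,
        "nibbles": count,
        "complete": complete,
    }


if __name__ == "__main__":
    for name in (FULL_NAME, SHORT_NAME, "www.example.com"):
        result = check_dns_query(build_query(name))
        flag = "OK" if result["complete"] or not result["ip6_arpa"] else "INCOMPLETE"
        print(f"{flag:10} nibbles={result['nibbles']:2} {result['name']}")
```

The script counts labels rather than raw bytes because, on the wire, each nibble label is a one-byte length followed by one character, so "17 labels" is what a detector actually sees in front of `\x03ip6\x04arpa`. The same structure can be expressed as a Snort `pcre` option over the DNS payload: a complete name matches `(\x01[0-9a-fA-F]){32}\x03ip6\x04arpa`, and a query containing `\x03ip6\x04arpa` that does not match that pattern is the truncated case the post is looking for.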