[Snort-users] How to use Snort to detect DNS reverse lookup queries
qhu009 at ...15379...
Tue Nov 26 17:03:38 EST 2013
I am a new Snort user. Currently I am working on a project where we need to use
Snort to read a pcap file and detect packets that do not send a full DNS
reverse lookup message.
this message is one completed reverse DNS lookup message).
But some packets look like
So I am just wondering: does Snort have a feature that detects a
particular pattern and counts the payload size before that particular
pattern? For example, if I receive a reverse DNS request,
I find the pattern “.ip6.arpa” and then search how many bytes come before
this pattern; in this example, we have 17 bytes before “.ip6.arpa”.
Does anybody have ideas? How do I use Snort to create this rule?
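The check the question asks for, as an added Python example that is not from this thread: it parses the question name out of a DNS query in wire format, counts the labels in front of ip6.arpa (and in-addr.arpa, added here for generality) and reports whether the full address is present. The expected label counts, the sample queries and the function names are assumptions of this example; it shows the condition a Snort rule would have to express over the DNS payload.

```python
import struct

# Assumption: a "complete" PTR name carries the whole address, i.e.
# 32 nibble labels under ip6.arpa, 4 octet labels under in-addr.arpa.
EXPECTED_LABELS = {("ip6", "arpa"): 32, ("in-addr", "arpa"): 4}

def parse_qname(payload: bytes, offset: int = 12):
    """Return (labels, end_offset) of the first question name in a DNS
    message. Question names are never compressed, so pointers are rejected."""
    labels = []
    while True:
        length = payload[offset]
        offset += 1
        if length == 0:
            return labels, offset
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(payload[offset:offset + length].decode("ascii"))
        offset += length

def check_reverse_query(payload: bytes):
    """Classify a DNS query by its QNAME.
    Returns (suffix, wire_bytes_before_suffix, labels_before_suffix, complete)
    or None when the name is not a reverse lookup."""
    labels, _ = parse_qname(payload)
    for suffix, expected in EXPECTED_LABELS.items():
        n = len(suffix)
        if len(labels) > n and tuple(labels[-n:]) == suffix:
            prefix = labels[:-n]
            # Wire bytes in front of the suffix: one length byte plus the
            # label text per label (the dotted text form has 2*len-1 chars).
            wire_bytes = sum(1 + len(lbl) for lbl in prefix)
            return ".".join(suffix), wire_bytes, len(prefix), len(prefix) == expected
    return None

def build_query(name: str) -> bytes:
    """Constructed sample input: a minimal DNS query (header + one PTR question)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 12, 1)  # QTYPE PTR, QCLASS IN

if __name__ == "__main__":
    full = build_query(".".join(["0"] * 29 + ["8", "b", "d"]) + ".ip6.arpa")
    short = build_query("8.b.d.0.1.0.0.2.ip6.arpa")  # constructed truncated name
    print(check_reverse_query(full))
    print(check_reverse_query(short))
```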