[Snort-users] Fwd: snort content matching rules

Jim Reprogle jim.reprogle at ...11827...
Tue May 6 17:53:20 EDT 2014


I'm new to using snort, so I've been looking around on the various mailing
lists, groups, archives, forums, etc. for an answer to what appears to be
an obvious question but for the life of me I can't find one.

Hopefully this isn't something that's been beaten to death in other
threads, but here goes anyway.

I've installed snort on a CentOS 6.4 machine and have gotten basic alerting
working. However, whenever I attempt a simple rule that looks at the
payload (content) of certain packets, that rule doesn't seem to work at all.

For example, this rule works all day long:
alert udp any any <> any 53 (msg:"DNS Query"; sid:1000001; rev:1;)

However, if I try to make the rule match only on PTR lookups, it stops
working entirely.
alert udp any any <> any 53 (msg:"DNS Query"; content:"PTR "; sid:1000001;
rev:1;)

I've tried rules using the rawbytes directive, and they don't seem to work
either. Please help me out here, as I'm certain that I've done something
painfully obvious to make these simple content rules not work.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140506/7d9a26a9/attachment.html>


More information about the Snort-users mailing list