[Snort-users] Fwd: snort content matching rules

Jim Reprogle jim.reprogle at ...11827...
Thu May 8 15:36:37 EDT 2014


Dang it. Never mind. I fat-fingered the rule when I was testing your
suggested configuration. It's working. Thank you again for your most
gracious help.


On Thu, May 8, 2014 at 2:24 PM, Jim Reprogle <jim.reprogle at ...11827...> wrote:

> Thank you for your reply. You are correct. I'm just trying to test my
> installation and determine whether or not content matching rules are
> working. This is a relatively low traffic machine, and I just want to see
> if I can get reverse DNS (PTR) lookups to trigger an alert in snort. I've
> currently got a local rule that looks like this (taking your advice and
> looking for DNS query type 0x000c.)
>
> alert udp any any <> any 53 (msg:"DNS PTR Query"; content:"|00 0C|"; rawbytes; sid:1000001; rev:1;)
>
> It's not working for me. I just don't get a good feeling that my
> installation is working without knowing that the content matching rules
> work, too. May I ask you for another suggestion I might try? Again, I am
> very grateful for the feedback and the help.
>
>
>
> On Thu, May 8, 2014 at 11:37 AM, Y M <snort at ...15979...> wrote:
>
>> The first rule works because you are not exactly looking for content
>> (payload), simply the rule says match on UDP traffic from any IP
>> address/port to any IP address on port 53 regardless of what the packets
>> contain, which generally may be characterized as DNS traffic/service.
>>
>> In the second rule, you are trying to match DNS queries of type PTR or
>> reverse lookups based on content (payload) of the query. I am not sure what
>> payload you are trying to match on, but in general you should be looking at
>> the specific field/location within the packet that denotes the type PTR. I
>> cannot think of a way that you can easily always match on this as the
>> queried IP address/domain will have various lengths, not to mention it is
>> in reverse order making it not practical. That said, if you change your
>> content match to "|00 0C|" it may hit, though this approach is also not
>> practical and will generate lots of false positives.
>>
>> Hope this helps.
>>
>> ------------------------------
>> From: jim.reprogle at ...11827...
>> Date: Tue, 6 May 2014 16:53:20 -0500
>> To: snort-users at lists.sourceforge.net
>> Subject: [Snort-users] Fwd: snort content matching rules
>>
>> I'm new to using snort, so I've been looking around on the various
>> mailing lists, groups, archives, forums, etc. for an answer to what appears
>> to be an obvious question but for the life of me I can't find one.
>>
>> Hopefully this isn't something that's been beaten to death in other
>> threads, but here goes anyway.
>>
>> I've installed snort on a CentOS 6.4 machine and have gotten basic
>> alerting working. However, whenever I attempt a simple rule that looks at
>> the payload (content) of certain packets, that rule doesn't seem to work at
>> all.
>>
>> For example, this rule works all day long:
>> alert udp any any <> any 53 (msg:"DNS Query"; sid:1000001; rev:1;)
>>
>> However, if I try to make the rule match only on PTR lookups, it stops
>> working entirely.
>> alert udp any any <> any 53 (msg:"DNS Query"; content:"PTR
>> "; sid:1000001; rev:1;)
>>
>> I've tried rules using the rawbytes directive, and they don't seem to
>> work either. Please help me out here, as I'm certain that I've done
>> something painfully obvious to make these simple content rules not work.
>>
>
>
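
Added example, not part of the thread or of Snort itself: a Python sketch of why a bare `|00 0C|` payload search over-matches, as the reply above warns, and how the QTYPE field is located by walking the variable-length QNAME. The packets are constructed samples and all function names are hypothetical.

```python
import struct

QTYPE_A, QTYPE_PTR = 1, 12  # PTR is 0x000C, the bytes the thread's rule searches for

def build_query(txid, qname, qtype):
    """Build a one-question DNS query (constructed sample data, RD flag set)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def question_qtype(payload):
    """Return the QTYPE of the first question, or None if the payload is malformed."""
    pos = 12                                   # QNAME starts after the fixed header
    while pos < len(payload):
        length = payload[pos]
        if length == 0:                        # root label terminates QNAME
            if len(payload) < pos + 5:         # QTYPE and QCLASS must both be present
                return None
            return struct.unpack("!H", payload[pos + 1:pos + 3])[0]
        if length & 0xC0:                      # pointer/reserved bits: not a plain label
            return None
        pos += 1 + length                      # skip length byte plus label text
    return None

def naive_match(payload):
    """What content:"|00 0C|" does: find the two bytes anywhere in the payload."""
    return b"\x00\x0c" in payload

def is_ptr_query(payload):
    """Field-aware check: only the question's QTYPE decides."""
    return question_qtype(payload) == QTYPE_PTR

# Constructed samples: one real PTR lookup and three A lookups.
SAMPLES = {
    "ptr_lookup": build_query(0x1A2B, "4.3.2.1.in-addr.arpa", QTYPE_PTR),
    "a_plain": build_query(0x1A2B, "example.com", QTYPE_A),
    # Transaction ID happens to be 0x000C.
    "a_txid_000c": build_query(0x000C, "example.com", QTYPE_A),
    # 12-character first label: ARCOUNT's last 0x00 is followed by length byte 0x0C.
    "a_12char_label": build_query(0x1A2B, "mailgateway1.example.com", QTYPE_A),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:16} naive={naive_match(pkt)!s:5} field_aware={is_ptr_query(pkt)}")
```
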