[Snort-users] tcp rules not working

Michael J. Sheldon msheldon at ...13552...
Wed Feb 15 17:23:00 EST 2017

I'm testing snort for use filtering DNS traffic. I have it set up using nfq inline

This rule works exactly as expected (drops requests for www.example.com):
drop udp any any -> $HOME_NET $DNS_PORTS (msg:"TEST example.com"; flow:stateless; content:"|03|www|07|example|03|com|00|"; nocase; offset:12; sid:3100001; rev:1;)

This rule also works (alerts for all tcp inbound):
alert tcp any any -> $HOME_NET $DNS_PORTS (msg:"TEST all tcp"; sid:3100003; rev:1;)

This rule does NOT work:
drop tcp any any -> $HOME_NET $DNS_PORTS (msg:"TEST example.com"; flow:stateless; content:"|07|example|03|com|00|"; nocase; offset:12; sid:3100002; rev:1;)

After a LOT of playing with the rules, no matter what, if the protocol is TCP and there is a "content" parameter at all, the rule will not match. I tried variations on flow (stateless, to_server, to_client, etc.).

I've got to be missing something incredibly simple, but at this point, no idea what it is.

Michael Sheldon
Dev-DNS Services
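As an added example (not part of Michael's message or of Snort itself), the script below constructs a DNS query for www.example.com, shows the same message framed as it appears above a UDP header and above a TCP header (RFC 1035 section 4.2.2 prefixes DNS over TCP with a two-byte length field), and applies the offset/depth search semantics of Snort's content option to the two patterns from the rules in the post. The rule contents and sids are taken from the post; the query builder, the `content_matches` emulation and the sample transaction ID are assumptions made for this example.

```python
import struct
from typing import Optional


def encode_name(name: str) -> bytes:
    """Encode a hostname in DNS wire format: length-prefixed labels, NUL-terminated."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dns_query(name: str, txid: int = 0x1234, qtype: int = 1, qclass: int = 1) -> bytes:
    """Build a minimal DNS query: 12-byte header followed by one question section.
    txid 0x1234 is a constructed sample value."""
    # Header fields: ID, flags (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)


def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP (RFC 1035 s4.2.2): a two-byte big-endian length precedes the message,
    so every field sits two bytes deeper than in the UDP payload."""
    return struct.pack("!H", len(msg)) + msg


def content_matches(payload: bytes, pattern: bytes, offset: int = 0,
                    depth: Optional[int] = None, nocase: bool = True) -> int:
    """Emulate Snort's content/offset/depth/nocase: the search starts at `offset`;
    with `depth`, the whole match must lie within `depth` bytes of that start.
    Returns the match position or -1 (emulation written for this example)."""
    if nocase:
        payload, pattern = payload.lower(), pattern.lower()
    end = len(payload) if depth is None else min(len(payload), offset + depth)
    return payload.find(pattern, offset, end)


# Patterns copied from the rules in the post
RULE_UDP_CONTENT = b"\x03www\x07example\x03com\x00"  # sid:3100001
RULE_TCP_CONTENT = b"\x07example\x03com\x00"         # sid:3100002


def demo(name: str = "www.example.com") -> dict:
    """Where each rule's content lands in the UDP payload and in the TCP-framed payload."""
    udp_payload = build_dns_query(name)          # what sits above the UDP header
    tcp_payload = tcp_frame(udp_payload)         # what sits above the TCP header
    return {
        "udp_pos_3100001": content_matches(udp_payload, RULE_UDP_CONTENT, offset=12),
        "tcp_pos_3100001": content_matches(tcp_payload, RULE_UDP_CONTENT, offset=12),
        "udp_pos_3100002": content_matches(udp_payload, RULE_TCP_CONTENT, offset=12),
        "tcp_pos_3100002": content_matches(tcp_payload, RULE_TCP_CONTENT, offset=12),
        # An "exact position" variant (offset:12; depth:17) written against UDP framing
        # misses under TCP framing, because the name now starts at byte 14.
        "tcp_pos_3100001_pinned": content_matches(
            tcp_payload, RULE_UDP_CONTENT, offset=12, depth=len(RULE_UDP_CONTENT)),
    }


if __name__ == "__main__":
    for key, pos in demo().items():
        print(f"{key}: {'no match' if pos < 0 else f'match at byte {pos}'}")
```

Running it shows the www.example.com name at byte 12 of the UDP payload and at byte 14 of the TCP-framed payload; both contents from the post are still found under TCP framing when only `offset:12` is used, so the two-byte length prefix alone does not explain why sid:3100002 never fires, but it does break any rule that pins the pattern with `offset` plus a tight `depth`. Keeping the TCP and UDP variants of a DNS rule separate, as the post already does, is the safe way to handle that framing difference.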
