[Snort-users] tcp rules not working
Michael J. Sheldon
msheldon at ...13552...
Wed Feb 15 17:23:00 EST 2017
I'm testing snort for use filtering DNS traffic. I have it set up using nfq inline.
This rule works exactly as expected (drops requests for www.example.com):
drop udp any any -> $HOME_NET $DNS_PORTS (msg:"TEST example.com"; flow:stateless; content:"|03|www|07|example|03|com|00|"; nocase; offset:12; sid:3100001; rev:1;)
This rule also works (alerts for all tcp inbound):
alert tcp any any -> $HOME_NET $DNS_PORTS (msg:"TEST all tcp"; sid:3100003; rev:1;)
This rule does NOT work:
drop tcp any any -> $HOME_NET $DNS_PORTS (msg:"TEST example.com"; flow:stateless; content:"|07|example|03|com|00|"; nocase; offset:12; sid:3100002; rev:1;)
After a LOT of playing with the rules, no matter what, if the protocol is TCP and there is a "content" parameter at all, the rule will not match. Tried variations on flow (stateless, to_server, to_client, etc.).
I've got to be missing something incredibly simple, but at this point, no idea what it is.
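As an added example (not part of the original post), the script below builds the DNS query payload for www.example.com in both UDP and TCP framing (TCP prepends a 2-byte length field) and emulates Snort's content/offset/nocase matching, so you can see where each rule's content bytes actually sit. Both patterns are found at or after offset 12 in both framings, which tells you the byte-level arguments themselves are not what keeps the TCP rule from firing; the helper names here are my own.

```python
"""Added example, not from the original post: where the DNS rules'
content bytes land in UDP vs. TCP framing, and whether offset:12 allows them."""
import struct


def dns_query_payload(name: str, tcp: bool = False) -> bytes:
    """Constructed DNS standard query (QTYPE A, QCLASS IN) for `name`.
    TCP framing prepends the 2-byte message length (RFC 1035 4.2.2)."""
    # id=0x1234, flags=RD, qdcount=1, ancount=nscount=arcount=0
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    msg = header + qname + struct.pack("!HH", 1, 1)
    return struct.pack("!H", len(msg)) + msg if tcp else msg


def parse_snort_content(spec: str) -> bytes:
    """Decode a Snort content string such as '|07|example|03|com|00|' into bytes.
    Segments between '|' pairs are hex byte values; the rest is literal text."""
    out = b""
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 == 1 else part.encode()
    return out


def content_matches(payload: bytes, spec: str, offset: int = 0, nocase: bool = False) -> int:
    """Emulate content + offset (no depth): the pattern must begin at byte
    >= offset and the search runs to the end of the payload. Returns the
    match position, or -1 when the pattern is absent in that range."""
    pat, hay = parse_snort_content(spec), payload
    if nocase:  # bytes.lower() touches ASCII letters only, binary bytes untouched
        pat, hay = pat.lower(), hay.lower()
    return hay.find(pat, offset)


if __name__ == "__main__":
    udp = dns_query_payload("www.example.com")
    tcp = dns_query_payload("www.example.com", tcp=True)
    for framing, pl in (("udp", udp), ("tcp", tcp)):
        print(framing, "www pattern at", content_matches(pl, "|03|www|07|example|03|com|00|", 12, True),
              "example pattern at", content_matches(pl, "|07|example|03|com|00|", 12, True))
```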