Advanced DNS rules

[Curt Shaffer <cshaffer () gmail com>]

I'm looking for some information on way to look for malformed DNS
packets. Mainly looking for large UDP requests (dsize:>512) that are
NOT DNSSEC related, and a rule looking for the reserved flag (Z),
reference here: http://www.networksorcery.com/enp/protocol/dns.htm#Z,
in the DNS Flags field. I'm having trouble finding decent
documentation. I have the following:

Detects large packets, but want this to alert only if we are not using DNSSEC:

alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:" Inbound Large DNS
Packet Detected NOT DNSSEC";  dsize:> 512; classtype:dns;  sid:xxxxx;
rev:1; )

The following I thought would work for the reserved bit (Z), but I am
getting alerts even when the bit is not set:

alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS Reserved Bit
Set"; content:!"|00|"; offset:25; classtype:dns; sid:9000246; rev:1;)

Can anyone point me at some documentation for Snort on these topics or
lend a hand to help see what I'm missing?

Thanks

Curt

------------------------------------------------------------------------------
Virtualization & Cloud Management Using Capacity Planning
Cloud computing makes use of virtualization - but cloud computing 
also focuses on allowing computing to be delivered as a service.
http://www.accelacomm.com/jaw/sfnl/114/51521223/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!