Snort mailing list archives
Advanced DNS rules
From: Curt Shaffer <cshaffer () gmail com>
Date: Sun, 19 Feb 2012 13:51:38 -0500
I'm looking for some information on a way to look for malformed DNS packets. Mainly looking for large UDP requests (dsize:>512) that are NOT DNSSEC related, and a rule looking for the reserved flag (Z), reference here: http://www.networksorcery.com/enp/protocol/dns.htm#Z, in the DNS Flags field. I'm having trouble finding decent documentation.

I have the following. Detects large packets, but I want this to alert only if we are not using DNSSEC:

alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:" Inbound Large DNS Packet Detected NOT DNSSEC"; dsize:> 512; classtype:dns; sid:xxxxx; rev:1; )

The following I thought would work for the reserved bit (Z), but I am getting alerts even when the bit is not set:

alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS Reserved Bit Set"; content:!"|00|"; offset:25; classtype:dns; sid:9000246; rev:1;)

Can anyone point me at some documentation for Snort on these topics or lend a hand to help see what I'm missing?

Thanks
Curt
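The two checks the post asks about, as an added example that is not Curt's code and not part of Snort: a small parser for a raw DNS-over-UDP payload that reads the Z bit from the header flags and looks for an EDNS(0) OPT record (which DNSSEC-capable resolvers send, with the DO bit set) in the additional section, plus a builder for constructed sample queries so the checks can be run offline. It assumes the packet is a DNS message on UDP port 53, so the DNS header starts at byte 0 of the UDP payload; "not DNSSEC" is approximated as "no OPT record", which is an assumption of this example, not something the post defines.

```python
# Added example (not from the original post or from Snort): a minimal DNS payload
# parser for the reserved Z flag bit and for EDNS(0)/DNSSEC indicators, with
# constructed sample queries. Assumes the DNS header starts at UDP payload offset 0.
import struct

DNS_HEADER_LEN = 12
TYPE_OPT = 41        # EDNS(0) pseudo-RR type
TYPE_TXT = 16
EDNS_PADDING = 12    # EDNS(0) Padding option code, used only to inflate sample packets
Z_MASK = 0x40        # Z is bit 6 of the second flags byte, i.e. UDP payload offset 3
DO_MASK = 0x8000     # DNSSEC OK bit: high bit of the OPT RR's TTL field


def skip_name(buf, pos):
    """Return the offset just past the DNS name that starts at pos.
    Handles label sequences and 2-byte compression pointers (0xC0 prefix)."""
    while True:
        if pos >= len(buf):
            raise ValueError("truncated name")
        length = buf[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + length


def parse_dns(buf):
    """Extract the Z bit and EDNS(0)/DNSSEC indicators from a raw DNS payload."""
    if len(buf) < DNS_HEADER_LEN:
        raise ValueError("shorter than a DNS header")
    _ident, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:DNS_HEADER_LEN])
    info = {"z_bit": bool(buf[3] & Z_MASK), "has_opt": False,
            "do_bit": False, "edns_udp_size": None}
    pos = DNS_HEADER_LEN
    for _ in range(qd):
        pos = skip_name(buf, pos) + 4            # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        pos = skip_name(buf, pos)
        if pos + 10 > len(buf):
            raise ValueError("truncated resource record")
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[pos:pos + 10])
        if rtype == TYPE_OPT:
            info["has_opt"] = True
            info["edns_udp_size"] = rclass      # OPT reuses CLASS as the advertised UDP size
            info["do_bit"] = bool(ttl & DO_MASK)
        pos += 10 + rdlen
    return info


def classify(buf, large_threshold=512):
    """Return the alert messages (same wording as the rules in the post) that fire."""
    info = parse_dns(buf)
    alerts = []
    if info["z_bit"]:
        alerts.append("DNS Reserved Bit Set")
    if len(buf) > large_threshold and not info["has_opt"]:
        alerts.append("Inbound Large DNS Packet Detected NOT DNSSEC")
    return alerts


def build_query(name, z_bit=False, with_opt=False, do_bit=False, padding=0):
    """Constructed sample query (not captured traffic). padding adds bytes of rdata,
    as an EDNS(0) Padding option when with_opt, otherwise as an oversized TXT RR."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    qname = labels + b"\x00"
    flags = 0x0100 | (Z_MASK if z_bit else 0)          # RD set, optionally Z set
    additional = b""
    if with_opt:
        rdata = struct.pack("!HH", EDNS_PADDING, padding) + b"\x00" * padding if padding else b""
        additional = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096,
                                          DO_MASK if do_bit else 0, len(rdata)) + rdata
    elif padding:
        additional = b"\x00" + struct.pack("!HHIH", TYPE_TXT, 1, 0, padding) + b"\x00" * padding
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 1 if additional else 0)
    return header + qname + struct.pack("!HH", 1, 1) + additional   # QTYPE A, QCLASS IN


if __name__ == "__main__":
    samples = [("plain", build_query("example.com")),
               ("z-bit", build_query("example.com", z_bit=True)),
               ("large, no EDNS", build_query("example.com", padding=600)),
               ("large, EDNS+DO", build_query("example.com", with_opt=True, do_bit=True, padding=600))]
    for label, pkt in samples:
        print(f"{label:16} len={len(pkt):4} -> {classify(pkt)}")
```

The parser reads the Z bit from payload offset 3 with mask 0x40. Snort's `offset` keyword counts from the first byte of the UDP payload, so the flags occupy bytes 2 and 3 and the equivalent rule option would be `byte_test:1,&,64,3;` rather than a content match at offset 25, which lands inside the question section; the sample output shows that only the constructed oversized query without an OPT record trips the "NOT DNSSEC" alert.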
Current thread:
- Advanced DNS rules Curt Shaffer (Feb 19)
- Re: Advanced DNS rules Geoffrey Sanders (Feb 19)
- Re: Advanced DNS rules Curt Shaffer (Feb 19)
- Re: Advanced DNS rules Curt Shaffer (Feb 20)
- Re: Advanced DNS rules Mark Andrews (Feb 19)
- Re: Advanced DNS rules Curt Shaffer (Feb 19)
- Re: Advanced DNS rules Mark Andrews (Feb 19)
- Re: Advanced DNS rules Curt Shaffer (Feb 19)
- Re: Advanced DNS rules Geoffrey Sanders (Feb 19)