Snort mailing list archives
Re: DNS Packets
From: Joel Esler <jesler () sourcefire com>
Date: Mon, 3 Jun 2013 09:46:23 -0400
On Jun 3, 2013, at 8:57 AM, Mikey van der Worp <mvdworp () utelisys com> wrote:
Hi there, I've got several rules.. But none of them are working properly.. "How to detect a DNS Query Reply -> OK".. This is something I've created a couple of days ago… Doesn't work as it should be.. This detects "all queries".. Even when it's refused…
I would take the packet capture you have and throw it into wireshark and learn which bytes in the packet you have indicate a "Query Reply -> OK" response, and write a rule to detect that sequence of bytes.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
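The byte-level check Joel describes, as an added example that is not part of the thread: a small Python parser for the 16-bit flag word of the DNS header (bytes 2 and 3 of the UDP payload) that separates a NOERROR reply from a REFUSED one, and shows why a rule that only tests the QR bit fires on every response. The sample headers are constructed, not taken from a capture.

```python
import struct

# DNS header (RFC 1035): ID(2) FLAGS(2) QDCOUNT(2) ANCOUNT(2) NSCOUNT(2) ARCOUNT(2)
# FLAGS bit layout: QR(1) OPCODE(4) AA(1) TC(1) RD(1) RA(1) Z(3) RCODE(4)
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def parse_dns_flags(payload):
    """Return (is_response, opcode, rcode_name) from a DNS payload's 12-byte header."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    _id, flags = struct.unpack("!HH", payload[:4])
    qr = (flags >> 15) & 1          # payload byte 2 & 0x80
    opcode = (flags >> 11) & 0xF    # payload byte 2 & 0x78
    rcode = flags & 0xF             # payload byte 3 & 0x0F
    return bool(qr), opcode, RCODES.get(rcode, "RCODE%d" % rcode)

def is_ok_reply(payload):
    """What the thread calls a 'Query Reply -> OK': QR=1, standard query (opcode 0),
    RCODE=0. In byte terms, the three masks noted in parse_dns_flags are what a
    signature would have to test at payload offsets 2 and 3."""
    is_resp, opcode, rcode = parse_dns_flags(payload)
    return is_resp and opcode == 0 and rcode == "NOERROR"

def matches_response_only(payload):
    """What a rule that checks only the QR bit sees: every reply, refused ones included."""
    return parse_dns_flags(payload)[0]

# Constructed sample headers (ID 0x1234, one question) -- not from a real capture.
QUERY    = bytes.fromhex("1234 0100 0001 0000 0000 0000")  # QR=0, RD=1
OK_REPLY = bytes.fromhex("1234 8180 0001 0001 0000 0000")  # QR=1, RD, RA, RCODE=0
REFUSED  = bytes.fromhex("1234 8185 0001 0000 0000 0000")  # QR=1, RD, RA, RCODE=5

if __name__ == "__main__":
    for name, pkt in [("query", QUERY), ("ok reply", OK_REPLY), ("refused", REFUSED)]:
        print("%-9s response-only rule: %-5s OK-reply rule: %s"
              % (name, matches_response_only(pkt), is_ok_reply(pkt)))
```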