Snort mailing list archives
[SPAM] Re: DNS Packets
From: rmkml <rmkml () yahoo fr>
Date: Mon, 3 Jun 2013 21:11:08 +0200 (CEST)
Hi Michal,

Please remove "priority:3;" and please change the sid to something short like 10000002.
Info: change var to ipvar.
Please check the snort cmd line with "-k none" for testing only.
Please check if you need "flow:from_server,established;" on your dns rule.
It works on the latest v2.9.4.6.

Regards
@Rmkml

On Mon, 3 Jun 2013, Michal Purzynski wrote:
On 6/3/13 2:57 PM, Mikey van der Worp wrote:

Hi there,

I've got several rules, but none of them are working properly. "How to detect a DNS Query Reply -> OK". This is something I've created a couple of days ago. Doesn't work as it should. This detects "all queries", even when it's refused. Help please!

== EXAMPLE ==
var DNS_SERVERS [192.168.1.1]
var HOME_NETWORK [192.168.0.1/24]
alert udp $HOME_NETWORK,!$DNS_SERVERS 53 -> !$DNS_SERVERS any (msg: " DNS Query resolved by unknown host."; priority:3; sid:10000000002;)
== EXAMPLE ==

Were you born with it, or did you have an accident?

DEBUG DATA ===
06/03-14:17:03.732308 50:3D:E5:AF:F1:80 -> 00:00:5E:00:01:50 type:0x800 len:0x149
127.0.0.1:53 -> 145.100.**.**:32559 UDP TTL:63 TOS:0x0 ID:34600 IpLen:20 DgmLen:315
Len: 287
23 EF 81 80 00 01 00 05 00 04 00 04 03 77 77 77  #............www
10 67 6F 6F 67 6C 65 61 64 73 65 72 76 69 63 65  .googleadservice
73 03 63 6F 6D 00 00 01 00 01 C0 0C 00 05 00 01  s.com...........
00 00 00 2B 00 1A 06 70 61 67 65 61 64 01 6C 0B  ...+...pagead.l.
64 6F 75 62 6C 65 63 6C 69 63 6B 03 6E 65 74 00  doubleclick.net.
C0 36 00 01 00 01 00 00 01 2C 00 04 4A 7D 84 9B  .6.......,..J}..
C0 36 00 01 00 01 00 00 01 2C 00 04 4A 7D 84 9A  .6.......,..J}..
C0 36 00 01 00 01 00 00 01 2C 00 04 4A 7D 84 9D  .6.......,..J}..
C0 36 00 01 00 01 00 00 01 2C 00 04 4A 7D 84 9C  .6.......,..J}..
C0 3D 00 02 00 01 00 05 40 13 00 0D 03 6E 73 32  .=......@....ns2
06 67 6F 6F 67 6C 65 C0 21 C0 3D 00 02 00 01 00  .google.!.=.....
05 40 13 00 06 03 6E 73 34 C0 A0 C0 3D 00 02 00  .@....ns4...=...
01 00 05 40 13 00 06 03 6E 73 31 C0 A0 C0 3D 00  ...@....ns1...=.
02 00 01 00 05 40 13 00 06 03 6E 73 33 C0 A0 C0  .....@....ns3...
C7 00 01 00 01 00 02 9D 11 00 04 D8 EF 20 0A C0  ............. ..
9C 00 01 00 01 00 02 9D 11 00 04 D8 EF 22 0A C0  ............."..
D9 00 01 00 01 00 02 9D 11 00 04 D8 EF 24 0A C0  .............$..
B5 00 01 00 01 00 02 9D 11 00 04 D8 EF 26 0A     .............&.

Sincerely yours,
Mikey
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
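The rule quoted in the thread matches every UDP datagram that leaves port 53, so a REFUSED reply fires it exactly like a resolved one; nothing in the rule looks at the DNS header. As an added example (not code from the thread, from Snort, or from either poster), the script below parses the 287-byte reply in Mikey's DEBUG DATA (payload taken from the hex dump) and reports the fields a rule would have to test before it can claim "DNS Query resolved": the QR bit, RCODE and ANCOUNT. The REFUSED reply it compares against is constructed here, not captured; the function and constant names are the example's own.

```python
"""Parse the DNS reply from the thread's DEBUG DATA and check the header
fields (QR, RCODE, ANCOUNT) that the quoted Snort rule never examines."""
import struct

# UDP payload of the 287-byte reply captured in the thread (127.0.0.1:53 -> client).
CAPTURED_REPLY = bytes.fromhex(
    "23 EF 81 80 00 01 00 05 00 04 00 04 03 77 77 77"
    "10 67 6F 6F 67 6C 65 61 64 73 65 72 76 69 63 65"
    "73 03 63 6F 6D 00 00 01 00 01 C0 0C 00 05 00 01"
    "00 00 00 2B 00 1A 06 70 61 67 65 61 64 01 6C 0B"
    "64 6F 75 62 6C 65 63 6C 69 63 6B 03 6E 65 74 00"
    "C0 36 00 01 00 01 00 00 01 2C 00 04 4A 7D 84 9B"
    "C0 36 00 01 00 01 00 00 01 2C 00 04 4A 7D 84 9A"
    "C0 36 00 01 00 01 00 00 01 2C 00 04 4A 7D 84 9D"
    "C0 36 00 01 00 01 00 00 01 2C 00 04 4A 7D 84 9C"
    "C0 3D 00 02 00 01 00 05 40 13 00 0D 03 6E 73 32"
    "06 67 6F 6F 67 6C 65 C0 21 C0 3D 00 02 00 01 00"
    "05 40 13 00 06 03 6E 73 34 C0 A0 C0 3D 00 02 00"
    "01 00 05 40 13 00 06 03 6E 73 31 C0 A0 C0 3D 00"
    "02 00 01 00 05 40 13 00 06 03 6E 73 33 C0 A0 C0"
    "C7 00 01 00 01 00 02 9D 11 00 04 D8 EF 20 0A C0"
    "9C 00 01 00 01 00 02 9D 11 00 04 D8 EF 22 0A C0"
    "D9 00 01 00 01 00 02 9D 11 00 04 D8 EF 24 0A C0"
    "B5 00 01 00 01 00 02 9D 11 00 04 D8 EF 26 0A"
)

QUESTION = CAPTURED_REPLY[12:42]  # www.googleadservices.com, type A, class IN
# Constructed (not from the thread): the same query answered with RCODE 5 (REFUSED),
# QR=1, RD=1, RA=1 and no records. The quoted rule cannot tell the two apart.
REFUSED_REPLY = struct.pack("!6H", 0x23EF, 0x8185, 1, 0, 0, 0) + QUESTION

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def parse_name(buf, off):
    """Decode a possibly compressed name (RFC 1035 4.1.4). Returns (name, next_offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack_from("!H", buf, off)[0] & 0x3FFF
            if end is None:
                end = off + 2                          # caller resumes after the pointer
            hops += 1
            if hops > 64:                              # guard against pointer loops
                raise ValueError("compression pointer loop")
            off = pointer
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_header(buf):
    ident, flags, qd, an, ns, ar = struct.unpack_from("!6H", buf, 0)
    return {"id": ident, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF,
            "rd": (flags >> 8) & 1, "ra": (flags >> 7) & 1, "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def parse_reply(buf):
    """Return (header, questions, answers); authority/additional sections are skipped."""
    hdr, off, questions, answers = parse_header(buf), 12, [], []
    for _ in range(hdr["qdcount"]):
        name, off = parse_name(buf, off)
        qtype, qclass = struct.unpack_from("!HH", buf, off)
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(hdr["ancount"]):
        name, off = parse_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        if rtype == 1 and rdlen == 4:                  # A record
            value = ".".join(str(b) for b in buf[off:off + 4])
        elif rtype == 5:                               # CNAME, may itself be compressed
            value, _ = parse_name(buf, off)
        else:
            value = buf[off:off + rdlen].hex()
        off += rdlen
        answers.append((name, rtype, ttl, value))
    return hdr, questions, answers


def is_resolved_answer(buf):
    """The test the quoted rule is missing: a standard-query reply with no error and records."""
    hdr = parse_header(buf)
    return hdr["qr"] == 1 and hdr["opcode"] == 0 and hdr["rcode"] == 0 and hdr["ancount"] > 0


if __name__ == "__main__":
    for label, pkt in (("captured", CAPTURED_REPLY), ("constructed REFUSED", REFUSED_REPLY)):
        hdr, qs, ans = parse_reply(pkt)
        print(f"{label}: id=0x{hdr['id']:04x} qr={hdr['qr']} rcode={RCODES[hdr['rcode']]} "
              f"ancount={hdr['ancount']} resolved={is_resolved_answer(pkt)}")
        for rr in ans:
            print("   ", rr)
```

In the captured packet the flags are 0x8180 (QR=1, RD=1, RA=1, RCODE=0) and the answer section carries one CNAME and four A records, so it is a resolved reply; the constructed packet differs only in the low nibble of byte 3 (RCODE 5) and ANCOUNT 0, which is invisible to a header-less `alert udp ... 53 -> ... any` rule. In Snort terms the same distinction is a `byte_test` on the flag bytes at payload offsets 2 and 3 and on the two-byte ANCOUNT at offset 6 (check the exact `byte_test` operator syntax against the manual for the Snort version in use); together with the `flow:from_server,established;` that rmkml suggests it stops the rule firing on every datagram from port 53.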
Current thread:
- DNS Packets Mikey van der Worp (Jun 03)
- Re: DNS Packets Joel Esler (Jun 03)
- Re: DNS Packets Mikey van der Worp (Jun 03)
- Re: DNS Packets Michal Purzynski (Jun 03)
- [SPAM] Re: DNS Packets rmkml (Jun 03)
- Re: [SPAM] Re: DNS Packets Joel Esler (Jun 03)
- Re: [SPAM] Re: DNS Packets waldo kitty (Jun 03)
- [SPAM] Re: DNS Packets rmkml (Jun 03)
- Re: DNS Packets Joel Esler (Jun 03)