Snort mailing list archives

Re: Using DNS response fields in an alert msg


From: "Rodgers, Anthony (DTMB)" <RodgersA1 () michigan gov>
Date: Wed, 7 Jan 2015 14:53:26 +0000

In similar vein, I'd love to do something with the "X-Forwarded-For" header field in HTTP traffic. For suspected 
infections, it's the proxy client I'm interested in remediating, not the proxy server itself.

Perhaps this is something to take to the oisf-users list.

Anthony Rodgers
Security Analyst
Michigan Security Operations Center (MiSOC)

-----Original Message-----
From: lists () packetmail net [mailto:lists () packetmail net] 
Sent: Wednesday, January 07, 2015 09:06
To: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] Using DNS response fields in an alert msg

On 01/07/2015 07:19 AM, David Longenecker wrote:
> Does anyone on this list have an example of snort parsing a dns
> response into its component name and address fields, and using these fields in the alert message?

Sadly, for this use case this is simply something that Snort is not capable of doing.  Perhaps something like Suricata 
would be useful where you can couple the alert message to the DNS Log which would then provide you with the FQDN 
requested?  As of Suricata 2.0.2 "DNS TXT parsing and logging. Funded by Emerging Threats"

Cheers,
Nathan

------------------------------------------------------------------------------
Dive into the World of Parallel Programming! The Go Parallel Website, sponsored by Intel and developed in partnership 
with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to 
news, videos, case studies, tutorials and more. Take a look and join the conversation now. 
http://goparallel.sourceforge.net _______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

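Both points raised in this thread (Nathan's suggestion of coupling a Suricata alert to the DNS log to recover the FQDN, and Anthony's wish to use X-Forwarded-For to find the proxy client rather than the proxy) come down to the same post-processing step: joining alert records with the protocol records of the same flow. The script below is an added example written for this archive page; it is not code from the thread, from Snort, or from the Suricata project. It assumes EVE-style newline-delimited JSON in which events of one connection share a `flow_id`, DNS answers carry `dns.rrname` / `dns.rdata`, and HTTP events carry the forwarded-for value in `http.xff`; these field names approximate Suricata's output and should be checked against the deployed version. The sample lines are constructed.

```python
import json
from collections import defaultdict

# Constructed sample EVE JSON lines (not real traffic). The field layout is an
# assumption modelled on Suricata's EVE output, not copied from any sensor.
SAMPLE_EVE = """\
{"timestamp":"2015-01-07T09:00:01.000000+0000","flow_id":1001,"event_type":"dns","src_ip":"10.1.1.25","dest_ip":"10.1.1.2","dns":{"type":"query","rrname":"badhost.example","rrtype":"A"}}
{"timestamp":"2015-01-07T09:00:01.050000+0000","flow_id":1001,"event_type":"dns","src_ip":"10.1.1.2","dest_ip":"10.1.1.25","dns":{"type":"answer","rrname":"badhost.example","rrtype":"A","rdata":"203.0.113.9"}}
{"timestamp":"2015-01-07T09:00:01.051000+0000","flow_id":1001,"event_type":"alert","src_ip":"10.1.1.2","dest_ip":"10.1.1.25","alert":{"signature_id":9000001,"signature":"EXAMPLE DNS response for suspicious domain"}}
{"timestamp":"2015-01-07T09:00:02.000000+0000","flow_id":2002,"event_type":"http","src_ip":"10.1.1.200","dest_ip":"203.0.113.9","http":{"hostname":"badhost.example","url":"/","xff":"10.1.5.77, 10.1.1.200"}}
{"timestamp":"2015-01-07T09:00:02.001000+0000","flow_id":2002,"event_type":"alert","src_ip":"10.1.1.200","dest_ip":"203.0.113.9","alert":{"signature_id":9000002,"signature":"EXAMPLE HTTP request to suspicious host"}}
"""


def parse_eve(text):
    """Parse newline-delimited EVE JSON into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def index_context(events):
    """Collect per-flow context: DNS answers and HTTP X-Forwarded-For values."""
    dns_by_flow = defaultdict(list)
    xff_by_flow = {}
    for ev in events:
        fid = ev.get("flow_id")
        if ev.get("event_type") == "dns" and ev["dns"].get("type") == "answer":
            dns_by_flow[fid].append((ev["dns"]["rrname"], ev["dns"].get("rdata")))
        elif ev.get("event_type") == "http" and "xff" in ev["http"]:
            xff_by_flow[fid] = ev["http"]["xff"]
    return dns_by_flow, xff_by_flow


def client_from_xff(xff, proxy_ip, known_proxies):
    """Return the host to remediate.

    X-Forwarded-For is client-supplied and can be forged, so it is only
    honoured when the observed source really is one of our own proxies;
    otherwise the observed source address is the client.
    """
    if proxy_ip not in known_proxies or not xff:
        return proxy_ip
    # Leftmost entry is the originating client as asserted by the proxy chain.
    return xff.split(",")[0].strip()


def enrich_alerts(text, known_proxies=frozenset()):
    """Join each alert with the DNS/HTTP context of its flow."""
    events = parse_eve(text)
    dns_by_flow, xff_by_flow = index_context(events)
    out = []
    for ev in events:
        if ev.get("event_type") != "alert":
            continue
        fid = ev.get("flow_id")
        answers = dns_by_flow.get(fid, [])
        out.append({
            "sid": ev["alert"]["signature_id"],
            "signature": ev["alert"]["signature"],
            "fqdn": answers[0][0] if answers else None,
            "rdata": [a[1] for a in answers],
            "sensor_src": ev["src_ip"],
            "client": client_from_xff(xff_by_flow.get(fid), ev["src_ip"], known_proxies),
        })
    return out


def describe(rec):
    """Render one enriched alert the way the thread wanted the msg to read."""
    fqdn = rec["fqdn"] or "-"
    rdata = ",".join(rec["rdata"]) or "-"
    return "[%d] %s fqdn=%s rdata=%s client=%s" % (
        rec["sid"], rec["signature"], fqdn, rdata, rec["client"])


if __name__ == "__main__":
    for rec in enrich_alerts(SAMPLE_EVE, known_proxies={"10.1.1.200"}):
        print(describe(rec))
```

The `known_proxies` allow-list is the important design choice: without it, any host could name an arbitrary victim in its own X-Forwarded-For header and redirect remediation. Correlating by `flow_id` rather than by timestamp window avoids pairing an alert with an unrelated lookup from a busy resolver.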
