Snort mailing list archives
Re: Using DNS response fields in an alert msg
From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 07 Jan 2015 08:30:59 -0700
On 2015-01-07 07:49 AM, Joel Esler (jesler) wrote:

We have additional functionality being added to OpenAppId in 2.9.8 in DNS. I don't think it will answer your entire use case here though.

--
JOEL ESLER
Sent from my iPhone

On Jan 7, 2015, at 8:23 AM, David Longenecker <david () 7longeneckers com> wrote:

Hi snort folks,

I'm looking for a bit of education. Forgive me if this is not the right forum for questions like this.

Over the holiday break, I spent some time with snort and opendns, inspecting DNS responses to detect potential malicious activity on the local network. The idea was, opendns does a good job of *blocking* malicious content by responding with a warning landing page instead of the actual address; I can use that to *alert* when a blocked page is requested. I look for several known landing pages in the dns answer record, and trigger an alert.

It works pretty well, with one shortcoming: the alerts identify the offending device, but not the name request. I have to go back to the packet capture afterward to determine the requested domain. Does anyone on this list have an example of snort parsing a dns response into its component name and address fields, and using these fields in the alert message?

Project description: http://dnlongen.blogspot.com/snort-dns

Just the rules: https://github.com/dnlongen/snort-dns

Situations like these might be well suited to bro-ids (bro-ids.org). An example log entry for a DNS request:

2015-01-07T06:42:17-0700 C3WrTrRg6VuKeUOf x.x.x.x 15175 203.84.221.53 53 udp 6316 weather.yahooapis.com 1 C_INTERNET 1 A 0 NOERROR T F F F 0 fd-geoycpi-uno.gycpi.b.yahoodns.net 300.000000 F

James
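As an added example (not code from either poster or from the snort-dns project), this parses Bro dns.log records of the form quoted above and flags lookups whose answers contain a block-page address, so the alert can carry the requested name as well as the client. The column order is assumed to be the Bro 2.x dns.log layout (it matches the 23 fields of the sample record); the block-page addresses and the second log record are constructed placeholders.

```python
# Bro 2.x dns.log column order (tab-separated); the record quoted above has these 23 fields.
DNS_LOG_FIELDS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto",
    "trans_id", "query", "qclass", "qclass_name", "qtype", "qtype_name",
    "rcode", "rcode_name", "AA", "TC", "RD", "RA", "Z", "answers", "TTLs",
    "rejected",
]
# Constructed placeholder addresses standing in for the resolver's block-page
# hosts; substitute the landing-page addresses you actually observe.
BLOCK_PAGE_ADDRS = {"192.0.2.10", "192.0.2.11"}

def parse_dns_log_line(line):
    """Split one dns.log record into a dict; 'answers' and 'TTLs' become lists."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != len(DNS_LOG_FIELDS):
        raise ValueError("expected %d fields, got %d"
                         % (len(DNS_LOG_FIELDS), len(parts)))
    rec = dict(zip(DNS_LOG_FIELDS, parts))
    for vec in ("answers", "TTLs"):   # Bro writes vectors comma-separated
        rec[vec] = [] if rec[vec] in ("-", "(empty)") else rec[vec].split(",")
    return rec

def blocked_lookups(lines, block_addrs=BLOCK_PAGE_ADDRS):
    """Yield (client, query, block_addr) for each response whose answers
    include a block-page address, so an alert can name the requested domain."""
    for line in lines:
        if not line.strip() or line.startswith("#"):   # header/blank lines
            continue
        rec = parse_dns_log_line(line)
        hit = next((a for a in rec["answers"] if a in block_addrs), None)
        if hit is not None:
            yield rec["id.orig_h"], rec["query"], hit

# Constructed sample: the record quoted above, plus one lookup a filtering
# resolver answered with its block page (192.0.2.53 stands in for the resolver).
SAMPLE_LOG = [
    "\t".join("2015-01-07T06:42:17-0700 C3WrTrRg6VuKeUOf x.x.x.x 15175 "
              "203.84.221.53 53 udp 6316 weather.yahooapis.com 1 C_INTERNET "
              "1 A 0 NOERROR T F F F 0 fd-geoycpi-uno.gycpi.b.yahoodns.net "
              "300.000000 F".split()),
    "\t".join("2015-01-07T06:43:02-0700 CqJ5Qh3rLx2mP8Xz9 192.168.1.23 50112 "
              "192.0.2.53 53 udp 7001 blocked.example 1 C_INTERNET 1 A 0 "
              "NOERROR F F T T 0 192.0.2.10,192.0.2.11 60.000000,60.000000 "
              "F".split()),
]

def demo():
    """Run the check over SAMPLE_LOG and return the alerts it produces."""
    return list(blocked_lookups(SAMPLE_LOG))
```

Each alert tuple carries the client address, the queried name and the block-page address that matched, which is the pairing the original question was missing.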
Snort-sigs mailing list: https://lists.sourceforge.net/lists/listinfo/snort-sigs