Re: DNS Rules

[Shirkdog <shirkdog () gmail com>]

Yes, it is the number of bytes in the name, so it would be this

|04|this|0C|has-inside|03|com|00|

---
Michael Shirk


On Fri, Mar 4, 2016 at 9:20 AM, Luke Ager <luke.ager () icloud com> wrote:
> Thanks that's great.
>
> also, what if the domian has a - in it...
>
> some examples ive seen use the |0C| to denote this.
>
> If there is a - do you exlude the length and just put |0C| before that part
> of the domain name for instance.
>
> This.has-inside.com
>
> would be
>
> |4|this|0C|has-inside|03|.com|00|
>
> thanks
> Sent from my iPhone
>
> On 4 Mar 2016, at 14:07, Shirkdog <shirkdog () gmail com> wrote:
>
> This is a part of the DNS protocol for the standard notation of names.
> This website explains it nicely:
>
> http://www.tcpipguide.com/free/t_DNSNameNotationandMessageCompressionTechnique.htm
>
>
> ---
> Michael Shirk
>
>
> On Fri, Mar 4, 2016 at 3:08 AM, Luke Ager <luke.ager () icloud com> wrote:
>
> Hi I have wrote rules to detect DNS requests for bad domains before and
>
> usually have only been a single . in the name such as baddomain.com and when
>
> i write the rule i use baddomain|03|com or something similar.
>
>
> I want to detect some domians which have 2 dots in them, or subdomians such
>
> as bad.domain.com so i looked at some exisitng snort rules and noticed |03|
>
> is not always used to represent the . character.
>
>
> here are some examples.
>
>
> alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known
>
> bitcoin domain dnsseed.litecointools.com"; flow:to_server;
>
> byte_test:1,!&,0xF8,2; content:"|07|dnsseed|0D|litecointools|03|com|00|";
>
> fast_pattern:only; metadata:service dns; classtype:policy-violation;
>
> sid:30859; rev:1; )
>
>
>    alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known
>
> bitcoin domain dnsseed.ltc.xurious.com"; flow:to_server;
>
> byte_test:1,!&,0xF8,2; content:"|07|dnsseed|03|ltc|07|xurious|03|com|00|";
>
> fast_pattern:only; metadata:service dns; classtype:policy-violation;
>
> sid:30860; rev:1; )
>
>
>    alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known
>
> bitcoin domain seed.ppcoin.net"; flow:to_server; byte_test:1,!&,0xF8,2;
>
> content:"|04|seed|06|ppcoin|03|net|00|"; fast_pattern:only; metadata:service
>
> dns; classtype:policy-violation; sid:30870; rev:1; )
>
>
> How should I/What characters should I use to represent the . earlier in the
>
> domian name. will bad|03|domain|03|com work or does the first |03| need to
>
> be something else... if so how, how do i determine that?
>
>
> (without running wireshark and looking in the hex)
>
>
>
> thanks
>
> L
>
>
> ------------------------------------------------------------------------------
>
> Site24x7 APM Insight: Get Deep Visibility into Application Performance
>
> APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
>
> Monitor end-to-end web transactions and take corrective actions now
>
> Troubleshoot faster and improve end-user experience. Signup Now!
>
> http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140
>
> _______________________________________________
>
> Snort-users mailing list
>
> Snort-users () lists sourceforge net
>
> Go to this URL to change user options or unsubscribe:
>
> https://lists.sourceforge.net/lists/listinfo/snort-users
>
> Snort-users list archive:
>
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
>
> Please visit http://blog.snort.org to stay current on all the latest Snort
>
> news!

------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!