Snort mailing list archives
Re: snort dns Preprocessor
From: "Seshaiah Erugu (serugu)" <serugu () cisco com>
Date: Mon, 9 May 2016 11:04:30 +0000
Hi Rohan,

I added the following code in the ProcessDNS function and replayed the attached pcap. I can see the count.

diff -d -u -r1.77.10.1 spp_dns.c --- spp_dns.c 13 Apr 2016 15:55:53 -0000 1.77.10.1 +++ spp_dns.c 9 May 2016 11:02:48 -0000 @@ -1426,6 +1426,8 @@ uint8_t known_port = 0; uint8_t direction = 0; SFSnortPacket* p; + + static int REQ_COUNT = 0; #ifdef TARGET_BASED int16_t app_id = SFTARGET_UNKNOWN_PROTOCOL; #endif @@ -1574,6 +1576,12 @@ return; } + if ( direction == DNS_DIR_FROM_CLIENT ) + { + REQ_COUNT++; + _dpd.logMsg("\n \n \n DNS QUERY COUNT:%d \n \n \n \n ",REQ_COUNT); + } + if (direction == DNS_DIR_FROM_SERVER) { ParseDNSResponseMessage(p, dnsSessionData);

Thanks,
Seshaiah Erugu.

From: rohan dora [mailto:dora.rohan () gmail com]
Sent: Saturday, May 07, 2016 7:09 PM
To: Seshaiah Erugu (serugu) <serugu () cisco com>
Cc: snort-devel () lists sourceforge net; snort-users () lists sourceforge net
Subject: Re: [Snort-devel] snort dns Preprocessor

Thanks Seshaiah, I have checked that too, as per your suggestion. However, it is never printing REQUEST. Does Snort capture the packets that are sent out from the same machine it is running on (I have only 1 interface, eth0)? If so, is it ignoring the DNS requests, or what could be the issue?

Thanks a lot

On Sat, May 7, 2016 at 6:51 PM, Seshaiah Erugu (serugu) <serugu () cisco com> wrote:

Hi Rohan,

Can you try with the packet direction flag? Please print REQUEST if the packet direction is from CLIENT.

Thanks,
Seshaiah Erugu.
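Review bot: `static int REQ_COUNT = 0;` in the first hunk (around line 1426) makes the counter a function-scope static that is shared across every session and every packet-processing thread, and all-caps names are the convention for macros in this file, not for variables. If the count is meant to be more than a one-off debugging aid, keep it in the preprocessor's own per-instance state next to the other counters, give it a lowercase name such as `dns_query_count`, and drop the stray blank `+` line the hunk adds above the declaration.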
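Review bot: the increment in the second hunk (around line 1576) runs for every packet whose direction is DNS_DIR_FROM_CLIENT before any of the payload has been parsed, so it counts client-to-server packets rather than DNS queries: a TCP DNS session can carry several queries in one segment or one query split across several, and retransmissions or empty segments are counted as well. Advance the counter only after the DNS header has been parsed and its QR bit confirms a query, as a query-side counterpart to the ParseDNSResponseMessage call just below, and take `_dpd.logMsg("\n \n \n DNS QUERY COUNT:%d \n \n \n \n ",REQ_COUNT);` out of the per-packet path or put it behind the preprocessor's debug output: a seven-newline log line on every client packet will flood the console and log file under real traffic.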
From: rohan dora [mailto:dora.rohan () gmail com]
Sent: Friday, May 06, 2016 4:47 PM
To: Seshaiah Erugu (serugu) <serugu () cisco com>
Cc: snort-devel () lists sourceforge net; snort-users () lists sourceforge net
Subject: Re: [Snort-devel] snort dns Preprocessor

Thanks Seshaiah, I have added code (a simple if condition) in ProcessDNS to track DNS queries:

    p = (SFSnortPacket*) packetPtr;
    if (p->src_port == 53)
        printf("DNS Response\n");
    if (p->dst_port == 53)
        printf("DNS Request\n");

After adding it, I do make, make install and then use nslookup to issue a DNS query. However, I never see "DNS Request" printed on the console. So how will we track the DNS requests? Because I think Snort is handling the packet sniffing/capture part (the user needn't look for it). Please correct me if I am going wrong.

On Fri, May 6, 2016 at 11:16 AM, Seshaiah Erugu (serugu) <serugu () cisco com> wrote:

Hi Rohan,

As you said, currently the DNS preprocessor is inspecting/tracking responses from the DNS server. If you want to track DNS queries from client to server, you can add code in spp_dns.c (ProcessDNS function).

Thanks,
Seshaiah Erugu.
From: rohan dora [mailto:dora.rohan () gmail com]
Sent: Friday, May 06, 2016 10:15 AM
To: snort-devel () lists sourceforge net; snort-users () lists sourceforge net
Subject: [Snort-devel] snort dns Preprocessor

Hello all,

I was browsing through the code of the DNS dynamic preprocessor (spp_dns.c) of Snort 2.9.1.

Objective: To count the number of DNS queries that are made by my machine to the DNS server (may be local or remote, doesn't matter).

Problem: Right now, the DNS dynamic preprocessor is able to track responses that are coming from the DNS server to my machine; however, it is not able to track/see the DNS queries that my machine makes. I know that the DNS preprocessor is meant for analysing the responses of the remote server, but I added some code (some if conditions, print statements) to track DNS queries.

Anyone having ideas what could be the problem, or is this the right approach (modifying code in spp_dns.c)?

Thanks
Attachment: chopped.dnsattack.pcap
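Both approaches in the thread (the src/dst port 53 test in Rohan's snippet and the preprocessor direction flag in Seshaiah's patch) classify a packet by transport metadata, so they cannot tell a packet that carries a query from one that is a retransmission, an empty TCP segment, or a truncated payload. The following standalone C classifier is an added example, not code from the thread or from the Snort project: it decides query versus response from the QR bit of the DNS header, adds QDCOUNT to a question total, and counts payloads too short to hold a header as malformed instead of as queries. The names dns_parse_header, dns_count_message and demo_run, and the sample payloads, are constructed for this example; the payloads are hand-built RFC 1035 messages for example.com, not captured traffic.

```c
/* Standalone DNS query/response classifier.  Added example, not code from the
 * Snort project or the thread; it works on the DNS payload only and has no
 * dependency on SFSnortPacket or the preprocessor's direction flag. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define DNS_HDR_LEN 12       /* RFC 1035 section 4.1.1: fixed 12-byte header */
#define DNS_FLAG_QR 0x8000   /* QR bit: 0 = query, 1 = response */

typedef struct {
    uint16_t id, flags, qdcount, ancount, nscount, arcount;
} dns_header_t;

typedef struct {
    unsigned long queries;    /* messages with QR = 0 */
    unsigned long responses;  /* messages with QR = 1 */
    unsigned long questions;  /* sum of QDCOUNT over counted queries */
    unsigned long malformed;  /* payloads too short to carry a header */
} dns_counts_t;

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Parse the fixed header; returns 0 on success, -1 if the payload is too short. */
int dns_parse_header(const uint8_t *buf, size_t len, dns_header_t *h)
{
    if (buf == NULL || len < DNS_HDR_LEN)
        return -1;
    h->id      = be16(buf);
    h->flags   = be16(buf + 2);
    h->qdcount = be16(buf + 4);
    h->ancount = be16(buf + 6);
    h->nscount = be16(buf + 8);
    h->arcount = be16(buf + 10);
    return 0;
}

/* Classify one DNS payload and update the counters.
 * Returns 1 when the message was counted as a query, 0 otherwise. */
int dns_count_message(const uint8_t *buf, size_t len, dns_counts_t *c)
{
    dns_header_t h;
    if (dns_parse_header(buf, len, &h) != 0) {
        c->malformed++;           /* short segment: not a query */
        return 0;
    }
    if (h.flags & DNS_FLAG_QR) {
        c->responses++;           /* QR set: server answer */
        return 0;
    }
    c->queries++;                 /* QR clear: client query */
    c->questions += h.qdcount;
    return 1;
}

/* Constructed sample payloads (hand-built, not captured traffic). */
static const uint8_t q_a[] = {     /* query, id 0x1234, RD set, 1 question: example.com A */
    0x12,0x34, 0x01,0x00, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x00,
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0x00,0x01, 0x00,0x01 };
static const uint8_t r_a[] = {     /* response to q_a, QR|RD|RA, 1 answer: 192.0.2.1, TTL 3600 */
    0x12,0x34, 0x81,0x80, 0x00,0x01, 0x00,0x01, 0x00,0x00, 0x00,0x00,
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0x00,0x01, 0x00,0x01,
    0xc0,0x0c, 0x00,0x01, 0x00,0x01, 0x00,0x00,0x0e,0x10, 0x00,0x04, 192,0,2,1 };
static const uint8_t q_aaaa[] = {  /* second query, id 0x5678: example.com AAAA */
    0x56,0x78, 0x01,0x00, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x00,
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0x00,0x1c, 0x00,0x01 };
static const uint8_t junk[] = { 0x12,0x34,0x01 };   /* 3 bytes: not even a header */

/* Feed the samples through the classifier; returns the number of queries counted. */
int demo_run(dns_counts_t *c)
{
    int n = 0;
    n += dns_count_message(q_a,    sizeof q_a,    c);
    n += dns_count_message(r_a,    sizeof r_a,    c);
    n += dns_count_message(q_aaaa, sizeof q_aaaa, c);
    n += dns_count_message(junk,   sizeof junk,   c);
    return n;
}

int main(void)
{
    dns_counts_t c = {0, 0, 0, 0};
    demo_run(&c);
    printf("queries=%lu responses=%lu questions=%lu malformed=%lu\n",
           c.queries, c.responses, c.questions, c.malformed);
    return 0;
}
```

Inside a Snort 2 preprocessor the same test would run on the packet payload after the direction check, so that only client-direction packets that actually carry a DNS query header advance the counter, and a counter kept in per-instance state can be reported with the preprocessor's other statistics rather than logged on every packet.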
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- snort dns Preprocessor rohan dora (May 05)
- Re: snort dns Preprocessor Seshaiah Erugu (serugu) (May 05)
- Re: snort dns Preprocessor rohan dora (May 06)
- Re: snort dns Preprocessor Seshaiah Erugu (serugu) (May 07)
- Re: snort dns Preprocessor rohan dora (May 07)
- Re: snort dns Preprocessor Seshaiah Erugu (serugu) (May 09)
- Re: snort dns Preprocessor rohan dora (May 10)
- Re: snort dns Preprocessor rohan dora (May 06)
- Re: snort dns Preprocessor Seshaiah Erugu (serugu) (May 05)