Snort mailing list archives

Re: Alert on web traffic instead of IP Address?


From: Matt Olney <molney () sourcefire com>
Date: Wed, 12 Aug 2009 21:08:32 -0400

If you have a list of domains you know to be bad, you could alert on
the DNS lookup of those names.  Just make sure you check the DNS
protocol.  I don't have my notes here, but to block bad.com, I believe
it would be something like:

alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"Bad host name detected"; flow:to_server; content:"|03|bad|03|com"; classtype:bad-traffic; sid:10000000;)

Or something.  Unfortunately you need a separate rule for each domain;
the good news is that the format for DNS requests makes for a fairly
good fast-pattern match.

I think, haven't tested it, your mileage may vary, etc., ad nauseam.

Matt

On Wed, Aug 12, 2009 at 8:56 PM, Jason Haar <Jason.Haar () trimble co nz> wrote:
On 08/12/2009 02:40 AM, Joel Esler wrote:
Correct, it is *not* possible to put hostnames in a rule.  It's
probably better to write a rule on the content of the traffic than to
try and track an IP.


More specifically, it would be *insane* for an IDS to do on-the-fly DNS
lookups. Don't forget, if you have a rule that says "trigger an alert if
someone connects to this.dns.host  and then...", then the IDS would have
to do DNS lookups for EVERY packet - just in case it matched.

Also, the IDS only sees the IP, so it could only do PTR lookups - which
may not match the A record (certainly true in your case of fast flux).
The same principle applies to firewalls. Firewalls that support DNS only
means they do the DNS lookup ONCE at boot-time, then they match on IP
address thereafter.

If you can get your IDS in front of your DNS servers you may have a
shot. You could write rules to trigger when anyone did the actual DNS
lookup of such hosts...

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now.  http://p.sf.net/sfu/bobj-july
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


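The approach Matt sketches above, worked out as an added example that is not part of the original thread: encode each known-bad domain in DNS wire format (length-prefixed labels, RFC 1035) and emit one Snort rule per domain, since hostnames cannot go in a rule directly. The domain list, the sid numbers, the rule template and the helper names are all assumptions. It goes slightly beyond the posted rule in two ways a practitioner would want: it appends the |00| name terminator so "bad.com" does not also match "bad.com.evil.net", and it adds a byte_test on the QR bit so only queries, not responses, trigger. The local query_matches() function mirrors what the generated rule checks, run against constructed query packets.

```python
"""Generate Snort rules that alert on DNS lookups of known-bad domains.

Added example, not code from the original thread or from Snort itself.
BAD_DOMAINS, the sid base and the rule template are assumptions.
"""
import struct

# Constructed sample list of domains we want to alert on (assumption).
BAD_DOMAINS = ["bad.com", "evil-c2.example"]


def dns_wire_name(domain: str) -> bytes:
    """Encode 'bad.com' as b'\\x03bad\\x03com\\x00' (RFC 1035 label format)."""
    labels = [lab for lab in domain.strip(".").lower().split(".") if lab]
    out = b""
    for label in labels:
        if len(label) > 63:
            raise ValueError(f"label too long: {label}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"  # root label terminates the name


def snort_content(wire: bytes) -> str:
    """Render bytes in Snort content syntax: letters, digits and '-' as
    literals, everything else as |hh| hex blocks, e.g. |03|bad|03|com|00|.
    Hostname labels never contain ; " | or \\, so no escaping is needed."""
    parts, hexbuf = [], []

    def flush():
        if hexbuf:
            parts.append("|" + " ".join(hexbuf) + "|")
            hexbuf.clear()

    for b in wire:
        if chr(b).isalnum() and b < 0x80 or b == 0x2D:
            flush()
            parts.append(chr(b))
        else:
            hexbuf.append(f"{b:02x}")
    flush()
    return "".join(parts)


def snort_rule(domain: str, sid: int, rev: int = 1) -> str:
    """One rule per domain. byte_test on byte 2 requires QR=0 (a query, not
    a response); nocase covers mixed-case names (e.g. 0x20 randomisation);
    fast_pattern puts the encoded name in the fast-pattern matcher."""
    content = snort_content(dns_wire_name(domain))
    return (
        "alert udp $HOME_NET any -> $DNS_SERVERS 53 ("
        f'msg:"Bad host name detected - DNS query for {domain}"; '
        "byte_test:1,!&,0x80,2; "
        f'content:"{content}"; nocase; fast_pattern; '
        f"classtype:bad-traffic; sid:{sid}; rev:{rev};)"
    )


def build_dns_query(domain: str, txid: int = 0x1234) -> bytes:
    """Constructed sample packet: a standard recursive A query for domain."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    return header + dns_wire_name(domain) + struct.pack("!HH", 1, 1)  # A, IN


def query_matches(payload: bytes, domain: str) -> bool:
    """Local equivalent of the generated rule: QR bit clear and the
    terminated wire-format name present anywhere in the payload."""
    if len(payload) < 12 or payload[2] & 0x80:
        return False
    return dns_wire_name(domain) in payload.lower()


def generate_rules(domains, sid_base: int = 1000001):
    """Return the full rule set, one rule per domain, sids ascending."""
    return [snort_rule(d, sid_base + i) for i, d in enumerate(domains)]


if __name__ == "__main__":
    for rule in generate_rules(BAD_DOMAINS):
        print(rule)
```

The generated content for bad.com is |03|bad|03|com|00|, which matches a query for www.bad.com (the name is a suffix of the wire-format name) but not bad.com.evil.net, which the posted pattern without the terminator would also hit. Matching the raw name does not cover names compressed with pointers, but compression is not used in the question section of a query, so this is adequate for the query-side rule shown.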