Snort mailing list archives

Odd Byte Tests in BLACKLIST DNS request for known malware domain rules


From: Christopher Granger <chrisgrangerx () gmail com>
Date: Thu, 13 Oct 2011 22:06:13 -0400

Hi,

I noticed that for the "BLACKLIST DNS request for known malware domain"
rules, some strange byte_test checks appear to be made. E.g. sid:16887,

1) byte_test:1,!&,64,2; -> test for Opcode not 8 (reserved Opcode)?

2) byte_test:1,!&,32,2; -> test for Opcode not 4 (Notify)

3) byte_test:1,!&,16,2; -> test for Opcode not 2 (Server status request)

4) byte_test:1,!&,8,2; -> test for Opcode not 1 (Inverse query)

Most, if not all, of the "BLACKLIST DNS request for known malware domain"
rules use these byte tests, it appears, except for the TDL-4 rules, which
appear to be testing for Opcodes not set to 15 (Reserved) -->
byte_test:1,!&,0x78,2;

Are these the intended checks for these rules?

Thanks,
Chris Granger
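The semantics of the byte_test options quoted above can be checked offline. The following is an added example, not code from the original post or from the Snort rule set: it implements the subset of Snort's byte_test behaviour used here (1-byte read at a payload offset, `&` passes when the AND is non-zero, `!&` when it is zero), builds a constructed UDP DNS query header for each Opcode value, and evaluates the four separate tests next to the single 0x78 test. It assumes the payload starts at the DNS header (UDP, no two-byte TCP length prefix), so offset 2 is the byte holding QR, Opcode, AA, TC and RD.

```python
import struct

# DNS header byte at offset 2 (RFC 1035 section 4.1.1):
#   bit 7: QR, bits 6-3: Opcode, bit 2: AA, bit 1: TC, bit 0: RD


def byte_test(payload, nbytes, op, value, offset):
    """Subset of Snort byte_test: read nbytes big-endian at offset
    and apply '&' (passes if field & value != 0) or '!&' (passes if
    field & value == 0). Other operators are not needed here."""
    field = int.from_bytes(payload[offset:offset + nbytes], "big")
    if op == "&":
        return (field & value) != 0
    if op == "!&":
        return (field & value) == 0
    raise ValueError("unsupported operator: %s" % op)


def dns_opcode(payload):
    """Extract the 4-bit Opcode from a DNS header."""
    return (payload[2] >> 3) & 0x0F


def build_dns_query(opcode, qname="example.invalid"):
    """Constructed DNS query (not a real capture): header with QR=0,
    the given Opcode, RD=1, plus one A/IN question."""
    txid = 0x1234
    flags = (opcode << 11) | 0x0100          # Opcode in bits 14-11, RD set
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = b"".join(bytes([len(label)]) + label.encode()
                        for label in qname.split(".")) + b"\x00"
    return header + question + struct.pack("!HH", 1, 1)


# The four tests from the question: each clears one Opcode bit.
FOUR_TESTS = [(1, "!&", 64, 2), (1, "!&", 32, 2),
              (1, "!&", 16, 2), (1, "!&", 8, 2)]
# The TDL-4 variant: all four Opcode bits in one mask.
ONE_TEST = [(1, "!&", 0x78, 2)]


def rule_matches(payload, tests):
    """All byte_test options in a rule must pass for the rule to fire."""
    return all(byte_test(payload, *t) for t in tests)


def compare_all_opcodes():
    """Map each Opcode 0..15 to (four-test result, single-test result)."""
    results = {}
    for opcode in range(16):
        pkt = build_dns_query(opcode)
        results[opcode] = (rule_matches(pkt, FOUR_TESTS),
                           rule_matches(pkt, ONE_TEST))
    return results


if __name__ == "__main__":
    for opcode, (four, one) in compare_all_opcodes().items():
        print("Opcode %2d  four tests: %-5s  0x78 test: %-5s"
              % (opcode, four, one))
```

Run as a script it prints one line per Opcode: only Opcode 0 (standard QUERY) passes, and the two forms agree for every value, since 64|32|16|8 is 0x78. Neither form touches bit 7 (QR), so these options alone do not distinguish a query from a response; whatever else the rule matches on would have to do that.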
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!