Snort mailing list archives
Odd Byte Tests in BLACKLIST DNS request for known malware domain rules
From: Christopher Granger <chrisgrangerx () gmail com>
Date: Thu, 13 Oct 2011 22:06:13 -0400
Hi,

I noticed that for the "BLACKLIST DNS request for known malware domain" rules, some strange byte_test checks appear to be made. E.g. sid:16887,

1) byte_test:1,!&,64,2; -> test for Opcode not 8 (reserved Opcode)?
2) byte_test:1,!&,32,2; -> test for Opcode not 4 (Notify)
3) byte_test:1,!&,16,2; -> test for Opcode not 2 (Server status request)
4) byte_test:1,!&,8,2; -> test for Opcode not 1 (Inverse query)

Most if not all of the "BLACKLIST DNS request for known malware domain" rules use these byte tests it appears, except for the TDL-4 rules, which appear to be testing for Opcodes not set to 15 (Reserved) --> byte_test:1,!&,0x78,2;

Are these the intended checks for these rules?

Thanks,
Chris Granger
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
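The byte_test options quoted in the message above all read the byte at offset 2 of the DNS payload, which is the first flags byte of the DNS header (QR in bit 7, the four Opcode bits in bits 6..3, then AA, TC, RD). In Snort's byte_test syntax, `&` succeeds when (value AND mask) is non-zero and the leading `!` inverts that, so `byte_test:1,!&,64,2` succeeds only when bit 64 (the top Opcode bit) is clear. The following script is an added example, not code from the original post or from the Snort rule set; it constructs minimal DNS queries for every Opcode value (constructed sample packets, not captured traffic) and evaluates both forms of the check. It models only the byte_test options, not the other content matches in sid:16887 or the TDL-4 rules, and ignores the relative modifier, treating offset 2 as measured from the start of the DNS payload.

```python
# Added example (not from the post or the Snort rule set): evaluate the
# byte_test:1,!&,<mask>,2 checks against the DNS header flags byte.
import struct

# DNS header layout: ID(2) FLAGS(2) QDCOUNT(2) ANCOUNT(2) NSCOUNT(2) ARCOUNT(2)
# First flags byte (payload offset 2): QR(bit 7) | Opcode(bits 6..3) | AA | TC | RD
OPCODE_MASK = 0x78  # 0111 1000 == 64 | 32 | 16 | 8


def byte_test_not_and(payload: bytes, mask: int, offset: int, size: int = 1) -> bool:
    """Snort byte_test:<size>,!&,<mask>,<offset> semantics:
    read <size> big-endian bytes at <offset>; '&' succeeds when (value & mask) != 0,
    and the leading '!' inverts it, so this succeeds when no masked bit is set."""
    if offset + size > len(payload):
        return False  # byte_test cannot read past the end of the buffer
    value = int.from_bytes(payload[offset:offset + size], "big")
    return (value & mask) == 0


def dns_opcode(payload: bytes) -> int:
    """Extract the 4-bit Opcode from the first flags byte."""
    return (payload[2] & OPCODE_MASK) >> 3


def build_dns_query(qname: str, opcode: int = 0, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query with the given Opcode (constructed sample data)."""
    flags_hi = ((opcode & 0xF) << 3) | 0x01   # QR=0, Opcode, RD=1
    flags_lo = 0x00                           # RA=0, Z=0, RCODE=0
    header = struct.pack(">HBBHHHH", txid, flags_hi, flags_lo, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    question = labels + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN
    return header + question


def four_tests_pass(payload: bytes) -> bool:
    """The four separate tests most BLACKLIST DNS rules chain together:
    byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2;"""
    return all(byte_test_not_and(payload, mask, 2) for mask in (64, 32, 16, 8))


def mask_test_passes(payload: bytes) -> bool:
    """The single test used by the TDL-4 rules: byte_test:1,!&,0x78,2;"""
    return byte_test_not_and(payload, 0x78, 2)


def evaluate_all_opcodes() -> dict:
    """Return {opcode: (four separate tests pass, single 0x78 test passes)}."""
    results = {}
    for op in range(16):
        pkt = build_dns_query("example.com", opcode=op)
        results[op] = (four_tests_pass(pkt), mask_test_passes(pkt))
    return results


if __name__ == "__main__":
    for op, (four, single) in evaluate_all_opcodes().items():
        print(f"opcode {op:2d}: four tests={str(four):5} 0x78 mask={str(single):5}")
```

Running it shows that the four chained `!&` tests and the single `!&,0x78` test accept exactly the same packets: only Opcode 0 (a standard QUERY) passes, and every other Opcode fails at least one of the four bit tests. Each individual test clears one Opcode bit rather than excluding one Opcode value, so the chain is a "standard query only" filter written as four bit checks.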
Current thread:
- Odd Byte Tests in BLACKLIST DNS request for known malware domain rules Christopher Granger (Oct 13)
- Re: Odd Byte Tests in BLACKLIST DNS request for known malware domain rules Christopher Granger (Oct 13)
- Re: Odd Byte Tests in BLACKLIST DNS request for known malware domain rules Christopher Granger (Oct 13)
- Re: Odd Byte Tests in BLACKLIST DNS request for known malware domain rules Christopher Granger (Oct 14)
- Re: Odd Byte Tests in BLACKLIST DNS request for known malware domain rules Joel Esler (Oct 15)
- Re: Odd Byte Tests in BLACKLIST DNS request for known malware domain rules Christopher Granger (Oct 13)
- Re: Odd Byte Tests in BLACKLIST DNS request for known malware domain rules Christopher Granger (Oct 13)