Re: Odd Byte Tests in BLACKLIST DNS request for known malware domain rules

[Christopher Granger <chrisgrangerx () gmail com>]

I just found this
http://www.snort.org/assets/174/SnortUsersWebcast-Rules_pt2.pdf which clued
me in that the four byte tests done in most of the BLACKLIST DNS rules is
probably intended to be equivalent to the single byte test done in the TDL-4
rules, which appears to be a check for Opcodes not being set to 15?

Thanks again,
Chris

On Thu, Oct 13, 2011 at 10:06 PM, Christopher Granger <
chrisgrangerx () gmail com> wrote:

> Hi,
>
> I noticed that for the "BLACKLIST DNS request for known malware domain"
> rules, some strange byte_test checks appear to be made. E.g. sid:16887,
>
> 1) byte_test:1,!&,64,2; -> test for Opcode not 8 (reserved Opcode)?
>
> 2) byte_test:1,!&,32,2; -> test for Opcode not 4 (Notify)
>
> 3) byte_test:1,!&,16,2; -> test for Opcode not 2 (Server status request)
>
> 4) byte_test:1,!&,8,2; -> test for Opcode not 1 (Inverse query)
>
> Most if not all of the "BLACKLIST DNS request for known malware domain"
> rules use these byte tests it appears, except for the TDL-4 rules, which
> appear to be testing for Opcodes not set to 15 (Reserved) -->
> byte_test:1,!&,0x78,2;
>
> Are these the intended checks for these rules?
>
> Thanks,
> Chris Granger
------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a
definitive record of customers, application performance, security
threats, fraudulent activity and more. Splunk takes this data and makes
sense of it. Business sense. IT sense. Common sense.
http://p.sf.net/sfu/splunk-d2d-oct

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!