Snort mailing list archives
Re: Odd Byte Tests in BLACKLIST DNS request for known malware domain rules
From: Christopher Granger <chrisgrangerx () gmail com>
Date: Sat, 15 Oct 2011 02:32:40 -0400
Hi VRT, I noticed that the somewhat counter-intuitive way byte_test works with bitwise operators doesn't appear to be documented in the Users Manual. I did find it in the referenced Snort webcast document ( http://www.snort.org/assets/174/SnortUsersWebcast-Rules_pt2.pdf), and it accounts for the equivalence of the two kinds of byte_tests in the BLACKLIST known malware domain rules: "On any byte_test, a non-zero response is a success" Could this please be added for inclusion in a future copy of the manual? Thank you, -Chris On Thu, Oct 13, 2011 at 10:51 PM, Christopher Granger < chrisgrangerx () gmail com> wrote:
Sorry for the FP :) So they're equivalent checks that the Opcode = 0 (Standard query) On Thu, Oct 13, 2011 at 10:26 PM, Christopher Granger < chrisgrangerx () gmail com> wrote:I just found this http://www.snort.org/assets/174/SnortUsersWebcast-Rules_pt2.pdf which clued me in that the four byte tests done in most of the BLACKLIST DNS rules is probably intended to be equivalent to the single byte test done in the TDL-4 rules, which appears to be a check for Opcodes not being set to 15? Thanks again, Chris On Thu, Oct 13, 2011 at 10:06 PM, Christopher Granger < chrisgrangerx () gmail com> wrote:Hi, I noticed that for the "BLACKLIST DNS request for known malware domain" rules, some strange byte_test checks appear to be made. E.g. sid:16887, 1) byte_test:1,!&,64,2; -> test for Opcode not 8 (reserved Opcode)? 2) byte_test:1,!&,32,2; -> test for Opcode not 4 (Notify) 3) byte_test:1,!&,16,2; -> test for Opcode not 2 (Server status request) 4) byte_test:1,!&,8,2; -> test for Opcode not 1 (Inverse query) Most if not all of the "BLACKLIST DNS request for known malware domain" rules use these byte tests it appears, except for the TDL-4 rules, which appear to be testing for Opcodes not set to 15 (Reserved) --> byte_test:1,!&,0x78,2; Are these the intended checks for these rules? Thanks, Chris Granger
------------------------------------------------------------------------------ All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense. http://p.sf.net/sfu/splunk-d2d-oct
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Odd Byte Tests in BLACKLIST DNS request for known malware domain rules Christopher Granger (Oct 13)
- Re: Odd Byte Tests in BLACKLIST DNS request for known malware domain rules Christopher Granger (Oct 13)
- Re: Odd Byte Tests in BLACKLIST DNS request for known malware domain rules Christopher Granger (Oct 13)
- Re: Odd Byte Tests in BLACKLIST DNS request for known malware domain rules Christopher Granger (Oct 14)
- Re: Odd Byte Tests in BLACKLIST DNS request for known malware domain rules Joel Esler (Oct 15)
- Re: Odd Byte Tests in BLACKLIST DNS request for known malware domain rules Christopher Granger (Oct 13)
- Re: Odd Byte Tests in BLACKLIST DNS request for known malware domain rules Christopher Granger (Oct 13)