Re: Odd Byte Tests in BLACKLIST DNS request for known malware domain rules

[Joel Esler <jesler () sourcefire com>]

Yup. I'll put it in a bug. Thanks. 

-- 
Joel Esler

On Oct 15, 2011, at 2:32 AM, Christopher Granger <chrisgrangerx () gmail com> wrote:

> Hi VRT,
>
> I noticed that the somewhat counter-intuitive way byte_test works with bitwise operators doesn't appear to be 
> documented in the Users Manual. I did find it in the referenced Snort webcast document 
> (http://www.snort.org/assets/174/SnortUsersWebcast-Rules_pt2.pdf), and it accounts for the equivalence of the two 
> kinds of byte_tests in the BLACKLIST known malware domain rules: "On any byte_test, a non-zero response is a success"
>
> Could this please be added for inclusion in a future copy of the manual? 
>
> Thank you,
> -Chris
>
> On Thu, Oct 13, 2011 at 10:51 PM, Christopher Granger <chrisgrangerx () gmail com> wrote:
> Sorry for the FP :) So they're equivalent checks that the Opcode = 0 (Standard query)
>
>
> On Thu, Oct 13, 2011 at 10:26 PM, Christopher Granger <chrisgrangerx () gmail com> wrote:
> I just found this http://www.snort.org/assets/174/SnortUsersWebcast-Rules_pt2.pdf which clued me in that the four 
> byte tests done in most of the BLACKLIST DNS rules is probably intended to be equivalent to the single byte test done 
> in the TDL-4 rules, which appears to be a check for Opcodes not being set to 15?
>
> Thanks again,
> Chris 
>
>
> On Thu, Oct 13, 2011 at 10:06 PM, Christopher Granger <chrisgrangerx () gmail com> wrote:
> Hi,
>
> I noticed that for the "BLACKLIST DNS request for known malware domain" rules, some strange byte_test checks appear 
> to be made. E.g. sid:16887, 
>
> 1) byte_test:1,!&,64,2; -> test for Opcode not 8 (reserved Opcode)?
>
> 2) byte_test:1,!&,32,2; -> test for Opcode not 4 (Notify)
>
> 3) byte_test:1,!&,16,2; -> test for Opcode not 2 (Server status request)
>
> 4) byte_test:1,!&,8,2; -> test for Opcode not 1 (Inverse query)
>
> Most if not all of the "BLACKLIST DNS request for known malware domain" rules use these byte tests it appears, except 
> for the TDL-4 rules, which appear to be testing for Opcodes not set to 15 (Reserved) --> byte_test:1,!&,0x78,2;
>
> Are these the intended checks for these rules?
>
> Thanks,
> Chris Granger
>
>
>
> ------------------------------------------------------------------------------
> All the data continuously generated in your IT infrastructure contains a
> definitive record of customers, application performance, security
> threats, fraudulent activity and more. Splunk takes this data and makes
> sense of it. Business sense. IT sense. Common sense.
> http://p.sf.net/sfu/splunk-d2d-oct
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!

Attachment: smime.p7s
Description:

------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a
definitive record of customers, application performance, security
threats, fraudulent activity and more. Splunk takes this data and makes
sense of it. Business sense. IT sense. Common sense.
http://p.sf.net/sfu/splunk-d2d-oct

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!