Re: Advanced DNS rules

[Curt Shaffer <cshaffer () gmail com>]

I guess another question would be does the DNS preprocessor enabled
for experimental and deprecated options catch the Z bit anyway?


On Sun, Feb 19, 2012 at 3:12 PM, Geoffrey Sanders
<gtsanders_70 () yahoo com> wrote:
> I don't think you'll be able to accomplish your use case without bit masking. Think of it as using snort as a tcpdump 
> filter.
>
> http://vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html?m=1
>
> - Geoff
>
> On Feb 19, 2012, at 1:51 PM, Curt Shaffer <cshaffer () gmail com> wrote:
>
> > I'm looking for some information on way to look for malformed DNS
> > packets. Mainly looking for large UDP requests (dsize:>512) that are
> > NOT DNSSEC related, and a rule looking for the reserved flag (Z),
> > reference here: http://www.networksorcery.com/enp/protocol/dns.htm#Z,
> > in the DNS Flags field. I'm having trouble finding decent
> > documentation. I have the following:
> >
> > Detects large packets, but want this to alert only if we are not using DNSSEC:
> >
> > alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:" Inbound Large DNS
> > Packet Detected NOT DNSSEC";  dsize:> 512; classtype:dns;  sid:xxxxx;
> > rev:1; )
> >
> > The following I thought would work for the reserved bit (Z), but I am
> > getting alerts even when the bit is not set:
> >
> > alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS Reserved Bit
> > Set"; content:!"|00|"; offset:25; classtype:dns; sid:9000246; rev:1;)
> >
> > Can anyone point me at some documentation for Snort on these topics or
> > lend a hand to help see what I'm missing?
> >
> > Thanks
> >
> > Curt
> >
> > ------------------------------------------------------------------------------
> > Virtualization & Cloud Management Using Capacity Planning
> > Cloud computing makes use of virtualization - but cloud computing
> > also focuses on allowing computing to be delivered as a service.
> > http://www.accelacomm.com/jaw/sfnl/114/51521223/
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs () lists sourceforge net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> > http://www.snort.org
> >
> >
> > Please visit http://blog.snort.org for the latest news about Snort!

------------------------------------------------------------------------------
Keep Your Developer Skills Current with LearnDevNow!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-d2d
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!