Re: DNS Packets

[Mikey van der Worp <mvdworp () utelisys com>]

Hi,

Thanks for the reply.

Does anybody  have any other solutions?
Because when i need to do this.. I need to setup an entire new environment with Virtual Servers etc etc.

Greatz,
Mikey


Van: Joel Esler [mailto:jesler () sourcefire com]
Verzonden: maandag 3 juni 2013 15:46
Aan: Mikey van der Worp
CC: snort-users () lists sourceforge net
Onderwerp: Re: [Snort-users] DNS Packets

On Jun 3, 2013, at 8:57 AM, Mikey van der Worp <mvdworp () utelisys com<mailto:mvdworp () utelisys com>> wrote:


Hi there

I've got several rules.. But non of them are working properly..

"How to detect a DNS Query Reply -> OK"..
This is something i've created a couple of days ago... Doesn't work as it should be.. This detects "all querys".. Even 
when its refused...

I would take the packet capture you have and throw it into wireshark and learn which bytes in the packet you have 
indicate a "Query Reply -> OK" response, and write a rule to detect that sequence of bytes.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite
It's a free troubleshooting tool designed for production
Get down to code-level detail for bottlenecks, with <2% overhead.
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap2

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!