Re: DNS Packets

[Michal Purzynski <michal () rsbac org>]

On 6/3/13 2:57 PM, Mikey van der Worp wrote:
> Hi there
>
> I've got several rules.. But non of them are working properly..
>
> "How to detect a DNS Query Reply -> OK"..
>
> This is something i've created a couple of days ago... Doesn't work as 
> it should be.. This detects "all querys".. Even when its refused...
*Have you born with it, or had an accident?*
> ****
>
> DEBUG DATA ===
>
> 06/03-14:17:03.732308 50:3D:E5:AF:F1:80 -> 00:00:5E:00:01:50 
> type:0x800 len:0x149
>
> 127.0.0.1:53 -> 145.100.**.**:32559 UDP TTL:63 TOS:0x0 ID:34600 
> IpLen:20 DgmLen:315 Len: 287
>
> 23 EF 81 80 00 01 00 05 00 04 00 04 03 77 77 77  #............www
>
> 10 67 6F 6F 67 6C 65 61 64 73 65 72 76 69 63 65  .googleadservice
>
> 73 03 63 6F 6D 00 00 01 00 01 C0 0C 00 05 00 01  s.com...........
>
> 00 00 00 2B 00 1A 06 70 61 67 65 61 64 01 6C 0B  ...+...pagead.l.
>
> 64 6F 75 62 6C 65 63 6C 69 63 6B 03 6E 65 74 00  doubleclick.net.
>
> C0 36 00 01 00 01 00 00 01 2C 00 04 4A 7D 84 9B  .6.......,..J}..
>
> C0 36 00 01 00 01 00 00 01 2C 00 04 4A 7D 84 9A  .6.......,..J}..
>
> C0 36 00 01 00 01 00 00 01 2C 00 04 4A 7D 84 9D  .6.......,..J}..
>
> C0 36 00 01 00 01 00 00 01 2C 00 04 4A 7D 84 9C  .6.......,..J}..
>
> C0 3D 00 02 00 01 00 05 40 13 00 0D 03 6E 73 32  .=......@....ns2
>
> 06 67 6F 6F 67 6C 65 C0 21 C0 3D 00 02 00 01 00  .google.!.=.....
>
> 05 40 13 00 06 03 6E 73 34 C0 A0 C0 3D 00 02 00  .@....ns4...=...
>
> 01 00 05 40 13 00 06 03 6E 73 31 C0 A0 C0 3D 00  ...@....ns1...=.
>
> 02 00 01 00 05 40 13 00 06 03 6E 73 33 C0 A0 C0  .....@....ns3...
>
> C7 00 01 00 01 00 02 9D 11 00 04 D8 EF 20 0A C0  ............. ..
>
> 9C 00 01 00 01 00 02 9D 11 00 04 D8 EF 22 0A C0  ............."..
>
> D9 00 01 00 01 00 02 9D 11 00 04 D8 EF 24 0A C0  .............$..
>
> B5 00 01 00 01 00 02 9D 11 00 04 D8 EF 26 0A     .............&.
>
> Sincerely yours,
>
> Mikey
>
>
>
> ------------------------------------------------------------------------------
> Get 100% visibility into Java/.NET code with AppDynamics Lite
> It's a free troubleshooting tool designed for production
> Get down to code-level detail for bottlenecks, with <2% overhead.
> Download for free and get started troubleshooting in minutes.
> http://p.sf.net/sfu/appdyn_d2d_ap2
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite
It's a free troubleshooting tool designed for production
Get down to code-level detail for bottlenecks, with <2% overhead.
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap2

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!