Re: [SPAM] Re: DNS Packets

[Joel Esler <jesler () sourcefire com>]

On Jun 3, 2013, at 3:11 PM, rmkml <rmkml () yahoo fr> wrote:

> Please remove "priority:3;"

Doesn't need to if he doesn't want to.

> and please change sid to short like 10000002.

Again, up to him and his numbering sequence.  Nothing wrong with that.

> Info: change var to ipvar.

Depends on his version of Snort.

> Please check snort cmd line with "-k none" for testing only.
>
> Please check if you need "flow:from_server,established;" on your dns rule.

Don't need established if you are doing a UDP rule.

Still doesn't solve his problems.

He's looking for someone to provide him the answer.  

Give a man the answer, and he’ll only have a temporary solution. Teach him the principles that led you to that answer, 
and he will be able to create his own solutions in the future.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
------------------------------------------------------------------------------
How ServiceNow helps IT people transform IT departments:
1. A cloud service to automate IT design, transition and operations
2. Dashboards that offer high-level views of enterprise services
3. A single system of record for all IT processes
http://p.sf.net/sfu/servicenow-d2d-j
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!