Snort mailing list archives

DNS Servers


From: Mikey van der Worp <mvdworp () utelisys com>
Date: Fri, 17 May 2013 13:29:15 +0200

Hi there,

Does somebody have a proper rule for DNS server detection?

We don't want users to run DNS servers on their computer/router.
I'm currently using the following rules, which I have created:

var DNS_SERVERS [_OUR_DNS_SERVERS_]
var HOME_NETWORK [_NETWORK_WHICH_SHOULD_NOT_USE_DNS_]

alert udp [$HOME_NETWORK,!$DNS_SERVERS] 53 -> !$DNS_SERVERS any (msg:"IP running a DNS Server."; priority:3; sid:1000002;)
alert tcp [$HOME_NETWORK,!$DNS_SERVERS] 53 -> !$DNS_SERVERS any (msg:"IP running a DNS Server."; priority:3; sid:1000003;)

The problem with these rules is that they detect every DNS server, even when it only replies to the "client" with REFUSED. So our Threat Management System blocks the user.
Does anybody have any ideas?

What it needs to do is basically grep all the users who have a DNS server running and listening to the world.

--
Mikey

Utelisys Communications B.V.
Tel: +31 (0) 20 561 8010
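An added example, not part of the original post, of how rules like the ones above can be narrowed so they fire only on a home host that actually answers queries from outside, instead of on every reply including REFUSED. The match keys on the DNS header: bit 0x80 of byte 2 is QR (1 = response), the low nibble of byte 3 is RCODE (0 = NOERROR, 5 = REFUSED), and bytes 6-7 are ANCOUNT. Over TCP every offset shifts by 2 because the message is prefixed with a 2-byte length. Assumptions: $EXTERNAL_NET is defined in snort.conf as usual and stands in for "the world", the ipvar values are placeholders to be filled in, and the sid values are arbitrary local-range numbers.

```snort
# Added example, not from the original post. The IP values are placeholders.
ipvar DNS_SERVERS [_OUR_DNS_SERVERS_]
ipvar HOME_NETWORK [_NETWORK_WHICH_SHOULD_NOT_USE_DNS_]

# UDP: a DNS answer leaving a home host from port 53 towards the Internet.
#   byte_test:1,&,0x80,2   QR bit set, so this is a response, not a query
#   byte_test:1,!&,0x0F,3  RCODE == 0 (NOERROR); REFUSED (5) and SERVFAIL (2) do not match
#   byte_test:2,>,0,6      ANCOUNT > 0, the answer section is non-empty
alert udp [$HOME_NETWORK,!$DNS_SERVERS] 53 -> $EXTERNAL_NET any (msg:"HOME host answering DNS queries from the Internet (UDP)"; byte_test:1,&,0x80,2; byte_test:1,!&,0x0F,3; byte_test:2,>,0,6; classtype:policy-violation; priority:3; sid:1000004; rev:1;)

# TCP: same header checks, shifted by the 2-byte length prefix.
# flow:established,from_server keeps this on the reply direction of a completed handshake.
alert tcp [$HOME_NETWORK,!$DNS_SERVERS] 53 -> $EXTERNAL_NET any (msg:"HOME host answering DNS queries from the Internet (TCP)"; flow:established,from_server; byte_test:1,&,0x80,4; byte_test:1,!&,0x0F,5; byte_test:2,>,0,8; classtype:policy-violation; priority:3; sid:1000005; rev:1;)
```

Replies to $HOME_NETWORK destinations are deliberately left out, since a user resolving names for their own LAN is not "listening to the world". If your policy should also count servers that return NXDOMAIN for external queries (they are still serving), drop the RCODE test and keep only the QR and ANCOUNT checks, or relax ANCOUNT and test the authoritative-answer bit (0x04 of byte 2) instead.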