Snort mailing list archives
DNS Servers
From: Mikey van der Worp <mvdworp () utelisys com>
Date: Fri, 17 May 2013 13:29:15 +0200
Hi there,

Does somebody have a proper rule for DNS Server Detections? We don't want users to run DNS Servers on their computer/router. I'm currently using the following rule, which I have created:

var DNS_SERVERS [_OUR_DNS_SERVERS_]
var HOME_NETWORK [_NETWORK_WHICH_SHOULD_NOT_USE_DNS_]

alert udp $HOME_NETWORK,!$DNS_SERVERS 53 -> !$DNS_SERVERS any (msg: " IP running an DNS Server."; priority:3; sid:10000000002;)
alert tcp $HOME_NETWORK,!$DNS_SERVERS 53 -> !$DNS_SERVERS any (msg: " IP running an DNS Server."; priority:3; sid:10000000003;)

The problem with these rules is that they detect every DNS Server, even when they reply back to the "client" -> REFUSED. So our Threat Management System blocks the user.

Maybe somebody has any ideas? What it needs to do is basically grep all the users who have a DNS server running and listening to the world.

--
Mikey
Utelisys Communications B.V.
Tel: +31 (0) 20 561 8010
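The distinction the post asks for (a host that answers queries versus one that only replies REFUSED) is visible in the DNS header: the QR bit and the 4-bit RCODE in the flags word at bytes 2-3 of the message. The following is an added example, not part of the original message or of Snort; the function names, the choice to treat NOERROR and NXDOMAIN as "serving", and the sample packets are assumptions made for illustration.

```python
import struct

QR_RESPONSE = 0x8000  # header flag: message is a response
RCODE_MASK = 0x000F   # low four bits of the flags word
REFUSED = 5
ANSWERING_RCODES = {0, 3}  # NOERROR, NXDOMAIN (assumption: these count as "serving")

def classify_dns_payload(payload, tcp=False):
    """Classify a payload sent from source port 53 by its DNS header only."""
    if tcp:                      # DNS over TCP carries a 2-byte length prefix
        payload = payload[2:]
    if len(payload) < 12:        # fixed DNS header is 12 bytes
        return "malformed"
    _msg_id, flags = struct.unpack("!HH", payload[:4])
    if not flags & QR_RESPONSE:
        return "not-a-response"
    rcode = flags & RCODE_MASK
    if rcode == REFUSED:
        return "refusing"
    return "serving" if rcode in ANSWERING_RCODES else "other"

def hosts_to_alert(packets):
    """Return the source IPs that produced at least one 'serving' response."""
    return sorted({src for src, tcp, payload in packets
                   if classify_dns_payload(payload, tcp) == "serving"})

def make_message(flags):
    """Constructed DNS message: header plus one question for example.com A/IN."""
    header = struct.pack("!6H", 0x1234, flags, 1, 0, 0, 0)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    return header + question

def tcp_frame(message):
    """Prefix a message with the 2-byte length used for DNS over TCP."""
    return struct.pack("!H", len(message)) + message

# Constructed sample traffic (documentation addresses), all from source port 53.
SAMPLE_PACKETS = [
    ("192.0.2.10", False, make_message(0x8105)),            # REFUSED reply
    ("192.0.2.20", False, make_message(0x8180)),            # NOERROR, recursion available
    ("192.0.2.30", True, tcp_frame(make_message(0x8183))),  # NXDOMAIN over TCP
    ("192.0.2.40", False, make_message(0x0100)),            # a query, not a response
    ("192.0.2.50", False, b"\x00\x01"),                     # too short to be DNS
]

if __name__ == "__main__":
    for src, tcp, payload in SAMPLE_PACKETS:
        print(src, classify_dns_payload(payload, tcp))
    print("alert on:", hosts_to_alert(SAMPLE_PACKETS))
```

Only the hosts that return an answering RCODE are reported; the host that replies REFUSED is classified separately and is not included in the alert list.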