Snort mailing list archives

Re: Fwd: snort content matching rules


From: Jim Reprogle <jim.reprogle () gmail com>
Date: Thu, 8 May 2014 14:24:16 -0500

Thank you for your reply. You are correct. I'm just trying to test my
installation and determine whether or not content matching rules are
working. This is a relatively low traffic machine, and I just want to see
if I can get reverse DNS (PTR) lookups to trigger an alert in snort. I've
currently got a local rule that looks like this (taking your advice and
looking for DNS query type 0x000c.)

alert udp any any <> any 53 (msg:"DNS PTR Query"; content:"|00 0C|"; rawbytes; sid:1000001; rev:1;)

It's not working for me. I just don't get a good feeling that my
installation is working without knowing that the content matching rules
work, too. May I ask you for another suggestion I might try? Again, I am
very grateful for the feedback and the help.



On Thu, May 8, 2014 at 11:37 AM, Y M <snort () outlook com> wrote:

The first rule works because you are not exactly looking for content
(payload); simply put, the rule says match on UDP traffic from any IP
address/port to any IP address on port 53 regardless of what the packets
contain, which generally may be characterized as DNS traffic/service.

In the second rule, you are trying to match DNS queries of type PTR or
reverse lookups based on content (payload) of the query. I am not sure what
payload you are trying to match on, but in general you should be looking at
the specific field/location within the packet that denotes the type PTR. I
cannot think of a way that you can easily always match on this as the
queried IP address/domain will have various lengths, not to mention it is
in reverse order making it not practical. That said, if you change your
content match to "|00 0C|" it may hit, though this approach is also not
practical and will generate lots of false positives.

Hope this helps.

------------------------------
From: jim.reprogle () gmail com
Date: Tue, 6 May 2014 16:53:20 -0500
To: snort-users () lists sourceforge net
Subject: [Snort-users] Fwd: snort content matching rules

I'm new to using snort, so I've been looking around on the various mailing
lists, groups, archives, forums, etc. for an answer to what appears to be
an obvious question but for the life of me I can't find one.

Hopefully this isn't something that's been beaten to death in other
threads, but here goes anyway.

I've installed snort on a CentOS 6.4 machine and have gotten basic
alerting working. However, whenever I attempt a simple rule that looks at
the payload (content) of certain packets, that rule doesn't seem to work at
all.

For example, this rule works all day long:
alert udp any any <> any 53 (msg:"DNS Query"; sid:1000001; rev:1;)

However, if I try to make the rule match only on PTR lookups, it stops
working entirely.
alert udp any any <> any 53 (msg:"DNS Query"; content:"PTR "; sid:1000001; rev:1;)

I've tried rules using the rawbytes directive, and they don't seem to work
either. Please help me out here, as I'm certain that I've done something
painfully obvious to make these simple content rules not work.


------------------------------------------------------------------------------
Is your legacy SCM system holding you back? Join Perforce May 7 to find out:
• 3 signs your SCM is hindering your productivity
• Requirements for releasing software faster
• Expert tips and advice for migrating your SCM now
http://p.sf.net/sfu/perforce
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
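Added example (not from the thread or the Snort project) illustrating Y M's point that the PTR type sits at a specific location after the variable-length QNAME, and why a bare "|00 0C|" match hits unrelated queries. It assumes the RFC 1035 wire format and builds its own constructed packets.

```python
import struct

QTYPE_PTR = 12  # RFC 1035 QTYPE value for PTR (reverse lookup)

def build_query(txid, name, qtype):
    """Construct a minimal DNS query payload: 12-byte header + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: standard query, RD
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN

def naive_match(payload):
    """What a bare content:"|00 0C|" does: match the two bytes anywhere in the payload."""
    return b"\x00\x0c" in payload

def parse_qtype(payload):
    """Walk the header and the variable-length QNAME to reach the question's QTYPE."""
    if len(payload) < 12:
        return None
    qdcount = struct.unpack("!H", payload[4:6])[0]
    if qdcount < 1:
        return None
    off = 12
    while True:
        if off >= len(payload):
            return None
        length = payload[off]
        if length == 0:          # root label terminates the name
            off += 1
            break
        if length & 0xC0:        # compression pointer; not expected in a query's question
            return None
        off += 1 + length
    if off + 4 > len(payload):
        return None
    qtype, _qclass = struct.unpack("!HH", payload[off:off + 4])
    return qtype

def is_ptr_query(payload):
    return parse_qtype(payload) == QTYPE_PTR

if __name__ == "__main__":
    ptr = build_query(0x1234, "4.3.2.1.in-addr.arpa", QTYPE_PTR)
    # Constructed false positive 1: an A query whose first label is 12 bytes long; the zero
    # ARCOUNT byte followed by the label length 0x0C forms "00 0C" at the header/QNAME boundary.
    fp_label = build_query(0x1234, "snortexample.com", 1)
    # Constructed false positive 2: an A query whose transaction ID happens to be 0x000C.
    fp_txid = build_query(0x000C, "example.com", 1)
    for tag, pkt in (("PTR", ptr), ("12-byte label", fp_label), ("txid 0x000C", fp_txid)):
        print(f"{tag:14} naive={naive_match(pkt)!s:5} structured={is_ptr_query(pkt)}")
```

A genuine PTR query does carry 00 0C in its QTYPE field, so the bare match fires on it too; the structured walk is what a rule has to express to avoid hits on unrelated queries whose header or label bytes happen to contain that pair.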
