Snort mailing list archives
Re: Using DNS response fields in an alert msg
From: Jason Haar <Jason_Haar () trimble com>
Date: Thu, 22 Jan 2015 19:35:06 +1300
On 08/01/15 02:19, David Longenecker wrote:
It works pretty well, with one shortcoming: the alerts identify the offending device, but not the name request. I have to go back to the packet capture afterward to determine the requested domain. Does anyone on this list have an example of snort parsing a dns response into its component name and address fields, and using these fields in the alert message?
A similar problem occurs with the "sinkhole" rules. We push our http traffic through content filtering proxies and snort still catches the stuff the proxies miss, such as "BLACKLIST Connection to malware sinkhole". It would be much more useful if that rule was "BLACKLIST Connection to malware sinkhole on %HTTP.Header.Host" because then we could use the hostname to compare with the proxy logs to actually discover the client IP (or run more snort instances in front of all the proxies - yes I've already thought of that :-)

--
Cheers
Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
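Since the Snort rule `msg` is a fixed string, the usual workaround for the shortcoming David describes is to post-process the logged packet: pull the query name and answer addresses out of the DNS response payload and append them to the alert text. The following is an added example (not from the thread or from Snort) of a minimal DNS response parser that does exactly that, handling RFC 1035 name compression; `SAMPLE` is a constructed response payload, and the UDP payload is assumed to have been extracted from the capture already.

```python
import struct
import ipaddress

def read_name(msg, offset, max_jumps=16):
    """Decode a possibly compressed DNS name at offset.
    Returns (dotted name, offset just past the name in the original stream)."""
    labels, end, jumps = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            jumps += 1
            if jumps > max_jumps:                       # guard against pointer loops
                raise ValueError("too many compression pointers")
            if end is None:
                end = offset + 2                        # resume here after first jump
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (end if end is not None else offset)

def parse_dns_response(msg):
    """Return (first query name, [A/AAAA answer addresses]) from a raw DNS payload."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a DNS response (QR bit clear)")
    offset = 12
    qname, offset = read_name(msg, offset)
    offset += 4                                         # QTYPE + QCLASS
    for _ in range(qdcount - 1):                        # skip any extra questions
        _name, offset = read_name(msg, offset)
        offset += 4
    addrs = []
    for _ in range(ancount):
        _name, offset = read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:                   # A record
            addrs.append(str(ipaddress.IPv4Address(rdata)))
        elif rtype == 28 and rdlen == 16:               # AAAA record
            addrs.append(str(ipaddress.IPv6Address(rdata)))
    return qname, addrs

def enrich_alert(base_msg, msg):
    """Append the parsed name and addresses to a fixed Snort alert message."""
    name, addrs = parse_dns_response(msg)
    return f"{base_msg} [{name} -> {', '.join(addrs) or 'no address'}]"

# Constructed sample: response for example.com, one A record (192.0.2.10),
# answer name given as a pointer (0xC00C) back to the question name.
SAMPLE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
          b"\x07example\x03com\x00\x00\x01\x00\x01"
          b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x0a")
```

Run against the payload of each logged DNS packet, `enrich_alert("BLACKLIST DNS request for known malware domain", payload)` yields a message that names the domain and the returned address without a second trip to the pcap.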