Snort mailing list archives

Re: Using DNS response fields in an alert msg


From: Jason Haar <Jason_Haar () trimble com>
Date: Thu, 22 Jan 2015 19:35:06 +1300

On 08/01/15 02:19, David Longenecker wrote:
> It works pretty well, with one shortcoming: the alerts identify the
> offending device, but not the name request. I have to go back to the
> packet capture afterward to determine the requested domain. Does
> anyone on this list have an example of snort parsing a dns response
> into its component name and address fields, and using these fields in
> the alert message?
A similar problem occurs with the "sinkhole" rules. We push our http
traffic through content filtering proxies and snort still catches the
stuff the proxies miss, such as "BLACKLIST Connection to malware
sinkhole". It would be much more useful if that rule was "BLACKLIST
Connection to malware sinkhole on %HTTP.Header.Host" because then we
could use the hostname to compare with the proxy logs to actually
discover the client IP.

(or run more snort instances in front of all the proxies - yes I've
already thought of that :-)

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
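The thread is about getting the queried name and the answer addresses out of a DNS response and into the alert text, which today means going back to the packet capture. The following is an added example, not code from this thread, from Snort, or from either poster: a small stand-alone parser for the DNS wire format (RFC 1035, including label compression pointers) that pulls exactly those fields out of a captured response and formats them the way the message text above asks for. The sample response bytes, the domain `bad.example.test`, the TEST-NET address 198.51.100.7 and the function names are all constructed for the example.

```python
"""Parse a raw DNS response into name and address fields (added example).

Not part of the Snort thread or of Snort itself: this is the post-hoc
extraction step the posters describe doing by hand from a packet capture.
"""
import ipaddress
import struct

TYPE_A = 1
TYPE_CNAME = 5
TYPE_AAAA = 28


def read_name(msg, offset):
    """Return (name, offset after the name), following RFC 1035 4.1.4
    compression pointers. The returned offset is the position after the
    name *as it appears at the call site*, not after the pointer target."""
    labels = []
    jumped = False
    end = offset
    hops = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            # compression pointer: 14-bit offset into the message
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii", "replace"))
        offset += 1 + length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_dns_response(msg):
    """Return the question names and (owner, type, value) answer records."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    questions = []
    for _ in range(qd):
        name, offset = read_name(msg, offset)
        offset += 4  # QTYPE and QCLASS
        questions.append(name)
    answers = []
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_A and rdlen == 4:
            value = str(ipaddress.IPv4Address(rdata))
        elif rtype == TYPE_AAAA and rdlen == 16:
            value = str(ipaddress.IPv6Address(rdata))
        elif rtype == TYPE_CNAME:
            # CNAME targets may use compression, so parse them in place
            value, _ = read_name(msg, offset - rdlen)
        else:
            value = rdata.hex()
        answers.append((name, rtype, value))
    return {"id": txid, "response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def build_sample_response():
    """Constructed sample: a response for bad.example.test carrying one A
    answer whose owner name is a compression pointer back to the question."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    qname = b"\x03bad\x07example\x04test\x00"
    question = qname + struct.pack("!HH", TYPE_A, 1)
    answer = (b"\xc0\x0c"  # pointer to offset 12, where the question name starts
              + struct.pack("!HHIH", TYPE_A, 1, 300, 4)
              + bytes([198, 51, 100, 7]))
    return header + question + answer


def alert_message(msg):
    """Build the kind of alert text the thread asks for: name plus addresses."""
    parsed = parse_dns_response(msg)
    addrs = [v for (_, t, v) in parsed["answers"] if t in (TYPE_A, TYPE_AAAA)]
    return "DNS response for %s -> %s" % (", ".join(parsed["questions"]),
                                          ", ".join(addrs))


if __name__ == "__main__":
    print(alert_message(build_sample_response()))
```

Feeding this the UDP payload of a captured response (for example from the pcap the alert points at) yields the name and address pair that the thread would like to see in the `msg` field; the same approach, applied to the `Host:` header, gives the hostname Jason wants for correlating the sinkhole alert against proxy logs.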


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

