Snort mailing list archives
Re: Using DNS response fields in an alert msg
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Thu, 22 Jan 2015 16:28:04 +0000
David, An interesting idea. We’ve written this down.

On Jan 22, 2015, at 10:02 AM, David Longenecker <david () 7longeneckers com> wrote:
A similar problem occurs with the "sinkhole" rules. We push our HTTP traffic through content filtering proxies and Snort still catches the stuff the proxies miss, such as "BLACKLIST Connection to malware sinkhole". It would be much more useful if that rule was "BLACKLIST Connection to malware sinkhole on %HTTP.Header.Host" because then we could use the hostname to compare with the proxy logs to actually discover the client IP.
I think I've found a partial solution. I found a modified DNS preprocessor and plugin that parse the entire DNS packet: http://www.geocities.ws/axonpotential/snort/18/index.html

It was intended for header inspection, but in reviewing the source code it appears to also parse the data; with a little work I believe I will be able to get at the question and answer data, which leaves me with data in hand but no way to get that data into my alert message.

Does the msg field of the alert module expand variables, and if so, what's the context? What variables would be available? I haven't seen any examples of a variablized alert message in the rules.

--
Regards,
David Longenecker
Connect: Security Blog <http://dnlongen.blogspot.com/> | Security Twitter <https://www.twitter.com/dnlongen> | Awana Twitter <https://www.twitter.com/dstx_awana> | LinkedIn <https://www.linkedin.com/in/dnlongen/>
GPG key: https://keybase.io/dnlongen
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
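What David is after, the question and answer fields of the DNS response tied to the alert, can also be recovered outside Snort by parsing the packet payload that is logged alongside the alert. The script below is an added example written for this page; it is not code from the thread, from Snort, or from the modified preprocessor linked above. It parses the header, the question section and the A, AAAA and CNAME answers of a DNS response in wire format, follows RFC 1035 label-compression pointers while rejecting the forward and self-referencing pointers that a malformed packet could use to loop a naive parser, and then builds the kind of enriched message David asks for. The packet bytes, the names sinkhole.example and sink.example, the address 192.0.2.10 and the rule text are all constructed for the example, and the function names are the example's own; it assumes the response payload is available to a post-processing script as raw bytes.

```python
import ipaddress
import struct

RR_TYPES = {1: "A", 5: "CNAME", 28: "AAAA"}   # decoded types; anything else is reported as hex


class DNSParseError(ValueError):
    """Raised for truncated packets and invalid compression pointers."""


def read_name(buf, offset):
    """Decode the domain name at buf[offset]; return (name, offset after the name).
    Compression pointers are followed only backwards: a pointer at or past its own
    position is how a crafted packet loops a naive parser, so it is rejected."""
    labels, end = [], None
    while True:
        if offset >= len(buf):
            raise DNSParseError("truncated name")
        length = buf[offset]
        if length == 0:                      # root label ends the name
            offset += 1
            break
        if (length & 0xC0) == 0xC0:          # two-byte compression pointer
            if offset + 1 >= len(buf):
                raise DNSParseError("truncated pointer")
            ptr = ((length & 0x3F) << 8) | buf[offset + 1]
            if ptr >= offset:
                raise DNSParseError("compression pointer does not point backwards")
            if end is None:
                end = offset + 2             # the name ends after its first pointer
            offset = ptr                     # continue reading at the prior occurrence
            continue
        if length & 0xC0:
            raise DNSParseError("unsupported label type")
        offset += 1
        if offset + length > len(buf):
            raise DNSParseError("truncated label")
        labels.append(buf[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_dns_response(buf):
    """Parse the header, question section and answer section of a DNS response."""
    if len(buf) < 12:
        raise DNSParseError("truncated header")
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", buf[:12])
    if not flags & 0x8000:
        raise DNSParseError("QR bit clear: a query, not a response")
    offset, questions, answers = 12, [], []
    for _ in range(qdcount):
        qname, offset = read_name(buf, offset)
        if offset + 4 > len(buf):
            raise DNSParseError("truncated question")
        qtype, _qclass = struct.unpack("!HH", buf[offset:offset + 4])
        offset += 4
        questions.append((qname, RR_TYPES.get(qtype, str(qtype))))
    for _ in range(ancount):
        name, offset = read_name(buf, offset)
        if offset + 10 > len(buf):
            raise DNSParseError("truncated resource record")
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", buf[offset:offset + 10])
        offset += 10
        if offset + rdlen > len(buf):
            raise DNSParseError("truncated RDATA")
        rdata = buf[offset:offset + rdlen]
        if rtype == 1 and rdlen == 4:
            data = str(ipaddress.IPv4Address(rdata))
        elif rtype == 28 and rdlen == 16:
            data = str(ipaddress.IPv6Address(rdata))
        elif rtype == 5:
            data, _ = read_name(buf, offset)   # a CNAME target may itself be compressed
        else:
            data = rdata.hex()
        offset += rdlen
        answers.append({"name": name, "type": RR_TYPES.get(rtype, str(rtype)), "ttl": ttl, "data": data})
    return {"id": txid, "rcode": flags & 0x0F, "questions": questions, "answers": answers}


def safe_parse(buf):
    """Parse one packet, returning None for malformed input so bulk processing never aborts."""
    try:
        return parse_dns_response(buf)
    except DNSParseError:
        return None


def enrich_alert(msg, response):
    """Append the queried name and the resolved addresses to a fixed rule message."""
    qname = response["questions"][0][0] if response["questions"] else "?"
    addrs = [a["data"] for a in response["answers"] if a["type"] in ("A", "AAAA")]
    return f"{msg} on {qname} -> {', '.join(addrs) if addrs else 'no address'}"


# Constructed sample: sinkhole.example CNAME sink.example, sink.example A 192.0.2.10; both use pointers.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x02\x00\x00\x00\x00"  # id 0x1234, flags QR|RD|RA, QD=1, AN=2
    b"\x08sinkhole\x07example\x00\x00\x01\x00\x01"       # question: sinkhole.example A IN
    b"\xc0\x0c\x00\x05\x00\x01\x00\x00\x0e\x10\x00\x07"  # name=ptr->12, CNAME IN, ttl 3600, rdlen 7
    b"\x04sink\xc0\x15"                                   # rdata: "sink" + ptr->21 ("example")
    b"\xc0\x2e\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04"  # name=ptr->46 (sink.example), A IN, ttl 60
    b"\xc0\x00\x02\x0a"                                   # rdata: 192.0.2.10
)
# Constructed malformed packet: the question name is a compression pointer to itself (offset 12).
LOOPING_RESPONSE = b"\x12\x34\x81\x80\x00\x01\x00\x00\x00\x00\x00\x00" + b"\xc0\x0c\x00\x01\x00\x01"
```

Run over the payload logged with a sinkhole alert, enrich_alert turns the fixed rule text into "BLACKLIST Connection to malware sinkhole on sinkhole.example -> 192.0.2.10", which is the string that can be matched against proxy logs. The backwards-only pointer check matters because this parser sees attacker-controlled packets: a pointer to itself or forward into the answer section would otherwise spin the loop forever, and safe_parse drops such packets instead of halting a batch job.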
Current thread:
- Re: Using DNS response fields in an alert msg, (continued)
- Re: Using DNS response fields in an alert msg lists () packetmail net (Jan 07)
- Re: Using DNS response fields in an alert msg lists () packetmail net (Jan 07)
- Re: Using DNS response fields in an alert msg Rodgers, Anthony (DTMB) (Jan 07)
- Re: Using DNS response fields in an alert msg lists () packetmail net (Jan 07)
- Re: Using DNS response fields in an alert msg Joel Esler (jesler) (Jan 07)
- Re: Using DNS response fields in an alert msg Joel Esler (jesler) (Jan 07)
- Re: Using DNS response fields in an alert msg James Lay (Jan 07)
- Re: Using DNS response fields in an alert msg Mustafa Qasim (Jan 07)
- Re: Using DNS response fields in an alert msg Jason Haar (Jan 21)
- Re: Using DNS response fields in an alert msg David Longenecker (Jan 22)
- Re: Using DNS response fields in an alert msg Joel Esler (jesler) (Jan 22)
- Re: Using DNS response fields in an alert msg lists () packetmail net (Jan 07)