Using DNS response fields in an alert msg

[David Longenecker <david () 7longeneckers com>]

Hi snort folks, I'm looking for a bit of education. Forgive me if this is
not the right forum for questions like this.

Over the holiday break, I spent some time with snort and opendns,
inspecting DNS responses to detect potential malicious activity on the
local network. The idea was, opendns does a good job of *blocking*
malicious content by responding with a warning landing page instead of the
actual address; I can use that to *alert* when a blocked page is requested.
I look for several known landing pages in the dns answer record, and
trigger an alert.

It works pretty well, with one shortcoming: the alerts identify the
offending device, but not the name request. I have to go back to the packet
capture afterward to determine the requested domain. Does anyone on this
list have an example of snort parsing a dns response into its component
name and address fields, and using these fields in the alert message?

Project description: http://dnlongen.blogspot.com/snort-dns
Just the rules: https://github.com/dnlongen/snort-dns

------------------------------------------------------------------------------
Dive into the World of Parallel Programming! The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!