Snort mailing list archives

Re: Using DNS response fields in an alert msg


From: "lists () packetmail net" <lists () packetmail net>
Date: Wed, 7 Jan 2015 08:05:37 -0600

On 01/07/2015 07:19 AM, David Longenecker wrote:
Does anyone on this list have an example of snort parsing a dns response into
its component name and address fields, and using these fields in the alert message?

Sadly, for this use case this is simply something that Snort is not capable of
doing.  Perhaps something like Suricata would be useful where you can couple the
alert message to the DNS Log which would then provide you with the FQDN
requested?  As of Suricata 2.0.2 "DNS TXT parsing and logging. Funded by
Emerging Threats"

Cheers,
Nathan
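As an added illustration of the approach Nathan describes (not code from the thread or from the Suricata project), here is a small correlator that joins Suricata EVE alert events to the DNS answer events seen on the same 5-tuple and carries the FQDN and answer data into the alert output. The EVE lines are constructed for the example, in the older `dns.type`/`rrname`/`rdata` layout used by 2.0-era Suricata; the matching is by UDP 5-tuple because that is available in every EVE version.

```python
import json
from collections import defaultdict

# Constructed eve.json sample (not from the original thread): a DNS query,
# its answer, and an alert that fired on the answer packet of the same flow.
SAMPLE_EVE = r'''
{"timestamp":"2015-01-07T08:00:01.000000-0600","event_type":"dns","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"10.0.0.53","dest_port":53,"proto":"UDP","dns":{"type":"query","id":4660,"rrname":"example.test","rrtype":"A"}}
{"timestamp":"2015-01-07T08:00:01.010000-0600","event_type":"dns","src_ip":"10.0.0.53","src_port":53,"dest_ip":"10.0.0.5","dest_port":51234,"proto":"UDP","dns":{"type":"answer","id":4660,"rrname":"example.test","rrtype":"A","ttl":300,"rdata":"203.0.113.10"}}
{"timestamp":"2015-01-07T08:00:01.020000-0600","event_type":"alert","src_ip":"10.0.0.53","src_port":53,"dest_ip":"10.0.0.5","dest_port":51234,"proto":"UDP","alert":{"signature_id":1000001,"signature":"LOCAL DNS answer for watched domain"}}
'''


def flow_key(ev):
    """Direction-independent flow key: protocol plus the unordered endpoint pair,
    so the query, the answer and the alert all map to the same key."""
    ends = frozenset([(ev["src_ip"], ev["src_port"]), (ev["dest_ip"], ev["dest_port"])])
    return (ev["proto"], ends)


def enrich_alerts(eve_text):
    """Return one record per alert, enriched with the FQDNs and answer data
    logged for the same flow. Alerts on flows with no DNS answer get empty lists."""
    answers = defaultdict(list)
    alerts = []
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["event_type"] == "dns" and ev["dns"].get("type") == "answer":
            answers[flow_key(ev)].append(ev["dns"])
        elif ev["event_type"] == "alert":
            alerts.append(ev)
    out = []
    for a in alerts:
        recs = answers.get(flow_key(a), [])
        names = sorted({r["rrname"] for r in recs})
        rdata = sorted({r["rdata"] for r in recs if "rdata" in r})
        msg = a["alert"]["signature"]
        if names:
            msg += " [dns: %s -> %s]" % (",".join(names), ",".join(rdata) or "?")
        out.append({"sid": a["alert"]["signature_id"], "msg": msg,
                    "fqdn": names, "rdata": rdata})
    return out


if __name__ == "__main__":
    for rec in enrich_alerts(SAMPLE_EVE):
        print(rec["sid"], rec["msg"])
```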

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!