Snort mailing list archives

Re: snort dns Preprocessor


From: rohan dora <dora.rohan () gmail com>
Date: Tue, 10 May 2016 19:29:33 +0530

It's very nice, appreciable of you, for so many inputs and efforts.

I am in a serious dilemma as to why my code isn't functioning properly (I am
using *snort 2.9.8.0 on ubuntu 14.04 32 bit*).


*Steps I took further.*


*1.* I ran snort in sniffer mode (./snort -vd) and I noticed that all DNS
queries and responses are captured by snort.

*2.* Then, I added 2 rules in local.rules (uncommented local.rules in
snort.conf) to alert when DNS queries are sent and when DNS responses
arrive from/to my machine.

And I found that alerts are working only for DNS responses (alerting on
console).


(Command used for running snort: sudo /usr/local/bin/snort -A console -q -u
snort -g snort -c /etc/snort/snort.conf -i eth1; this is the command I use
all the time)



*Rules Used:*

alert udp any 53 -> $HOME_NET any (msg:"dns_from_server"; gid:2; sid:10000002; rev:2;)

alert udp $HOME_NET any -> any 53 (msg:"dns_from_client"; gid:21; sid:100000021; rev:21;)


Thanks a ton
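An added stand-alone example (not code from spp_dns.c or from anyone in this thread; the function and type names are mine and the two packets are constructed) of the counting this thread is after: it decides query versus response from the DNS header's QR bit as well as the port-53 check, so the direction comes from the message itself rather than only from which side used port 53.

```c
#include <stddef.h>
#include <stdint.h>

/* Direction of a DNS message, decided from the ports and the header's QR bit. */
enum dns_dir { DNS_DIR_UNKNOWN = 0, DNS_DIR_QUERY = 1, DNS_DIR_RESPONSE = 2 };
/* Counters standing in for the patch's static REQ_COUNT (hypothetical names). */
struct dns_counts { unsigned long queries, responses, other; };

/* Port 53 on either side marks the datagram as DNS; the QR bit (top bit of byte 2)
 * tells query (0) from response (1) even when both ports are 53. Header is 12 bytes. */
enum dns_dir dns_direction(uint16_t sport, uint16_t dport, const uint8_t *pl, size_t len)
{
    if (sport != 53 && dport != 53) return DNS_DIR_UNKNOWN;
    if (pl == NULL || len < 12) return DNS_DIR_UNKNOWN;
    return (pl[2] & 0x80) ? DNS_DIR_RESPONSE : DNS_DIR_QUERY;
}

void dns_count(struct dns_counts *c, uint16_t sport, uint16_t dport, const uint8_t *pl, size_t len)
{
    switch (dns_direction(sport, dport, pl, len)) {
    case DNS_DIR_QUERY:    c->queries++;   break;
    case DNS_DIR_RESPONSE: c->responses++; break;
    default:               c->other++;     break;
    }
}

/* Constructed samples: an A query for example.com and its answer (192.0.2.1). */
static const uint8_t QUERY[] = {
    0x12,0x34, 0x01,0x00, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x00,
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0x00,0x01, 0x00,0x01 };
static const uint8_t RESPONSE[] = {
    0x12,0x34, 0x81,0x80, 0x00,0x01, 0x00,0x01, 0x00,0x00, 0x00,0x00,
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0x00,0x01, 0x00,0x01,
    0xc0,0x0c, 0x00,0x01, 0x00,0x01, 0x00,0x00,0x0e,0x10, 0x00,0x04, 192,0,2,1 };

/* Feeds four datagrams through the counter and returns the query count (2). */
unsigned long dns_count_demo(struct dns_counts *c)
{
    dns_count(c, 49152, 53, QUERY, sizeof QUERY);        /* client -> server   */
    dns_count(c, 53, 49152, RESPONSE, sizeof RESPONSE);  /* server -> client   */
    dns_count(c, 53, 53, QUERY, sizeof QUERY);           /* ports alone: moot  */
    dns_count(c, 49152, 80, QUERY, sizeof QUERY);        /* not DNS            */
    return c->queries;
}
```

The third datagram is the case a port-only check gets wrong: with 53 on both sides it is still counted as a query because the QR bit is clear.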



On Mon, May 9, 2016 at 4:34 PM, Seshaiah Erugu (serugu) <serugu () cisco com>
wrote:

Hi Rohan,



I added the following code in the ProcessDNS function and replayed the
attached pcap. I can see the count.



diff -d -u -r1.77.10.1 spp_dns.c

--- spp_dns.c   13 Apr 2016 15:55:53 -0000      1.77.10.1

+++ spp_dns.c   9 May 2016 11:02:48 -0000

@@ -1426,6 +1426,8 @@

     uint8_t known_port = 0;

     uint8_t direction = 0;

     SFSnortPacket* p;

+

+    static int REQ_COUNT = 0;

#ifdef TARGET_BASED

     int16_t app_id = SFTARGET_UNKNOWN_PROTOCOL;

#endif
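Review bot: `static int REQ_COUNT = 0;` in this hunk makes the counter a single process-wide value that is never reset, so it accumulates across every session and survives a configuration reload; that is fine for a one-off check against a replayed pcap, but a count meant to be reported should live with the preprocessor's other state and be printed from a stats/summary path rather than from inside ProcessDNS. The all-caps name also reads as a macro; a lowercase name such as `req_count` would match the neighbouring locals `known_port` and `direction`.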

@@ -1574,6 +1576,12 @@

         return;

     }



+     if ( direction == DNS_DIR_FROM_CLIENT )

+     {

+           REQ_COUNT++;

+           _dpd.logMsg("\n \n \n DNS QUERY COUNT:%d \n \n \n \n
",REQ_COUNT);

+     }

+

     if (direction == DNS_DIR_FROM_SERVER)

     {

         ParseDNSResponseMessage(p, dnsSessionData);
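Review bot: the `_dpd.logMsg` call in this hunk has its format string split across two lines in the mail (`\n \n \n \n` on one line, `",REQ_COUNT);` on the next), so it will not compile as pasted; join it onto one line before applying. Logging from the per-packet path also writes a console line for every client-direction packet that reaches this point, which is noisy at any real query rate; incrementing here and reporting the total once (for example at shutdown) keeps the count without the per-packet output. The placement itself is right: it sits after the early `return` above it and before the `DNS_DIR_FROM_SERVER` branch, so only packets that passed the earlier checks and came from the client are counted.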

Thanks,

Seshaiah Erugu.



*From:* rohan dora [mailto:dora.rohan () gmail com]
*Sent:* Saturday, May 07, 2016 7:09 PM

*To:* Seshaiah Erugu (serugu) <serugu () cisco com>
*Cc:* snort-devel () lists sourceforge net; snort-users () lists sourceforge net
*Subject:* Re: [Snort-devel] snort dns Preprocessor



Thanks Seshaiah, I have checked that too, as per your suggestion.

However, it is never printing REQUEST.

Does snort capture the packets that are sent out from the same machine it
is running on (I have only 1 interface, eth0)? If so, then is it ignoring the DNS
requests, or what could be the issue?

Thanks a lot



On Sat, May 7, 2016 at 6:51 PM, Seshaiah Erugu (serugu) <serugu () cisco com>
wrote:

Hi Rohan,





Can you try with the packet direction flag ? Please print REQUEST if
packet direction is from CLIENT.





Thanks,

Seshaiah Erugu.



*From:* rohan dora [mailto:dora.rohan () gmail com]
*Sent:* Friday, May 06, 2016 4:47 PM
*To:* Seshaiah Erugu (serugu) <serugu () cisco com>
*Cc:* snort-devel () lists sourceforge net; snort-users () lists sourceforge net
*Subject:* Re: [Snort-devel] snort dns Preprocessor



Thanks Seshaiah, I have added code (a simple if condition) in ProcessDNS to
track DNS queries.



p = (SFSnortPacket*) packetPtr;

if (p->src_port == 53) printf("DNS Response\n");
if (p->dst_port == 53) printf("DNS Request\n");



After adding it, I do make, make install and then use nslookup to issue a DNS
query.



However, I never see "DNS Request" printed on the console.



So how will we track the DNS requests, because I think snort is handling the
packet sniffing/capture part (the user needn't look for it).



Please correct me if I am going wrong.

On Fri, May 6, 2016 at 11:16 AM, Seshaiah Erugu (serugu) <serugu () cisco com>
wrote:

Hi Rohan,



As you said, currently the DNS preprocessor is inspecting/tracking responses from
the DNS server.

If you want to track DNS queries from client to server, you can add code
in spp_dns.c (ProcessDNS function).





Thanks,

Seshaiah Erugu.



*From:* rohan dora [mailto:dora.rohan () gmail com]
*Sent:* Friday, May 06, 2016 10:15 AM
*To:* snort-devel () lists sourceforge net; snort-users () lists sourceforge net
*Subject:* [Snort-devel] snort dns Preprocessor



Hello all,

I was browsing through the code of the *DNS Dynamic preprocessor* (*spp_dns.c*)
of Snort 2.9.1.

*Objective*

To count the number of DNS queries that are made by my machine to a DNS
server (may be local/remote, doesn't matter).

*Problem*

Right now, the DNS Dynamic preprocessor is able to track responses that are
coming from the DNS server to my machine, *however it is not able to track/see
the DNS queries that my machine makes*.

I know that the DNS preprocessor is meant for analysing the responses of a
remote server, but I added some code (some if conditions, print statements) to
track DNS queries.

Anyone having ideas what could be the problem, or is this the right
approach (modifying code in spp_dns.c)?

Thanks







_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
