Re: snort rule assistance/need help have to complete in short notice by next week

[DFIRob via Snort-sigs <snort-sigs () lists snort org>]

A rule do detect a request to a .top tld would be, on top of whatever you
use to fingerprint a dns query, a content match, but let's say
alert any any -> $DNS_SERVERS 53 ( content:"|03|top|00|"; msg:"DNS query to
a .top domain"; sid:1000001 );
Other content matches would be needed to make sure all works well, but that
would be functional I guess.
Rob'

On Sat, May 29, 2021 at 8:21 PM Eric Mowatt via Snort-sigs <
snort-sigs () lists snort org> wrote:

> Aloha Joel
> Do you have an example we can follow to the homework question? Seriously
> would like to see it. Not necessarily to small dns requests but maybe
> something like the .top Donain resolutions.
>
> Thank you
> Mahalos
> Eric
>
>
> Made on Kauai
>
> On May 29, 2021, at 8:18 AM, Joel Esler (jesler) via Snort-sigs <
> snort-sigs () lists snort org> wrote:
>
> https://snort.org/faq/can-i-have-help-with-my-homework
>
>
>
> —
> Sent from my  iPad
>
> On May 29, 2021, at 10:02, Real Gamerholic via Snort-sigs <
> snort-sigs () lists snort org> wrote:
>
> 
> <image.png>
>
> 1. I want to catch internal DNS requests (requests smaller than 512 bytes)
> originating from any internal IP address. What will I put in the blanks to
> complete the Snort rule? Have to be as specific as possible (use "any"
> sparingly, if at all).
>
> alert <blank 1> 192.168.8.1/<blank 2> <blank 3> -> <blank 4> <blank 5> (msg:"DNS request detected!"; sid:1;)
>
> 2. John doe remotely compromised the Active Directory server on the
> network. He/she is attempting to port scan the DNS server with nmap’s -sT
> option to discover an SSH service. What Snort rule will detect John Doe
> malicious activity (this instance). Have to be as specific as possible (use
> "any" sparingly, if at all).
>
> alert <blank 1> <blank 2> <blank 3> -> <blank 4> <blank 5> (msg:”SSH
> activity detected!"; sid:2;)
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists snort org
> https://lists.snort.org/mailman/listinfo/snort-sigs
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
> Please follow these rules:
> https://snort.org/faq/what-is-the-mailing-list-etiquette
>
> Visit the Snort.org to subscribe to the official Snort ruleset, make sure
> to stay up to date to catch the most <a href="
> https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists snort org
> https://lists.snort.org/mailman/listinfo/snort-sigs
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
> Please follow these rules:
> https://snort.org/faq/what-is-the-mailing-list-etiquette
>
> Visit the Snort.org to subscribe to the official Snort ruleset, make sure
> to stay up to date to catch the most <a href="
> https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists snort org
> https://lists.snort.org/mailman/listinfo/snort-sigs
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
> Please follow these rules:
> https://snort.org/faq/what-is-the-mailing-list-etiquette
>
> Visit the Snort.org to subscribe to the official Snort ruleset, make sure
> to stay up to date to catch the most <a href="
> https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!