Snort mailing list archives

Re: snort rule assistance/need help have to complete in short notice by next week


From: Eric Mowatt via Snort-sigs <snort-sigs () lists snort org>
Date: Sun, 30 May 2021 15:31:31 -1000

That's perfect, thanks for the .top portion.

Mahalo
Eric

Made on Kauai 

On May 30, 2021, at 10:50 AM, DFIRob <rd.seclists () gmail com> wrote:


A rule to detect a request to a .top TLD would be, on top of whatever you use to fingerprint a DNS query, a content match, but let's say
alert udp any any -> $DNS_SERVERS 53 ( content:"|03|top|00|"; msg:"DNS query to a .top domain"; sid:1000001; )
Other content matches would be needed to make sure all works well, but that would be functional I guess.
Rob

On Sat, May 29, 2021 at 8:21 PM Eric Mowatt via Snort-sigs <snort-sigs () lists snort org> wrote:
Aloha Joel
Do you have an example we can follow for the homework question? Seriously would like to see it. Not necessarily the small DNS requests, but maybe something like the .top domain resolutions.

Thank you
Mahalos
Eric


Made on Kauai 

On May 29, 2021, at 8:18 AM, Joel Esler (jesler) via Snort-sigs <snort-sigs () lists snort org> wrote:

https://snort.org/faq/can-i-have-help-with-my-homework



— 
Sent from my iPad

On May 29, 2021, at 10:02, Real Gamerholic via Snort-sigs <snort-sigs () lists snort org> wrote:


1. I want to catch internal DNS requests (requests smaller than 512 bytes) originating from any internal IP address. What will I put in the blanks to complete the Snort rule? Have to be as specific as possible (use "any" sparingly, if at all).
alert <blank 1> 192.168.8.1/<blank 2> <blank 3> -> <blank 4> <blank 5> (msg:"DNS request detected!"; sid:1;)
2. John Doe remotely compromised the Active Directory server on the network. He/she is attempting to port scan the DNS server with nmap's -sT option to discover an SSH service. What Snort rule will detect John Doe's malicious activity (this instance)? Have to be as specific as possible (use "any" sparingly, if at all).

alert <blank 1> <blank 2> <blank 3> -> <blank 4> <blank 5> (msg:"SSH activity detected!"; sid:2;)

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
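As an added example (not part of the thread or of the Snort project), the following Python builds constructed DNS messages and shows what a bare `|03|top|00|` content match catches and misses on its own, next to a parse of the question name that handles the cases the raw match gets wrong (an uppercase TLD, a response rather than a query). The packets are built inline; no capture is involved.

```python
"""Added example: compare a raw .top content match with a parsed DNS question."""
import struct
from typing import List, Optional

# The byte pattern from the rule in the thread: content:"|03|top|00|"
# (label length 3, the label "top", then the zero-length root label).
RAW_PATTERN = b"\x03top\x00"

def build_dns(name: str, flags: int = 0x0100, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS message with one A/IN question (constructed input).
    flags=0x0100 is a plain recursive query; 0x8180 marks a response (QR set)."""
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def raw_content_match(payload: bytes) -> bool:
    """What a bare, case-sensitive content match does: pattern anywhere in the payload."""
    return RAW_PATTERN in payload

def query_labels(payload: bytes) -> Optional[List[bytes]]:
    """Return the question name's labels if payload is a one-question DNS query, else None."""
    if len(payload) < 12:
        return None
    flags, qdcount = struct.unpack(">HH", payload[2:6])
    if flags & 0x8000 or qdcount != 1:          # QR=1 is a response, not a query
        return None
    labels, pos = [], 12
    while pos < len(payload):
        n = payload[pos]
        if n == 0:
            return labels
        if n & 0xC0 or pos + 1 + n > len(payload):  # compression pointer or truncated
            return None
        labels.append(payload[pos + 1:pos + 1 + n])
        pos += 1 + n
    return None                                  # name never terminated

def structured_top_match(payload: bytes) -> bool:
    """Case-insensitive check on the parsed TLD, as a DNS-aware rule would see it."""
    labels = query_labels(payload)
    return bool(labels) and labels[-1].lower() == b"top"

if __name__ == "__main__":
    for desc, pkt in [
        ("query example.top", build_dns("example.top")),
        ("query top.example.com", build_dns("top.example.com")),
        ("query example.TOP", build_dns("example.TOP")),
        ("response example.top", build_dns("example.top", flags=0x8180)),
    ]:
        print(f"{desc:24s} raw={raw_content_match(pkt)!s:5s} parsed={structured_top_match(pkt)}")
```

The uppercase and response rows are the gaps Rob's "other content matches" remark points at: the raw pattern is case-sensitive unless the rule says otherwise, and it fires on any payload containing the bytes, whether or not it is a DNS query.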