Snort mailing list archives
Content scanning
From: "Heinrich vanRiel" <heinrich.vanriel () us didata com>
Date: Sun, 1 Feb 2004 11:14:00 -0500
Greetings,

Since sco is down at this point, I want to add a rule at this point to do payload scanning for every single occurrence of www.sco.com. I have added my rules, any host to any port, content set to www.sco.com and nocase, for IP, TCP and UDP.

My concern is that if I do a nslookup on www.sco.com from a device (not the DNS server) my IDS sensors do not alert me that www.sco.com traveled the network, however if I do a tcpdump I can see at least 2 packets containing www.sco.com. (I stop snort and do the tcpdump from the sensor.) I just want to make sure no infected desktop is overlooked, since I find it a bit hard to believe that out of 600+ desktops I have not seen any attempts to reach SCO.

Output of tcpdump:
11:08:56.231023 dns.mydomain.local > desktop.mydomain.local.2612: 16 1/0/0 A www.sco.com (45)
11:08:56.231030 dns.mydomain.local > desktop.mydomain.local.2612: 16 1/0/0 A www.sco.com (45)

Sensor info:
FreeBSD 4.9 Stable
Snort 2.0.5
Dell PowerEdge 6400 Xeon

Thanks
HvR
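A likely reason a plain content:"www.sco.com" rule stays silent on the DNS traffic above, while tcpdump shows the name, is that tcpdump prints the decoded name whereas the packet carries it in DNS wire format: length-prefixed labels (0x03 "www" 0x03 "sco" 0x03 "com" 0x00), with no dots at all, and the answer section usually repeats the name only as a two-byte compression pointer. The following example is added here and is not code from the poster or from the Snort project. It builds a constructed 45-byte A-record response for www.sco.com (the same size tcpdump reports, using a TEST-NET address as the answer), shows that the literal string is absent while the wire form is present exactly once, decodes the name the way tcpdump does, and renders the wire form in Snort's |hex| content syntax. The function names and the sample packet are this example's own.

```python
import struct


def encode_qname(name):
    """Encode a domain name in DNS wire format: length-prefixed labels, zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_qname(data, offset, max_hops=16):
    """Decode a name at `offset`, following compression pointers (0xC0xx).

    Returns (dotted_name, offset_just_after_the_name_field).
    """
    labels = []
    end = None          # where the caller's field ends (set before the first pointer jump)
    hops = 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:           # compression pointer to an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            hops += 1
            if hops > max_hops:             # refuse pointer loops in hostile input
                raise ValueError("too many compression pointers")
            offset = pointer
            continue
        if length == 0:
            if end is None:
                end = offset + 1
            break
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def build_a_response(txid, name, ip):
    """Constructed DNS response: header, one question, one A answer.

    The answer names the owner with a pointer (0xC00C) back to the question name,
    as real resolvers do, so the full label sequence appears only once.
    """
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD, RA; 1 question, 1 answer
    question = encode_qname(name) + struct.pack("!HH", 1, 1)    # QTYPE A, QCLASS IN
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata   # A, IN, TTL 300, RDLENGTH 4
    return header + question + answer


def literal_hits(packet, name):
    """How often the dotted string vs. the wire-format name occurs in the payload."""
    return packet.count(name.encode("ascii")), packet.count(encode_qname(name))


def snort_content_for_name(name):
    """Render the wire form of a name as a Snort content option using |hex| escapes."""
    parts = ["|%02X|%s" % (len(label), label) for label in name.rstrip(".").split(".")]
    return 'content:"' + "".join(parts) + '|00|";'


# Constructed sample: transaction id 16, answer 192.0.2.1 (TEST-NET-1, not SCO's real address).
SAMPLE = build_a_response(16, "www.sco.com", "192.0.2.1")

if __name__ == "__main__":
    print(len(SAMPLE), "bytes")                         # 45, matching the tcpdump length
    print(literal_hits(SAMPLE, "www.sco.com"))          # (0, 1): no dotted string, one wire-form name
    print(decode_qname(SAMPLE, 12))                     # question name, as tcpdump prints it
    print(decode_qname(SAMPLE, 29))                     # answer name, reached via the pointer
    print(snort_content_for_name("www.sco.com"))
```

Because the answer section only carries a pointer, even the wire-format pattern matches once per response (in the question section), and a compressed owner name in a larger reply may not contain the full sequence at all. The same label encoding applies to the client's query, so a rule meant to catch lookups should use the |03|www|03|sco|03|com|00| form; the dotted string will still match HTTP Host headers and other plain-text protocols, and nocase has no effect on the length bytes.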
Current thread:
- Content scanning Heinrich vanRiel (Feb 01)