Content scanning

["Heinrich vanRiel" <heinrich.vanriel () us didata com>]

Greetings,
 
Since sco is down at this point, I want to add a rule at this point to
do payload scanning for every single occurrence of www.sco.com
<http://www.sco.com/> .
 
I have added my rules, any host to any port content set to www.sco.com
<http://www.sco.com/>  and nocase, for IP TCP and UDP.
 
My concern is that if I do a nslookup on www.sco.com
<http://www.sco.com/>  from a device (not the DNS server) my IDS sensors
does not alert me that www.sco.com <http://www.sco.com/>  traveled the
network,
however if I do a tcpdump I can see at least 2 packets containing
www.sco.com <http://www.sco.com/> . (I stop snort and do the tcpdump
from the sensor)
 
I just want to make sure no infected desktop is overlooked, since I find
it a bit hard to believe that out of 600+ desktops I have not seen any
attempts to reach SCO.
 
 
Output of tcpdump:  
 
11:08:56.231023 dns.mydomain.local > desktop.mydomain.local.2612:  16
1/0/0 A www.sco.com (45)
11:08:56.231030 dns.mydomain.local > desktop.mydomain.local.2612:  16
1/0/0 A www.sco.com (45)
 
Sensor info:  
 
FreeBSD 4.9 Stable
Snort 2.0.5
Dell PowerEdge 6400 Xeon
 
Thanks
 
HvR