Snort mailing list archives
How to use Snort to detect DNS reverse lookup queries
From: Qinwen Hu <qhu009 () aucklanduni ac nz>
Date: Wed, 27 Nov 2013 11:03:38 +1300
Hi all,

I am a new Snort user. Currently, I am working on one project where we need to use Snort to read a pcap file and detect some packets that do not send a full DNS reverse lookup message. For example: 9.7.3.1.2.b.e.f.f.f.4.7.0.0.0.0.0.0.0.2.0.0.0.0.0.f.d.0.1.0.0.2.ip6.arpa (this message is one complete reverse DNS lookup message). But some packets look like 0.0.0.0.2.0.0.0.0.0.f.d.0.1.0.0.2.ip6.arpa

So, I am just wondering, does Snort have some features that detect a particular pattern and count the payload size before this particular pattern? For example, if I received the reverse DNS request 0.0.0.0.2.0.0.0.0.0.f.d.0.1.0.0.2.ip6.arpa, I find the pattern ".ip6.arpa", and then I can search how many bytes there are before this pattern; in this example, we have 17 bytes before ".ip6.arpa".

Does anybody have ideas? How to use Snort to create this rule?

Many thanks

Regards,
Steven
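The check the post asks for, as an added example that is not from the original thread or from the Snort project: it builds constructed DNS PTR query messages for the two names quoted above, walks the question name in wire format, and reports how many nibble labels precede the ip6.arpa suffix and at what byte offset that suffix sits. One point the wire format makes visible: the dotted text has 17 labels, but on the wire each one-character label is a length byte plus the character, so 34 bytes (not 17) precede the `|03|ip6|04|arpa|00` suffix, and a complete 32-nibble name puts that suffix at a fixed offset of 12 + 64 = 76 bytes into the DNS message. That fixed position is what a Snort `content` match on the suffix, bounded with `offset`/`depth`, can key on; the function and variable names below are my own, not Snort keywords.

```python
import struct

DNS_HEADER_LEN = 12          # fixed DNS header; the question name starts right after it
FULL_IPV6_NIBBLES = 32       # a complete ip6.arpa PTR name carries 32 one-character labels
HEX_NIBBLES = set("0123456789abcdef")

# Constructed sample names, copied from the question in the post above.
FULL_NAME = "9.7.3.1.2.b.e.f.f.f.4.7.0.0.0.0.0.0.0.2.0.0.0.0.0.f.d.0.1.0.0.2.ip6.arpa"
SHORT_NAME = "0.0.0.0.2.0.0.0.0.0.f.d.0.1.0.0.2.ip6.arpa"


def encode_name(name):
    """Encode a dotted name into DNS wire format: length-prefixed labels, NUL terminated."""
    wire = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.split("."))
    return wire + b"\x00"


def build_ptr_query(name, txid=0x1234):
    """Constructed sample DNS query message (the UDP payload): header plus one PTR/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)     # flags 0x0100 = RD set
    return header + encode_name(name) + struct.pack("!HH", 12, 1)  # QTYPE 12 = PTR, QCLASS 1 = IN


def parse_question_name(payload):
    """Return (labels, offset_of_terminator) for the first question name.

    A query's question section is never compressed, so a pointer label is treated as malformed.
    """
    labels = []
    pos = DNS_HEADER_LEN
    while True:
        if pos >= len(payload):
            raise ValueError("truncated question name")
        length = payload[pos]
        if length == 0:
            return labels, pos
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        pos += 1
        labels.append(payload[pos:pos + length].decode("ascii", errors="replace").lower())
        pos += length


def analyse_ip6_arpa_query(payload):
    """Classify a DNS query: is it an ip6.arpa PTR lookup, and does it carry all 32 nibbles?"""
    labels, _ = parse_question_name(payload)
    if len(labels) < 2 or labels[-2:] != ["ip6", "arpa"]:
        return {"ip6_arpa": False}
    nibbles = labels[:-2]
    well_formed = all(len(n) == 1 and n in HEX_NIBBLES for n in nibbles)
    # Wire offset of the "\x03ip6\x04arpa" suffix: the header plus (length byte + label) per nibble.
    suffix_offset = DNS_HEADER_LEN + sum(1 + len(n) for n in nibbles)
    return {
        "ip6_arpa": True,
        "nibble_labels": len(nibbles),
        "well_formed": well_formed,
        "complete": well_formed and len(nibbles) == FULL_IPV6_NIBBLES,
        "bytes_before_suffix": suffix_offset - DNS_HEADER_LEN,
        "suffix_offset": suffix_offset,
    }


if __name__ == "__main__":
    for name in (FULL_NAME, SHORT_NAME, "1.0.0.127.in-addr.arpa"):
        print(name, "->", analyse_ip6_arpa_query(build_ptr_query(name)))
```

Running it prints 32 nibble labels with the suffix at offset 76 for the complete name, and 17 labels with the suffix at offset 46 (34 bytes after the header) for the short one, which is the "pattern appears too early" condition a rule would look for.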
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!