Snort mailing list archives

How to use Snort to detect DNS reverse lookup queries


From: Qinwen Hu <qhu009 () aucklanduni ac nz>
Date: Wed, 27 Nov 2013 11:03:38 +1300

Hi all,


I am a new Snort user.  Currently, I am working on one project where we need to use
Snort to read a pcap file and detect some packets that do not send a full DNS
reverse lookup message.


For example:

9.7.3.1.2.b.e.f.f.f.4.7.0.0.0.0.0.0.0.2.0.0.0.0.0.f.d.0.1.0.0.2.ip6.arpa
(this message is one complete reverse DNS lookup message).


But some packets look like

0.0.0.0.2.0.0.0.0.0.f.d.0.1.0.0.2.ip6.arpa


So, I am just wondering, does Snort have some feature that detects a
particular pattern and counts the payload size before this particular
pattern? For example, if I received the reverse DNS request


0.0.0.0.2.0.0.0.0.0.f.d.0.1.0.0.2.ip6.arpa.


I find the pattern “.ip6.arpa”, and then I can check how many bytes come before
this pattern; in this example, we have 17 bytes before “.ip6.arpa”.


Does anybody have any ideas? How do I use Snort to create this rule?


Many thanks

Regards,

Steven
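The check Steven describes (find the ip6.arpa suffix, then measure what comes before it) is easier to reason about on the wire than on the dotted text, because a DNS name is sent as length-prefixed labels: each hex digit of a reverse IPv6 name is one label of length 1, so "0.0.0.0.2" is `|01|0|01|0|01|0|01|0|01|2` on the wire, and the suffix ".ip6.arpa" is `|03|ip6|04|arpa|00|`. The following is an added example, not code from the original post or from the Snort project. It builds a constructed DNS PTR query for the two names quoted in the post, decodes the question name label by label, and reports whether the ip6.arpa name carries the full 32 nibble labels or is truncated. All function names (`build_dns_query`, `parse_qname`, `classify_ip6_ptr`) are this example's own.

```python
from __future__ import annotations

import struct

IP6_ARPA_SUFFIX = ("ip6", "arpa")
FULL_IP6_NIBBLES = 32  # a complete IPv6 reverse name has 32 single-hex-digit labels
DNS_HEADER_LEN = 12


def build_dns_query(name: str, qtype: int = 12, txid: int = 0x1234) -> bytes:
    """Constructed sample input: a standard DNS query (QTYPE 12 = PTR) for `name`.

    Header: id, flags (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0.
    """
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # QCLASS 1 = IN


def parse_qname(payload: bytes, offset: int = DNS_HEADER_LEN) -> tuple[list[str], int]:
    """Decode the length-prefixed labels of the first question name.

    Returns (labels, offset_of_terminating_zero). Compression pointers are not
    expected in a question section, so they are rejected rather than followed.
    """
    labels: list[str] = []
    while True:
        if offset >= len(payload):
            raise ValueError("truncated DNS name")
        length = payload[offset]
        if length == 0:
            return labels, offset
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        offset += 1
        labels.append(payload[offset:offset + length].decode("ascii"))
        offset += length


def classify_ip6_ptr(payload: bytes) -> dict:
    """Report whether the queried name is an ip6.arpa PTR name and whether it is complete."""
    labels, _ = parse_qname(payload)
    if tuple(label.lower() for label in labels[-2:]) != IP6_ARPA_SUFFIX:
        return {"ip6_arpa": False}
    nibbles = labels[:-2]
    well_formed = all(len(n) == 1 and n.lower() in "0123456789abcdef" for n in nibbles)
    return {
        "ip6_arpa": True,
        "nibble_labels": len(nibbles),
        # bytes occupied by the leading labels on the wire: one length byte plus the text of each
        "wire_bytes_before_suffix": sum(1 + len(n) for n in nibbles),
        "complete": well_formed and len(nibbles) == FULL_IP6_NIBBLES,
    }


# Constructed sample names, taken from the question above.
FULL_NAME = "9.7.3.1.2.b.e.f.f.f.4.7.0.0.0.0.0.0.0.2.0.0.0.0.0.f.d.0.1.0.0.2.ip6.arpa"
PARTIAL_NAME = "0.0.0.0.2.0.0.0.0.0.f.d.0.1.0.0.2.ip6.arpa"

if __name__ == "__main__":
    for name in (FULL_NAME, PARTIAL_NAME, "example.com"):
        print(name, "->", classify_ip6_ptr(build_dns_query(name)))
```

The same suffix can be matched in a Snort rule with a hex-escaped content option, `content:"|03|ip6|04|arpa|00|";`, which avoids false hits on the dotted text form. Deciding "complete or not" purely from a content match is awkward because the rule would have to anchor on the start of the name and count 32 two-byte labels; a preprocessor-style decode such as the one above is the more reliable way to express that condition.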