Snort mailing list archives

Re: Fwd: snort content matching rules


From: Y M <snort () outlook com>
Date: Thu, 8 May 2014 16:37:34 +0000

The first rule works because you are not exactly looking for content (payload), simply the rule says match on UDP 
traffic from any IP address/port to any IP address on port 53 regardless of what the packets contain, which generally may 
be characterized as DNS traffic/service.
In the second rule, you are trying to match DNS queries of type PTR or reverse lookups based on content (payload) of 
the query. I am not sure what payload you are trying to match on, but in general you should be looking at the specific 
field/location within the packet that denotes the type PTR. I cannot think of a way that you can easily always match on 
this as the queried IP address/domain will have various lengths, not to mention it is in reverse order making it not 
practical. That said, if you change your content match to "|00 0C|" it may hit, though this approach is also not 
practical and will generate lots of false positives.
Hope this helps.
From: jim.reprogle () gmail com
Date: Tue, 6 May 2014 16:53:20 -0500
To: snort-users () lists sourceforge net
Subject: [Snort-users] Fwd: snort content matching rules

I'm new to using snort, so I've been looking around on the various mailing lists, groups, archives, forums, etc. for an 
answer to what appears to be an obvious question but for the life of me I can't find one.


Hopefully this isn't something that's been beaten to death in other threads, but here goes anyway. I've installed 
snort on a CentOS 6.4 machine and have gotten basic alerting working. However, whenever I attempt a simple rule that 
looks at the payload (content) of certain packets, that rule doesn't seem to work at all.

For example, this rule works all day long:

alert udp any any <> any 53 (msg:"DNS Query"; sid:1000001; rev:1;)

However, if I try to make the rule match only on PTR lookups, it stops working entirely.

alert udp any any <> any 53 (msg:"DNS Query"; content:"PTR "; sid:1000001; rev:1;)

I've tried rules using the rawbytes directive, and they don't seem to work either. Please help me out here, as I'm 
certain that I've done something painfully obvious to make these simple content rules not work.

------------------------------------------------------------------------------
Is your legacy SCM system holding you back? Join Perforce May 7 to find out:
• 3 signs your SCM is hindering your productivity
• Requirements for releasing software faster
• Expert tips and advice for migrating your SCM now
http://p.sf.net/sfu/perforce
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!                                        

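A worked illustration of the point made in Y M's reply above, added here as an example and not written by either poster: it builds constructed PTR and A queries, shows that the ASCII string "PTR " never occurs in a DNS query payload, locates the QTYPE field by walking the QNAME labels (the "specific field/location" the reply refers to), and shows why a bare "|00 0C|" byte match also fires on an unrelated A query. The query names and transaction IDs are made up for the demonstration.

```python
import struct

DNS_TYPE_PTR = 0x000C  # QTYPE value for PTR records: the "|00 0C|" bytes from the reply
DNS_TYPE_A = 0x0001


def build_query(txid: int, name: str, qtype: int) -> bytes:
    """Build a minimal DNS query: 12-byte header, QNAME labels, QTYPE, QCLASS=IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)


def question_qtype(payload: bytes) -> int:
    """Walk the variable-length QNAME after the header and return the QTYPE field."""
    off = 12
    while True:
        length = payload[off]
        if length == 0:            # root label terminates the name
            off += 1
            break
        if length & 0xC0:          # compression pointer: not valid in a query QNAME
            raise ValueError("compressed name in question section")
        off += 1 + length
    return struct.unpack(">H", payload[off:off + 2])[0]


def naive_content_match(payload: bytes) -> bool:
    """What a plain content:"|00 0C|" does: look for the two bytes anywhere in the payload."""
    return b"\x00\x0c" in payload


def is_ptr_query(payload: bytes) -> bool:
    """Field-aware check: only the QTYPE position counts, wherever the QNAME ends."""
    return question_qtype(payload) == DNS_TYPE_PTR


# Constructed sample queries (not captured traffic). Reverse lookup of 10.2.3.4:
PTR_QUERY = build_query(0x1234, "4.3.2.10.in-addr.arpa", DNS_TYPE_PTR)
A_QUERY = build_query(0x1234, "www.example.com", DNS_TYPE_A)
# An A query whose first label is 12 characters long: the 0x00 that ends ARCOUNT in
# the header is followed by the label length 0x0C, so "|00 0C|" appears here too.
A_QUERY_FP = build_query(0x1234, "securitydocs.example.com", DNS_TYPE_A)
```

Running the functions over the three samples shows the ASCII "PTR " rule can never fire, the byte match fires on the genuine PTR query but also on the 12-character-label A query, and only the QTYPE-aware check separates the two.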