Snort mailing list archives
Re: Fwd: snort content matching rules
From: Y M <snort () outlook com>
Date: Thu, 8 May 2014 16:37:34 +0000
The first rule works because you are not exactly looking for content (payload), simply the rule says match on UDP traffic from any IP address/port to any IP address on port 53 regardless what the packets contain, which generally may be characterized as DNS traffic/service. In the second rule, you are trying to match DNS queries of type PTR or reverse lookups based on content (payload) of the query. I am not sure what payload you are trying to match on, but in general you should be looking at the specific field/location within the packet that denotes the type PTR. I cannot think of a way that you can easily always match on this as the queried IP address/domain will have various lengths, not to mention it is in reverse order making it not practical. That said, if you change your content match to "|00 0C|" it may hit, though this approach is also not practical and will generate lots of false positives. Hope this helps. From: jim.reprogle () gmail com Date: Tue, 6 May 2014 16:53:20 -0500 To: snort-users () lists sourceforge net Subject: [Snort-users] Fwd: snort content matching rules I'm new to using snort, so I've been looking around on the various mailing lists, groups, archives, forums, etc. for an answer to what appears to be an obvious question but for the life of me I can't find one. Hopefully this isn't something that's been beaten to death in other threads, but here goes anyway. I've installed snort on a CentOS 6.4 machine and have gotten basic alerting working. However, whenever I attempt a simple rule that looks at the payload (content) of certain packets, that rule doesn't seem to work at all. For example, this rule works all day long:alert udp any any <> any 53 (msg:"DNS Query"; sid:1000001; rev:1;) However, if I try to make the rule match only on PTR lookups, it stops working entirely. alert udp any any <> any 53 (msg:"DNS Query"; content:"PTR "; sid:1000001; rev:1;) I've tried rules using the rawbytes directive, and they don't seem to work either. Please help me out here, as I'm certain that I've done something painfully obvious to make these simple content rules not work. ------------------------------------------------------------------------------ Is your legacy SCM system holding you back? Join Perforce May 7 to find out: • 3 signs your SCM is hindering your productivity • Requirements for releasing software faster • Expert tips and advice for migrating your SCM now http://p.sf.net/sfu/perforce _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ Is your legacy SCM system holding you back? Join Perforce May 7 to find out: • 3 signs your SCM is hindering your productivity • Requirements for releasing software faster • Expert tips and advice for migrating your SCM now http://p.sf.net/sfu/perforce
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Fwd: snort content matching rules Jim Reprogle (May 06)
- Re: Fwd: snort content matching rules Y M (May 08)
- Re: Fwd: snort content matching rules Jim Reprogle (May 08)
- Re: Fwd: snort content matching rules Jim Reprogle (May 08)
- Re: Fwd: snort content matching rules Jim Reprogle (May 08)
- Re: Fwd: snort content matching rules Y M (May 08)