Snort mailing list archives

Re: Using DNS response fields in an alert msg


From: Mustafa Qasim <alajal () gmail com>
Date: Thu, 8 Jan 2015 00:48:44 +0500

my 2 cents

You don't need to write a rule for the HTTP and trace back to DNS query log.

If you step back from the HTTP transaction then you can get it done by
writing a simple rule for DNS. OpenDNS blocks pages by returning its own
IP which leads the user to their block page. I just verified the IP, i.e.
67.215.65.130.

You just need to write a rule that checks for this IP in DNS transactions.
It will trigger on all those DNS replies having this IP. The DNS reply packet
also holds the requested domain against which the IP is returned. Here you
will get logs of all those domains which were blocked by OpenDNS and who
requested them.

P.S. Just check if they have multiple IPs to write rules for all of them.


------
*Mustafa Qasim*
GREM, GCFE
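
Added example, not code from either poster or from the snort-dns project: a
small Python parser that does what the thread describes, reads a raw DNS reply
(the UDP payload, no IP/UDP headers), pulls the question name and the A
answers out of it, and flags the reply when an answer is the block-page
address named above (67.215.65.130; the set is a single entry because that is
the only one verified in the thread). It also emits the hex `content` match a
Snort rule would use for that address. The packet builder, the domain
`malicious.example` and the sid 1000001 are constructed for the demo.

```python
import struct
import ipaddress

# Block-page address verified in the thread. Add others only after checking
# them yourself (the thread notes OpenDNS may use more than one).
OPENDNS_BLOCK_IPS = {"67.215.65.130"}


def _read_name(data, offset):
    """Decode a DNS name at `offset`, following RFC 1035 compression
    pointers. Returns (dotted_name, offset_just_after_the_name_field)."""
    labels = []
    end = None          # position after the first pointer, if any
    hops = 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                      # 2-byte pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            hops += 1
            if hops > 32:                              # malformed/looping packet
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:                                # root label terminates
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_dns_response(payload):
    """Return (qname, [(owner_name, ipv4_string), ...]) for the A answers in
    a raw DNS message. Raises ValueError if the QR bit says it is a query."""
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    if not flags & 0x8000:
        raise ValueError("not a DNS response")
    offset = 12
    qname = None
    for _ in range(qd):
        name, offset = _read_name(payload, offset)
        offset += 4                                    # QTYPE + QCLASS
        if qname is None:
            qname = name
    answers = []
    for _ in range(an):
        name, offset = _read_name(payload, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", payload[offset:offset + 10])
        offset += 10
        rdata = payload[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A / IN only
            answers.append((name, str(ipaddress.IPv4Address(rdata))))
    return qname, answers


def blocked_lookup(payload, block_ips=OPENDNS_BLOCK_IPS):
    """(qname, [matching IPs]) when an A answer is a block-page IP, else None.
    This is the name the Snort msg field cannot carry on its own."""
    qname, answers = parse_dns_response(payload)
    hits = [ip for _, ip in answers if ip in block_ips]
    return (qname, hits) if hits else None


def snort_content_for_ip(ip):
    """Hex `content` match for an IPv4 address, e.g. |43 D7 41 82|."""
    return "|" + " ".join("%02X" % b for b in ipaddress.IPv4Address(ip).packed) + "|"


def snort_rule_for_ip(ip, sid=1000001):
    """Illustrative rule in the style the thread suggests (sid is made up)."""
    return ('alert udp any 53 -> $HOME_NET any (msg:"OpenDNS block page returned"; '
            'content:%s; sid:%d; rev:1;)' % (snort_content_for_ip(ip), sid))


def _encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_sample_response(qname, ip, txid=0x1234):
    """Constructed DNS reply: one question, one A answer whose owner name is
    a compression pointer (0xC00C) back to the question name at offset 12."""
    header = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)          # QR=1, RD, RA
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)        # A, IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answer


if __name__ == "__main__":
    pkt = build_sample_response("malicious.example", "67.215.65.130")
    print(blocked_lookup(pkt))
    print(snort_rule_for_ip("67.215.65.130"))
```

The Snort `content` match finds the four address bytes anywhere in the
payload, so in principle it can fire on a reply where those bytes sit in some
other field; the parser above only counts them when they are the RDATA of an
A answer, and it hands back the question name that the alert message alone
does not show.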



On Wed, Jan 7, 2015 at 6:19 PM, David Longenecker <david () 7longeneckers com>
wrote:

Hi snort folks, I'm looking for a bit of education. Forgive me if this is
not the right forum for questions like this.

Over the holiday break, I spent some time with snort and opendns,
inspecting DNS responses to detect potential malicious activity on the
local network. The idea was, opendns does a good job of *blocking*
malicious content by responding with a warning landing page instead of the
actual address; I can use that to *alert* when a blocked page is requested.
I look for several known landing pages in the dns answer record, and
trigger an alert.

It works pretty well, with one shortcoming: the alerts identify the
offending device, but not the name request. I have to go back to the packet
capture afterward to determine the requested domain. Does anyone on this
list have an example of snort parsing a dns response into its component
name and address fields, and using these fields in the alert message?

Project description: http://dnlongen.blogspot.com/snort-dns
Just the rules: https://github.com/dnlongen/snort-dns




------------------------------------------------------------------------------
Dive into the World of Parallel Programming! The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is
your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
