Snort mailing list archives
Re: DNS Rules
From: Luke Ager <luke.ager () icloud com>
Date: Fri, 04 Mar 2016 14:20:50 +0000
Thanks, that's great. Also, what if the domain has a - in it? Some examples I've seen use the |0C| to denote this. If there is a -, do you exclude the length and just put |0C| before that part of the domain name? For instance, This.has-inside.com would be |4|this|0C|has-inside|03|.com|00|? Thanks

Sent from my iPhone
On 4 Mar 2016, at 14:07, Shirkdog <shirkdog () gmail com> wrote:

This is a part of the DNS protocol for the standard notation of names. This website explains it nicely: http://www.tcpipguide.com/free/t_DNSNameNotationandMessageCompressionTechnique.htm

---
Michael Shirk

On Fri, Mar 4, 2016 at 3:08 AM, Luke Ager <luke.ager () icloud com> wrote:

Hi,

I have written rules to detect DNS requests for bad domains before, and usually there has only been a single . in the name, such as baddomain.com; when I write the rule I use baddomain|03|com or something similar. I want to detect some domains which have 2 dots in them, or subdomains such as bad.domain.com, so I looked at some existing Snort rules and noticed |03| is not always used to represent the . character. Here are some examples:

alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|dnsseed|0D|litecointools|03|com|00|"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:30859; rev:1; )

alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|dnsseed|03|ltc|07|xurious|03|com|00|"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:30860; rev:1; )

alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|seed|06|ppcoin|03|net|00|"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:30870; rev:1; )

How should I / what characters should I use to represent the . earlier in the domain name? Will bad|03|domain|03|com work, or does the first |03| need to be something else? If so, how do I determine that (without running Wireshark and looking in the hex)?

Thanks
L

------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
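As an added example (not code posted in this thread), a small Python helper that encodes a domain into DNS wire format, renders it in the two-digit |XX| content notation used by the rules quoted above, and checks a hand-written content string against a constructed query payload before the rule is deployed. The DNS header bytes are constructed sample values; the label-length logic follows the name notation Shirkdog's link describes.

```python
"""Encode DNS names the way a Snort content match sees them on the wire."""
import re

def dns_wire_name(domain: str) -> bytes:
    """DNS wire format: one length byte per label, label bytes verbatim, 0x00 terminator.
    A '-' or digit inside a label is just another byte; only the '.' separators disappear."""
    labels = [lab for lab in domain.strip(".").split(".") if lab]  # tolerate a trailing root dot
    out = bytearray()
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:  # RFC 1035 label length limit
            raise ValueError(f"label {label!r} must be 1-63 bytes")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)

def snort_content(domain: str) -> str:
    """Render the wire-format name in Snort's mixed notation: printable label text,
    length bytes and the terminator as two-digit uppercase hex between pipes."""
    parts = [f"|{len(lab):02X}|{lab}" for lab in domain.strip(".").split(".") if lab]
    return "".join(parts) + "|00|"

def content_to_bytes(content: str) -> bytes:
    """Expand a Snort content string (text plus |hex| runs) into the raw bytes it matches."""
    out = bytearray()
    for piece in re.split(r"(\|[0-9A-Fa-f ]+\|)", content):
        if piece.startswith("|") and piece.endswith("|"):
            out += bytes.fromhex(piece.strip("|"))  # fromhex accepts "0D 0A" style spacing
        else:
            out += piece.encode("ascii")
    return bytes(out)

def matches_query(content: str, qname: str) -> bool:
    """Would this content match a DNS query for qname? Builds a constructed query
    (sample ID 0x1234, RD flag set, QDCOUNT=1, QTYPE A, QCLASS IN) and searches its payload."""
    header = bytes.fromhex("1234 0100 0001 0000 0000 0000")  # constructed header values
    payload = header + dns_wire_name(qname) + b"\x00\x01\x00\x01"
    return content_to_bytes(content) in payload

if __name__ == "__main__":
    for name in ("dnsseed.litecointools.com", "this.has-inside.com"):
        print(name, "->", snort_content(name))
```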
Current thread:
- DNS Rules Luke Ager (Mar 04)
- Re: DNS Rules Shirkdog (Mar 04)
- Re: DNS Rules Luke Ager (Mar 04)
- Re: DNS Rules Shirkdog (Mar 04)
- Re: DNS Rules Luke Ager (Mar 04)
- Re: DNS Rules Shirkdog (Mar 04)