Re: DNS Rules

[Luke Ager <luke.ager () icloud com>]

Thanks that's great. 

also, what if the domian has a - in it...

some examples ive seen use the |0C| to denote this. 

If there is a - do you exlude the length and just put |0C| before that part of the domain name for instance. 

This.has-inside.com

would be

|4|this|0C|has-inside|03|.com|00|

thanks
Sent from my iPhone

> On 4 Mar 2016, at 14:07, Shirkdog <shirkdog () gmail com> wrote:
>
> This is a part of the DNS protocol for the standard notation of names.
> This website explains it nicely:
>
> http://www.tcpipguide.com/free/t_DNSNameNotationandMessageCompressionTechnique.htm
>
>
> ---
> Michael Shirk
>
>
> > On Fri, Mar 4, 2016 at 3:08 AM, Luke Ager <luke.ager () icloud com> wrote:
> > Hi I have wrote rules to detect DNS requests for bad domains before and
> > usually have only been a single . in the name such as baddomain.com and when
> > i write the rule i use baddomain|03|com or something similar.
> >
> > I want to detect some domians which have 2 dots in them, or subdomians such
> > as bad.domain.com so i looked at some exisitng snort rules and noticed |03|
> > is not always used to represent the . character.
> >
> > here are some examples.
> >
> > alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known
> > bitcoin domain dnsseed.litecointools.com"; flow:to_server;
> > byte_test:1,!&,0xF8,2; content:"|07|dnsseed|0D|litecointools|03|com|00|";
> > fast_pattern:only; metadata:service dns; classtype:policy-violation;
> > sid:30859; rev:1; )
> >
> >    alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known
> > bitcoin domain dnsseed.ltc.xurious.com"; flow:to_server;
> > byte_test:1,!&,0xF8,2; content:"|07|dnsseed|03|ltc|07|xurious|03|com|00|";
> > fast_pattern:only; metadata:service dns; classtype:policy-violation;
> > sid:30860; rev:1; )
> >
> >    alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known
> > bitcoin domain seed.ppcoin.net"; flow:to_server; byte_test:1,!&,0xF8,2;
> > content:"|04|seed|06|ppcoin|03|net|00|"; fast_pattern:only; metadata:service
> > dns; classtype:policy-violation; sid:30870; rev:1; )
> >
> > How should I/What characters should I use to represent the . earlier in the
> > domian name. will bad|03|domain|03|com work or does the first |03| need to
> > be something else... if so how, how do i determine that?
> >
> > (without running wireshark and looking in the hex)
> >
> >
> > thanks
> > L
> >
> > ------------------------------------------------------------------------------
> > Site24x7 APM Insight: Get Deep Visibility into Application Performance
> > APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
> > Monitor end-to-end web transactions and take corrective actions now
> > Troubleshoot faster and improve end-user experience. Signup Now!
> > http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest Snort
> > news!
------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!