Snort mailing list archives

DNS Servers
From: Mikey van der Worp <mvdworp () utelisys com>
Date: Fri, 17 May 2013 13:29:15 +0200

Hi there,

Does somebody have a proper rule for DNS server detection?

We don't want users to run DNS servers on their computer/router.
I'm currently using the following rules, which I have created:


alert udp $HOME_NETWORK,!$DNS_SERVERS 53 -> !$DNS_SERVERS any (msg: " IP running an DNS Server."; priority:3; 
alert tcp $HOME_NETWORK,!$DNS_SERVERS 53 -> !$DNS_SERVERS any (msg: " IP running an DNS Server."; priority:3; 

The problem with these rules is that they detect every DNS server, even when they reply back to the "client" -> 
REFUSED. So our Threat Management System blocks the user.
Maybe somebody has any ideas?

What it needs to do is basically grep all the users who have a DNS server running and listening to the world.


Utelisys Communications B.V.
Tel: +31 (0) 20 561 8010
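
The REFUSED case described in the post above, as an added example that is not part of the original message: a DNS reply carries its response code in the low four bits of the flags word at bytes 2-3 of the payload, so a detection can skip REFUSED replies and fire only on answered ones. The addresses, the "outside the home network" test and all function names are assumptions made for this sketch, and the packets are constructed.

```python
import ipaddress
import struct

# Constructed values for the example; not from the original post.
HOME_NET = ipaddress.ip_network("192.0.2.0/24")
DNS_SERVERS = {ipaddress.ip_address("192.0.2.53")}
RCODE_NOERROR, RCODE_REFUSED = 0, 5

def classify_dns_reply(payload: bytes) -> str:
    """Classify a UDP payload sent from source port 53 by its DNS header."""
    if len(payload) < 12:                      # DNS header is 12 bytes
        return "not-dns"
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", payload[:12])
    if not flags & 0x8000:                     # QR bit clear: a query
        return "query"
    rcode = flags & 0x000F                     # low 4 bits of the flags word
    if rcode == RCODE_REFUSED:
        return "refused"
    if rcode == RCODE_NOERROR and ancount > 0:
        return "answered"
    return "other-reply"

def should_alert(src: str, dst: str, payload: bytes) -> bool:
    """Alert only when a non-approved internal host answers an outside client."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in HOME_NET or s in DNS_SERVERS or d in HOME_NET:
        return False
    return classify_dns_reply(payload) == "answered"

def make_reply(flags: int, ancount: int) -> bytes:
    """Build a constructed DNS header plus a question for example.com A/IN."""
    question = b"\x07example\x03com\x00" + struct.pack("!2H", 1, 1)
    return struct.pack("!6H", 0x1234, flags, 1, ancount, 0, 0) + question

ANSWERED = make_reply(0x8180, 1)   # QR=1, RD, RA, RCODE=0, one answer
REFUSED = make_reply(0x8105, 0)    # QR=1, RD, RCODE=5 (REFUSED)

if __name__ == "__main__":
    for name, pkt in (("answered", ANSWERED), ("refused", REFUSED)):
        print(name, should_alert("192.0.2.77", "198.51.100.9", pkt))
```

Only the 12-byte header is parsed, so the constructed "answered" packet carries an answer count without the answer records themselves.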