Snort mailing list archives
Re: DNS Rules
From: Shirkdog <shirkdog () gmail com>
Date: Fri, 4 Mar 2016 09:07:57 -0500
This is a part of the DNS protocol for the standard notation of names. This website explains it nicely: http://www.tcpipguide.com/free/t_DNSNameNotationandMessageCompressionTechnique.htm
---
Michael Shirk

On Fri, Mar 4, 2016 at 3:08 AM, Luke Ager <luke.ager () icloud com> wrote:
Hi, I have written rules to detect DNS requests for bad domains before, and
usually they have only had a single . in the name, such as baddomain.com, and when
I write the rule I use baddomain|03|com or something similar.
I want to detect some domains which have 2 dots in them, or subdomains such
as bad.domain.com, so I looked at some existing Snort rules and noticed |03|
is not always used to represent the . character.
Here are some examples.
alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|dnsseed|0D|litecointools|03|com|00|"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:30859; rev:1; )

alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|dnsseed|03|ltc|07|xurious|03|com|00|"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:30860; rev:1; )

alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|seed|06|ppcoin|03|net|00|"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:30870; rev:1; )
How should I / what characters should I use to represent the . earlier in the
domain name? Will bad|03|domain|03|com work, or does the first |03| need to
be something else? If so, how do I determine that?
(without running Wireshark and looking in the hex)
Thanks,
L
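The point behind Michael's answer, as an added example that is not part of either message in the thread: the byte between the pipes is the length of the label that follows it (RFC 1035 section 3.1), not a stand-in for the dot. That is why the three posted rules show |07| before "dnsseed" (7 characters), |0D| before "litecointools" (13) and |03| before "com" (3), and why the name is closed with |00|. The Python below encodes a name into that wire format, renders it in Snort content notation, and reproduces the byte_test:1,!&,0xF8,2 flags check from the posted rules against a DNS query it constructs itself. The domain bad.domain.com and the other sample inputs are constructed for illustration.

```python
"""Added example: DNS QNAME wire format and the Snort content notation for it.

A QNAME is a sequence of labels, each preceded by a one-byte length, ended by
a zero byte (RFC 1035 section 3.1). The |03| seen before "com" in Snort rules
is the length of the label "com", not an encoding of the dot, so the prefix
changes from label to label.
"""
import struct

# Constructed sample name, not taken from the original post.
SAMPLE_DOMAIN = "bad.domain.com"


def dns_wire_name(domain: str) -> bytes:
    """Encode a domain name as DNS wire-format labels: <len><label>...<0>."""
    out = bytearray()
    for label in domain.strip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:          # RFC 1035: labels are 1..63 octets
            raise ValueError(f"label {label!r} must be 1..63 bytes")
        out.append(len(raw))
        out += raw
    out.append(0)                            # root label terminates the name
    if len(out) > 255:                       # RFC 1035: names are at most 255 octets
        raise ValueError("encoded name exceeds 255 bytes")
    return bytes(out)


def snort_content(domain: str) -> str:
    """Render the wire-format name the way a Snort content option writes it:
    length prefixes and the terminator as |XX| hex, label text left literal."""
    parts = []
    for label in domain.strip(".").split("."):
        parts.append(f"|{len(label.encode('ascii')):02X}|{label}")
    return "".join(parts) + "|00|"


def build_query(domain: str, flags: int = 0x0100, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS message: 12-byte header plus one question (A, IN).
    flags=0x0100 is a standard query with RD set; 0x8180 would be a response."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + dns_wire_name(domain) + struct.pack("!HH", 1, 1)


def is_standard_query(pkt: bytes) -> bool:
    """Same test as byte_test:1,!&,0xF8,2 in the posted rules: the byte at
    offset 2 of the DNS payload holds QR and the 4-bit opcode in its top
    five bits, and none of them may be set for a standard query."""
    return (pkt[2] & 0xF8) == 0


def content_matches(pkt: bytes, domain: str) -> bool:
    """An unanchored content match: the wire-format name anywhere in the payload."""
    return dns_wire_name(domain) in pkt


if __name__ == "__main__":
    for name in ("dnsseed.litecointools.com", "seed.ppcoin.net", SAMPLE_DOMAIN):
        print(f'{name:28} content:"{snort_content(name)}";')
    q = build_query(SAMPLE_DOMAIN)
    print("standard query:", is_standard_query(q))
    print("matches bad.domain.com:", content_matches(q, "bad.domain.com"))
    # The parent zone's encoding is a suffix of every child name, so a content
    # for domain.com also fires on bad.domain.com.
    print("matches domain.com:", content_matches(q, "domain.com"))
    # DNS names are case-insensitive, a Snort content match is not unless
    # the rule adds nocase.
    print("matches BAD.domain.com:", content_matches(q, "BAD.domain.com"))
```

So for the name in the question the content is |03|bad|06|domain|03|com|00|, and the first |03| is only 03 because "bad" happens to be three characters long. Two things worth keeping in mind when writing such rules: a content for the parent zone (|06|domain|03|com|00|) is a substring of every subdomain's QNAME and will match all of them, which may or may not be what you want; and DNS names are case-insensitive while content is case-sensitive by default, so add nocase if a client might send mixed-case names. The compression pointers the linked page describes (a 0xC0 byte followed by an offset) appear in responses, not in the QNAME of a query, so they do not affect to_server rules like the ones above.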
------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort
news!
Current thread:
- DNS Rules Luke Ager (Mar 04)
- Re: DNS Rules Shirkdog (Mar 04)
- Re: DNS Rules Luke Ager (Mar 04)
- Re: DNS Rules Shirkdog (Mar 04)
- Re: DNS Rules Luke Ager (Mar 04)
- Re: DNS Rules Shirkdog (Mar 04)
