From: Mikey van der Worp (mvdworp utelisys.com)
Date: Mon Jun 03 2013 - 08:53:03 CDT
Hi,
Thanks for the reply.
Does anybody have any other solutions?
Because when I need to do this.. I need to set up an entire new environment with Virtual Servers etc etc.
Greatz,
Mikey
From: Joel Esler [mailto:jesler sourcefire.com]
Sent: Monday, June 3, 2013 15:46
To: Mikey van der Worp
CC: snort-users lists.sourceforge.net
Subject: Re: [Snort-users] DNS Packets
On Jun 3, 2013, at 8:57 AM, Mikey van der Worp <mvdworp utelisys.com> wrote:
Hi there
I've got several rules.. But none of them are working properly..
"How to detect a DNS Query Reply -> OK"..
This is something I've created a couple of days ago... Doesn't work as it should.. This detects "all queries".. Even when it's refused...
I would take the packet capture you have and throw it into wireshark and learn which bytes in the packet you have indicate a "Query Reply -> OK" response, and write a rule to detect that sequence of bytes.
--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
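
Added example, not part of the original thread: a short Python decoder for the fixed DNS header, showing which bytes separate a successful reply from a query or a refused reply (the QR bit in payload byte 2 and the RCODE nibble in payload byte 3). The sample packets are constructed, the function names are hypothetical, and it assumes DNS over UDP, where the header starts at payload offset 0.

```python
import struct

# Constructed sample payloads (UDP DNS, no TCP length prefix); not from the thread.
QUESTION = b"\x07example\x03com\x00" + struct.pack("!2H", 1, 1)  # example.com A IN
ANSWER = b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
QUERY = struct.pack("!6H", 0x1A2B, 0x0100, 1, 0, 0, 0) + QUESTION
REPLY_OK = struct.pack("!6H", 0x1A2B, 0x8180, 1, 1, 0, 0) + QUESTION + ANSWER
REPLY_REFUSED = struct.pack("!6H", 0x1A2B, 0x8105, 1, 0, 0, 0) + QUESTION

# Subset of RCODE values defined in RFC 1035.
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
          3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def parse_dns_header(payload):
    """Decode the fixed 12-byte DNS header at the start of a UDP payload."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", payload[:12])
    return {
        "id": txid,
        "qr": flags >> 15,              # payload byte 2, mask 0x80: 1 = response
        "opcode": (flags >> 11) & 0xF,  # payload byte 2, mask 0x78: 0 = standard query
        "rcode": flags & 0xF,           # payload byte 3, mask 0x0F: 0 = no error
        "ancount": ancount,
    }


def is_ok_reply(payload):
    """True only for a standard-query response whose RCODE is NOERROR."""
    try:
        h = parse_dns_header(payload)
    except ValueError:
        return False
    return h["qr"] == 1 and h["opcode"] == 0 and h["rcode"] == 0


def describe(payload):
    h = parse_dns_header(payload)
    kind = "response" if h["qr"] else "query"
    return f"{kind} rcode={RCODES.get(h['rcode'], h['rcode'])} answers={h['ancount']}"


if __name__ == "__main__":
    for name, pkt in (("query", QUERY), ("ok", REPLY_OK), ("refused", REPLY_REFUSED)):
        print(f"{name:8} flags={pkt[2:4].hex()} ok_reply={is_ok_reply(pkt)} {describe(pkt)}")
```

A rule that only looks for the query name matches all three packets; the two flag bytes are what tell them apart.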