[Oisf-users] Turn off flow tracking?

Jason Ish lists at unx.ca
Fri Jan 6 22:07:32 UTC 2017


On Fri, Jan 6, 2017 at 2:17 PM, Michael J. Sheldon <msheldon at godaddy.com>
wrote:

> I have definitely considered converting the rule to be udp packet rather
> than dns
>
> But:
> drop udp $EXTERNAL_NET any -> $INTERNET_NET $DNS_PORTS (msg:"DROP Config
> sourcenetwork filter test"; flow:to_server; pcre:"/example.com/i";
> nocase; sid:3110039;)
>
> Will not work, since the domain name is encoded. Probably need to be
> something like:
> drop udp $EXTERNAL_NET any -> $INTERNET_NET $DNS_PORTS (msg:"DROP Config
> sourcenetwork filter test"; flow:to_server; pcre:"/\07example\03com/i";
> nocase; sid:3110039;)
>
> I had been looking at:
> drop udp $EXTERNAL_NET any -> $INTERNET_NET $DNS_PORTS (msg:"DROP Config
> sourcenetwork filter test"; flow:to_server;content:"|07|example|03|com";
> nocase; sid:3110039;)
>

That's why I was using the pcre; the "." should match any byte, but of
course it's not as precise or performant as matching on the encoded hostname.


>
> At this point, it begs the question, do I even need to turn the dns
> protocol filter on?
>

No, not really.  I was hoping that you could still write the rule as "drop
dns ..." with detection on, but that appears to not work with
"detection-only" which is something else I'm going to look at real soon now.

Jason
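Added illustration (not part of the thread, and not Suricata's or the rule author's code) of the point the two replies turn on: in a DNS query the name is carried as length-prefixed labels, so a literal "example.com" content match never fires, the pcre "." wildcard matches the length byte by accident, and "|07|example|03|com" matches the encoded form exactly. The DNS packet bytes, transaction id and query names below are constructed for the example.

```python
import re
import struct


def encode_dns_name(name: str) -> bytes:
    """Wire-format encoding of a hostname: each label is prefixed by its
    length byte and the name ends with a zero-length root label (RFC 1035 3.1)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"invalid label: {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def suricata_content(name: str) -> str:
    """Render the encoded labels in Suricata content: syntax, e.g. |07|example|03|com.
    The trailing root byte is left off, mirroring the rule quoted in the thread,
    so the pattern also matches when the name continues with more labels."""
    return "".join(f"|{len(label):02x}|{label}" for label in name.rstrip(".").split("."))


def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """Constructed sample payload: a minimal DNS query (12-byte header plus one
    question). Transaction id and flags are arbitrary values for the example."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    return header + encode_dns_name(name) + struct.pack("!HH", qtype, 1)


def match_content(payload: bytes, needle: bytes) -> bool:
    """Substring match with nocase semantics (case-insensitive)."""
    return needle.lower() in payload.lower()


def match_pcre(payload: bytes, pattern: bytes, dotall: bool = False) -> bool:
    """Regex match with the /i flag; dotall=True corresponds to adding /s,
    without which "." does not match 0x0a (a 10-byte label length)."""
    flags = re.IGNORECASE | (re.DOTALL if dotall else 0)
    return re.search(pattern, payload, flags) is not None


def compare_matchers(queried_name: str, target: str = "example.com") -> dict:
    """Run the three approaches from the thread against a query for queried_name:
    the literal string, the pcre with an unescaped "." as written in the rule,
    and the length-encoded content match."""
    payload = build_dns_query(queried_name)
    return {
        "literal_content": match_content(payload, target.encode("ascii")),
        "pcre_dot_wildcard": match_pcre(payload, target.encode("ascii")),
        "encoded_content": match_content(payload, encode_dns_name(target)[:-1]),
    }


if __name__ == "__main__":
    print(suricata_content("example.com"))
    for qname in ("example.com", "EXAMPLE.COM", "examplexcom.net"):
        print(qname, compare_matchers(qname))
```

Running it shows the imprecision Jason mentions: a query for "examplexcom.net" satisfies the pcre (the "." swallows the "x") but not the encoded content match, and a name with a 10-character label puts 0x0a where the "." sits, which the pcre misses unless the /s flag is added.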