
This is likely a beginner's misunderstanding.

System is: Ubuntu AMD64, 14.04.03 LTS; installed Snort with default configuration.

I am writing a Snort rule that deals with DNS responses. In order to make sure everything was working I wrote the following rule:

alert udp any any -> any any (msg:"UDP"; sid:10000001; rev:001;)

I'm then using the -r file.pcap option with Snort to test my rule.

My pcap file has 4 packets in it:

  1. DNS request for an A record.
  2. DNS response for A record.
  3. DNS request for TXT record.
  4. DNS response for TXT record.

Both client and server are on the same /24 network. Default server-side DNS port (53) is used.

When I run Snort against my pcap it alerts on the requests, but not the responses. I even tried running Snort 'live' and using dig to generate the DNS requests. Same behaviour: alerts on requests, but not responses.

$ snort -A console -q -u snort -g snort -c snort.conf -r dns.pcap 
11/05-19:13:00.754320  [**] [1:10000001:1] UDP [**] [Priority: 0] {UDP} 192.168.188.11:35977 -> 192.168.188.10:53
11/05-19:13:15.734932  [**] [1:10000001:1] UDP [**] [Priority: 0] {UDP} 192.168.188.11:50795 -> 192.168.188.10:53

Why doesn't Snort alert on the responses?


1 Answer


As per this question, adding -k none, which disables checksum validation, results in all four packets being alerted upon.

As a pcap file is being read, I don't quite understand why the checksum can't be calculated, but I guess that's actually a different question.

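Checksum verification is exactly what -k none switches off, so the practical check is to see which packets in the capture actually fail it before disabling verification for everything. The Python script below is an added example (not part of the question or answer): it recomputes the RFC 768 UDP checksum for every IPv4/UDP packet in a classic libpcap file with an Ethernet link layer, treating a zero IPv4 UDP checksum as "absent" rather than "bad", which is also how Snort's decoder treats it. Packets captured on the host that transmitted them commonly carry wrong checksums when the NIC fills them in (checksum offload), which is the usual reason a pcap trips this check; build_udp4_frame is a helper that constructs sample frames for testing and is not a Snort API.

```python
import socket
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def udp_checksum(src: bytes, dst: bytes, udp: bytes) -> int:
    """RFC 768 checksum over the IPv4 pseudo-header and the UDP segment (checksum field zeroed).
    A computed zero is sent as 0xFFFF, because a zero on the wire means "no checksum"."""
    pseudo = src + dst + b"\x00\x11" + struct.pack("!H", len(udp))
    return (0xFFFF & ~ones_complement_sum(pseudo + udp[:6] + b"\x00\x00" + udp[8:])) or 0xFFFF

def udp_checksum_status(frame: bytes) -> str:
    """Classify one Ethernet frame: 'ok', 'bad', 'absent' (IPv4 zero checksum) or 'not-udp4'."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return "not-udp4"
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    udp = ip[ihl:total_len]  # drops any Ethernet trailer padding
    received = struct.unpack("!H", udp[6:8])[0]
    if received == 0:
        return "absent"
    return "ok" if udp_checksum(ip[12:16], ip[16:20], udp) == received else "bad"

def build_udp4_frame(src_ip, dst_ip, sport, dport, payload, checksum=None) -> bytes:
    """Constructed Ethernet/IPv4/UDP frame for testing; checksum=None fills in a correct one."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    if checksum is None:
        checksum = udp_checksum(src, dst, udp)
    udp = udp[:6] + struct.pack("!H", checksum) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", 0xFFFF & ~ones_complement_sum(ip)) + ip[12:]
    return b"\x00" * 12 + b"\x08\x00" + ip + udp  # zeroed MAC addresses; irrelevant here

def check_pcap(data: bytes):
    """Yield (packet number, status) per record of a classic Ethernet pcap (data = open(path, 'rb').read())."""
    endian = "<" if data[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1") else ">"
    off, number = 24, 0
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        number += 1
        yield number, udp_checksum_status(data[off + 16:off + 16 + incl_len])
        off += 16 + incl_len
```

Running list(check_pcap(open("dns.pcap", "rb").read())) gives one status per packet, numbered the same way Snort and tcpdump number them, so the two responses can be compared directly with the two requests that did alert. If only the responses come back "bad", the capture host's checksum offload is the likely culprit and -k none is a reasonable setting for reading that file, but it also disables the check for the requests and for live traffic.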