snort rule for DNS query

Greetings,
I am trying to configure a rule in the local.rules file to capture DNS queries for malwaresite.ru. The following rule is not working

alert udp any any <> any 53 (msg:"DNS request of bad URL"; content:"malwaresite.ru"; sid:1232313;)

Thank you.
centemAsked:
Who is Participating?
 
Rich RumbleSecurity SamuraiCommented:
Well it "is valid" but not for UDP really, and you shouldn't need a bidirectional rule like that for DNS. Since your doing "any any -> any 53" snort has no idea what direction to use already, so it's almost implied bidirectional, but still isn't technically.
-rich
0
 
Rich RumbleSecurity SamuraiCommented:
The <> is incorrect syntax, it should be -> only, this "arrow" always faces right and will not work in any other direction. It actually does nothing to affect the rule, it's just part of the syntax.
-rich
0
 
centemAuthor Commented:
Thanks richrumble. I seem to catch all DNS query request. I noticed during my internet searches the inclusion of a long hex representation. Do I need to reqresent the domain in hex in order for it to only fire off for that specific domain?
0
 
Rich RumbleSecurity SamuraiCommented:
No, hex is slightly faster technically to match rules, but it's not necessary. Also note that making your string case insensitive with the "nocase" switch does not work with hex. So Example.com would not be matched if you used the hex of "example.com" Hex is how the packets are seen by the OS/kernel, converting them to "ascii" or strings is trivial for snort, but not necessary.
-rich
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.