
Snort Rule to Alert DNS that has ACK

What way can I write a rule to alert me of a DNS packet that has an ACK when it shouldn't? I'm quite confused on this.

This is what I see in Wireshark:

Acknowledgment Number: 0x000001a4 [should be 0x00000000 because ACK flag is not set]

But I want a rule that will alert me.

This rule below isn't working for me.

alert tcp any any -> 192.168.10.2 53 (msg:"MALFORMED DNS QUERY"; flags: A; ack:0; sid:10501;)

The above won't show in my alert log. But if I remove flags: and ack: it will.

When the ACK flag is set the acknowledgment number will never be "0", so this rule will not function as is.

Without "ack:" the only check in the rule is for an ACK flag set (rule header aside). If you are running DNS over TCP you will see the ACK flag set as a normal part of the TCP conversation, i.e. each endpoint acknowledging received TCP segments.

What you're seeing in Wireshark:

Acknowledgment Number: 0x000001a4 [should be 0x00000000 because ACK flag is not set]

might be part of the expert info telling you that the acknowledgment number is non-zero when it should be (for instance, when a TCP connection is initiated the first packet should only have the SYN flag set).

I'm really not sure what you are trying to accomplish here.
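To make the answer's point concrete, here is an added illustration (not code from either post, and not Snort itself): the two predicates are re-implemented over raw TCP headers. `rule_flags_a_ack_0` is the questioner's `flags:A; ack:0;` test, and `ack_number_without_ack_flag` is the condition Wireshark's expert info is reporting. The sample segments are constructed for the demonstration.

```python
import struct

# First 20 bytes of a TCP header (RFC 793 layout):
# sport, dport, seq, ack, data offset/reserved, flags, window, checksum, urgent ptr
TCP_HDR_FMT = "!HHIIBBHHH"
TH_SYN = 0x02
TH_ACK = 0x10


def parse_tcp(segment: bytes):
    """Return (ack_flag_set, ack_number) from a TCP header."""
    _sp, _dp, _seq, ack, _off, flags, _win, _csum, _urg = struct.unpack(
        TCP_HDR_FMT, segment[:20])
    return bool(flags & TH_ACK), ack


def rule_flags_a_ack_0(segment: bytes) -> bool:
    """The questioner's rule body: flags:A AND ack:0 (never true on real traffic)."""
    ack_set, ack = parse_tcp(segment)
    return ack_set and ack == 0


def ack_number_without_ack_flag(segment: bytes) -> bool:
    """What Wireshark flags: ACK bit clear, yet the ack number field is non-zero."""
    ack_set, ack = parse_tcp(segment)
    return (not ack_set) and ack != 0


def build_tcp(flags: int, ack: int, seq: int = 1000, dport: int = 53) -> bytes:
    """Constructed 20-byte TCP header (checksum left at 0) for the demo."""
    return struct.pack(TCP_HDR_FMT, 40000, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)


# Constructed sample segments toward port 53
SAMPLES = {
    "normal ACK in a DNS-over-TCP session": build_tcp(TH_ACK, 0x1a4),
    "clean SYN (no ACK, ack number 0)": build_tcp(TH_SYN, 0),
    "SYN with stray ack number 0x1a4": build_tcp(TH_SYN, 0x1a4),
}


def evaluate(samples=SAMPLES):
    """Map each sample to (questioner's rule matched, ACK-clear-but-ack!=0 matched)."""
    return {name: (rule_flags_a_ack_0(seg), ack_number_without_ack_flag(seg))
            for name, seg in samples.items()}


if __name__ == "__main__":
    for name, (q_rule, malformed) in evaluate().items():
        print(f"{name}: flags:A;ack:0 -> {q_rule}, ACK clear but ack!=0 -> {malformed}")
```

Only the third sample trips the second predicate, and none trips the first, which is why the posted rule stays silent.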
