SNORT DNS inspection
-
I am thinking about SNORT again since I have upgraded to 24.03. Will SNORT inspect DNS packets?
I am using Forwarding to QUAD9 so no encryption just basic DNS port 53. I thought I have read it somewhere but I may have read it on SNORT's site.
I guess I have to run it on the WAN side. I was kind of thinking of using the LAN side to reduce load.
I have an i3 6100T.
-
What exactly do you want to inspect in DNS packets? What is your goal with that activity?
Snort by itself will do nothing. You must download and/or create text rules to actually inspect traffic. For DNS, you will need to either write your own rules to accomplish your goal or you will need to see if a third-party vendor has suitable rules you can download and use.
Here is a link to a PDF document published by Proofpoint that describes each of the 50 rule categories published by them in the Emerging Threats rules package: https://tools.emergingthreats.net/docs/ETPro%20Rule%20Categories.pdf. You may find some suitable DNS inspection rules from them.
Here is a collection of DNS rules geared toward malicious domain lookups. These are optimized for Suricata, so they may or may not perform well in Snort: https://github.com/seanlinmt/suricata/blob/master/files/rules/emerging-dns.rules.
-
@bmeeks
I was thinking of maybe DNS.txt if it has machine language in it. Are there rules out there?
I don't know anything about writing rules. When I ran it in the past it was set up to download rules.
Maybe if the DNS is intercepted and changed on routing. QUAD9 is trying to do all the work. Will Suricata do it more so than SNORT?
-
@coxhaus said in SNORT DNS inspection:
@bmeeks
I was thinking of maybe DNS.txt if it has machine language in it. Are there rules out there?
I don't know anything about writing rules. When I ran it in the past it was set up to download rules.
Maybe if the DNS is intercepted and changed on routing. QUAD9 is trying to do all the work. Will Suricata do it more so than SNORT?
Suricata offers much more extensive logging through its EVE JSON system than does Snort. Also, you should consider that Snort on pfSense is the older 2.9.x binary version and not the newer 3.0 branch. There is currently nothing in the works to move Snort to the 3.0 branch, so whenever upstream Cisco/Talos pulls the plug on the Snort 2.9.x binary branch Snort will be dead. There have been no upstream additions or updates for the Snort 2.9.x branch for the last two years (and I don't expect any).
I'm not sure if you can find third-party rules to examine the DNS TXT records or not. Never have researched that. Google searches will be your friend when trying to locate something.
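Added example, not code from this thread, Snort or Suricata: what "inspecting DNS TXT records" comes down to in practice is parsing the answer section of a DNS response, extracting the TXT strings, and applying a check such as length or entropy to spot payload-carrying records; this script does that on constructed packets, and the function names, thresholds and sample data are all assumptions of the example.

```python
# Added example (not from the thread, Snort or Suricata): pull TXT answers out
# of a DNS response and flag ones that look like smuggled data, which is the
# check a DNS TXT inspection rule would have to express. Inputs are constructed.
import math
import struct
def read_name(pkt, off):
    """Return (name, offset after the name), following 0xC0 compression pointers."""
    labels, end = [], None
    while True:
        n = pkt[off]
        if n & 0xC0 == 0xC0:                        # pointer: name continues elsewhere
            end = end if end is not None else off + 2
            off = ((n & 0x3F) << 8) | pkt[off + 1]
            continue
        off += 1
        if n == 0:
            break
        labels.append(pkt[off:off + n].decode("ascii", "replace"))
        off += n
    return ".".join(labels), end if end is not None else off
def txt_records(pkt):
    """Yield (owner, text) for every TXT record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", pkt[4:8])
    off = 12
    for _ in range(qdcount):                        # skip the question section
        off = read_name(pkt, off)[1] + 4            # + QTYPE and QCLASS
    for _ in range(ancount):
        owner, off = read_name(pkt, off)
        rtype, rdlen = struct.unpack("!H6xH", pkt[off:off + 10])   # skip class/TTL
        rdata, off = pkt[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 16:                             # TXT: one or more <len><chars>
            text, i = b"", 0
            while i < len(rdata):
                text, i = text + rdata[i + 1:i + 1 + rdata[i]], i + 1 + rdata[i]
            yield owner, text.decode("latin-1")
def entropy(s):
    """Shannon entropy of a string in bits per character."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))
def suspicious_txt(pkt, max_len=100, max_entropy=4.5):
    """TXT answers that are unusually long or unusually random-looking."""
    return [(o, t) for o, t in txt_records(pkt) if len(t) > max_len or entropy(t) > max_entropy]
def make_txt_response(qname, txt):
    """Constructed DNS response with a single TXT answer (txt under 256 bytes)."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    rdata = bytes([len(txt)]) + txt.encode()
    return (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)      # header, 1 Q / 1 A
            + labels + b"\x00\x10\x00\x01"                           # question: TXT IN
            + b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 3600, len(rdata)) + rdata)
```

A normal SPF record passes both checks, while a record made of 32 distinct characters scores 5.0 bits per character and is flagged; the thresholds are starting points to tune against your own resolver's traffic.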