Snort on WAN interface not alerting on rules for DNS queries



  • I noticed that Snort running on the WAN interface of my pfSense does not alert on rules that are for specific DNS queries.

    I first noticed this with a custom rule that wasn't working, but then tested with some of the ET rules and they are not working either. If I do an nslookup msupdate.ath.cx, I don't get any alerts in Snort on my pfSense.

    I am currently running Snort on a standalone box on my LAN and it does alert. (It is looking at LAN traffic and the DNS query from my computer to the pfSense DNS resolver.)

    The rule below is enabled on both copies of Snort. My $HOME_NET variable in Snort on my pfSense is default, so it includes my WAN IP address and DNS servers. The DNS server that is the destination for this traffic is in my Pass List; would this be causing the alert to not fire? (I have the DNS Resolver on my pfSense set to forward DNS queries to OpenDNS.)

    If that isn't it, any thoughts on what could be going on and why this rule wouldn't be alerting on Snort running on pfSense?

    alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Careto Mask DNS Lookup (msupdate.ath.cx)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|msupdate|03|ath|02|cx|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3159; classtype:trojan-activity; sid:2021712; rev:1;)
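As an added example (not part of the original post, and not Snort's or pfSense's own code), the snippet below models the rule's two content checks in Python and runs them over constructed DNS queries. It assumes one plausible difference between the client's query seen on the LAN and the resolver's forwarded query seen on the WAN: the forwarder appends an EDNS0 OPT record, so ARCOUNT becomes 1 and the rule's first 10-byte header pattern (which requires AN/NS/AR counts of zero) no longer matches. The transaction ID and query names are constructed sample values.

```python
import struct

# Byte patterns taken from the rule quoted above.
# Header pattern at offset 2: flags 0x0100 (RD), QDCOUNT 1, ANCOUNT/NSCOUNT/ARCOUNT 0.
HEADER_PATTERN = bytes.fromhex("01000001000000000000")
# Wire-format QNAME for msupdate.ath.cx (length-prefixed labels, root terminator).
NAME_PATTERN = b"\x08msupdate\x03ath\x02cx\x00"

def encode_name(name: str) -> bytes:
    """DNS wire-format name: each label prefixed by its length, ending in a 0 byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_query(name: str, txid: int = 0x1234, edns: bool = False) -> bytes:
    """Constructed A/IN query for `name`.
    With edns=True an OPT pseudo-RR is appended and ARCOUNT is set to 1, as a
    forwarding resolver that speaks EDNS0 is assumed to do (assumption, not
    verified against any particular pfSense build)."""
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    # OPT RR: root name, TYPE 41, UDP payload size 4096, TTL 0, RDLENGTH 0.
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0) if edns else b""
    return header + question + opt

def rule_matches(payload: bytes) -> bool:
    """Model of the rule's content logic on the UDP payload:
    1) content A with offset:2 depth:10 -> the 10 bytes at [2:12] must equal it;
    2) content B with nocase and distance:0 -> found anywhere after content A."""
    if payload[2:2 + len(HEADER_PATTERN)] != HEADER_PATTERN:
        return False
    cursor = 2 + len(HEADER_PATTERN)
    return NAME_PATTERN.lower() in payload[cursor:].lower()

if __name__ == "__main__":
    for label, pkt in [("client query", build_query("msupdate.ath.cx")),
                       ("forwarded query with EDNS0", build_query("msupdate.ath.cx", edns=True))]:
        print(f"{label}: {'ALERT' if rule_matches(pkt) else 'no match'}")
```

Capturing the actual WAN-side query (for example with a packet capture on the WAN interface) and comparing bytes 2 through 11 against the header pattern confirms or rules out this cause; Pass List entries and $HOME_NET can then be checked separately.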