Snort preprocessor code issue


I was browsing through the code of the DNS dynamic preprocessor (spp_dns.c) of Snort 2.9.x.

Objective

To count the number of DNS queries that my machine makes to a DNS server (it may be local or remote; it doesn't matter).

Problem

Right now, the DNS dynamic preprocessor is able to track responses coming from the DNS server to my machine; however, it is not able to track or see the DNS queries that my machine makes.

Steps Taken

I have added some code in the ProcessDNS() function in spp_dns.c.

    if(p->src_port==53) printf("DNS Response\n");
    if(p->dst_port==53) printf("DNS Request\n");

After adding this, I run make and make install, and then use nslookup to issue a DNS query from the same machine running Snort.

However, I never see "DNS Request" printed on the console, only the output for DNS responses. Also, if (direction == DNS_DIR_FROM_CLIENT) is never satisfied.

I also added 2 rules in local.rules to generate alerts when DNS queries are sent from client to server and when DNS responses come back from the server.

Alerts are never generated for DNS queries, only for DNS responses.

I have checked that the above procedure works successfully on other systems, but I am at a total loss as to what the problem could be on my system. I have shared the code snippet below.

    /* Fragment from inside ProcessDNS(); count and direction come from the surrounding code. */
    p = (SFSnortPacket *) packetPtr;
    if (p) {
        count++;
        printf("%d packets arrived\n", count);

        /* Port checks kept inside the NULL check so p is never dereferenced when NULL. */
        if (p->src_port == 53) printf("DNS Response\n");
        if (p->dst_port == 53) printf("DNS Reqqq\n");
    }

    if (direction == DNS_DIR_FROM_CLIENT)
    {
        printf("DNS packet from client\n");
    }

It would be great if someone could point out the issue. Thanks.
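Separately from the port comparisons in the post, a DNS message states in its own header whether it is a query or a response (the QR bit, RFC 1035 section 4.1.1). The following is an added example, not code from the original post or from Snort: it counts queries and responses from raw DNS payload bytes, and all names in it (`dns_classify`, `dns_count`, `dns_demo`, the sample arrays) are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names; not part of spp_dns.c or the Snort API. */
enum dns_kind { DNS_TRUNCATED = -1, DNS_QUERY = 0, DNS_RESPONSE = 1 };

struct dns_counts { unsigned queries, responses, truncated; };

/* Classify a DNS message (the UDP payload) by its QR bit: the top bit
 * of the third header byte. 0 = query, 1 = response. */
enum dns_kind dns_classify(const uint8_t *payload, size_t len)
{
    if (payload == NULL || len < 12)   /* fixed DNS header is 12 bytes */
        return DNS_TRUNCATED;
    return (payload[2] & 0x80) ? DNS_RESPONSE : DNS_QUERY;
}

/* Update the running counters for one payload. */
void dns_count(struct dns_counts *c, const uint8_t *payload, size_t len)
{
    switch (dns_classify(payload, len)) {
    case DNS_QUERY:    c->queries++;   break;
    case DNS_RESPONSE: c->responses++; break;
    default:           c->truncated++; break;
    }
}

/* Constructed sample headers (12 bytes each), not captured traffic. */
static const uint8_t sample_query[12]    = {0x12,0x34, 0x01,0x00, 0,1, 0,0, 0,0, 0,0};
static const uint8_t sample_response[12] = {0x12,0x34, 0x81,0x80, 0,1, 0,1, 0,0, 0,0};

struct dns_counts dns_demo(void)
{
    struct dns_counts c = {0, 0, 0};
    dns_count(&c, sample_query, sizeof sample_query);
    dns_count(&c, sample_response, sizeof sample_response);
    dns_count(&c, sample_query, 5);    /* payload shorter than the header */
    return c;
}

int main(void)
{
    struct dns_counts c = dns_demo();
    printf("queries=%u responses=%u truncated=%u\n",
           c.queries, c.responses, c.truncated);
    return 0;
}
```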
