Search code examples
dnssnort

Immersivelabs Snort Rules: EP.2 - DNS - Create a Snort Rule to detect DNS requests to 'interbanx'

I'm currently working on the Snort Rules EP.2 lab in immersivelabs. I don't exactly know the entire setup since I'm new to immersivelabs in general and to Snort Rules. But essentially this is a lab coming with a Snort Rule Editor, which is part of the lab and checks if my snort rule correctly takes the packets from a pcap file and if so, gives me a token I can use to answer the lab questions (Q1-Q5).

I have completed all the questions except for Q4. I managed to get the tokens for all the previous questions, but I'm stuck on this one.

For Q3 (which asks to create a rule to detect DNS requests to 'icanhazip'), I used the following rule:

alert udp any any -> any 53 (msg:"alert"; content:"|09|icanhazip|03|com|00|"; sid:5000010;)

This worked perfectly. So, for Q4 (where the task is to detect DNS requests to 'interbanx'), I thought I could simply adjust the domain in the content field, like this:

alert udp any any -> any 53 (msg:"alert"; content:"|09|interbanx|03|com|00|"; sid:5000011;)

However, this doesn't seem to work, and I keep getting the message: "Your rule did not match any packets in the pcap for question 4."

The domain length is the same for both *icanhazip *and interbanx, so I expected just changing the domain name would work. Is there some difference between the DNS queries for these two domains that I'm missing?

Can I inspect the pcap file in Wireshark to see what’s different and adjust my rule accordingly? Any guidance would be really appreciated! Asking me questions about the setup might help me as well since I might find out something I didn't know yet and solve the problem that way. Thank you in advance!

What I have tried so far:

alert udp any any -> any 53 (msg:"alert"; content:"|09|interbanx|03|com|00|"; sid:5000011; nocase;)

screenshot from immersivelabs showing snort rule editor with rule for lab question 4

alert udp any any -> any 53 (msg:"alert"; content:"|09 69 6e 74 65 72 62 61 6e 78 03 63 6f 6d 00|"; sid:5000011; nocase;)

(I started to get desperate):

alert udp any any <> any 53 (msg:"alert"; content:"|09|interbanx|03|com|00|"; sid:5000011; nocase;)

alert tcp any any -> any 53 (msg:"alert"; content:"|09|interbanx|03|com|00|"; sid:5000011; nocase;)

alert ip any any -> any 53 (msg:"alert"; content:"|09|interbanx|03|com|00|"; sid:5000011; nocase;)

alert ip any any <> any 53 (msg:"alert"; content:"|09|interbanx|03|com|00|"; sid:5000011; nocase;)
Solution

  • I was able to solve it.

    Looking at the .pcap and the DNS requests made I saw that the URL of interbanx isn't interbanx.com, its interbanx.co.id

    enter image description here

    Using that information we can adjust the snort rule to:

    alert udp any any -> any 53 (msg:"alert"; content: "|09|interbanx|02|co|02|id|00|"; sid:1000001;)

    Which works.