Snort Analyser
First select your Wireshark trace:
Trace name: /log/dnslookup.zip
Snort Output
The Snort output for this trace (alert.ids) is:

[**] [1:9000000:0] DNS Request Detected [**]
[Priority: 0]
01/02-22:09:31.299017 192.168.0.20:63226 -> 192.168.0.1:53
UDP TTL:128 TOS:0x0 ID:1494 IpLen:20 DgmLen:70
Len: 42

[**] [1:9000001:0] DNS Reply Detected [**]
[Priority: 0]
01/02-22:09:31.335924 192.168.0.1:53 -> 192.168.0.20:63226
UDP TTL:64 TOS:0x0 ID:1869 IpLen:20 DgmLen:120 DF
Len: 92

[**] [1:9000000:0] DNS Request Detected [**]
[Priority: 0]
01/02-22:09:31.364710 192.168.0.20:63227 -> 192.168.0.1:53
UDP TTL:128 TOS:0x0 ID:1495 IpLen:20 DgmLen:59
Len: 31

[**] [1:9000001:0] DNS Reply Detected [**]
[Priority: 0]
01/02-22:09:31.439333 192.168.0.1:53 -> 192.168.0.20:63227
UDP TTL:64 TOS:0x0 ID:1870 IpLen:20 DgmLen:533 DF
Len: 505

[**] [1:9000000:0] DNS Request Detected [**]
[Priority: 0]
01/02-22:09:31.440961 192.168.0.20:63228 -> 192.168.0.1:53
UDP TTL:128 TOS:0x0 ID:1496 IpLen:20 DgmLen:59
Len: 31

[**] [1:9000001:0] DNS Reply Detected [**]
[Priority: 0]
01/02-22:09:31.541626 192.168.0.1:53 -> 192.168.0.20:63228
UDP TTL:64 TOS:0x0 ID:1871 IpLen:20 DgmLen:285 DF
Len: 257
Rules file
alert udp any any -> any 53 (msg:"DNS Request Detected"; sid:9000000;)
alert udp any 53 -> any any (msg:"DNS Reply Detected"; sid:9000001;)
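The alert output above is Snort's "full" alert format: a five-line record per event (rule header with gid:sid:rev and message, priority, timestamp and flow, IP header fields, payload length). The following is an added example, not part of this page or of Snort, that parses those records and then pairs each "DNS Request Detected" alert with the reply sent back to the same client port, which is how an analyst turns a flat alert list into per-transaction facts (round-trip time, reply size, unanswered requests). The sample text is the six alerts shown above; the sid values 9000000 and 9000001 are the ones from the rules file; the year is absent from Snort's timestamps, so the parser only uses them for differences.

```python
import re
from collections import Counter
from datetime import datetime

# The six alert records from this page's alert.ids output, in Snort "full" format.
SAMPLE_ALERTS = """\
[**] [1:9000000:0] DNS Request Detected [**]
[Priority: 0]
01/02-22:09:31.299017 192.168.0.20:63226 -> 192.168.0.1:53
UDP TTL:128 TOS:0x0 ID:1494 IpLen:20 DgmLen:70
Len: 42

[**] [1:9000001:0] DNS Reply Detected [**]
[Priority: 0]
01/02-22:09:31.335924 192.168.0.1:53 -> 192.168.0.20:63226
UDP TTL:64 TOS:0x0 ID:1869 IpLen:20 DgmLen:120 DF
Len: 92

[**] [1:9000000:0] DNS Request Detected [**]
[Priority: 0]
01/02-22:09:31.364710 192.168.0.20:63227 -> 192.168.0.1:53
UDP TTL:128 TOS:0x0 ID:1495 IpLen:20 DgmLen:59
Len: 31

[**] [1:9000001:0] DNS Reply Detected [**]
[Priority: 0]
01/02-22:09:31.439333 192.168.0.1:53 -> 192.168.0.20:63227
UDP TTL:64 TOS:0x0 ID:1870 IpLen:20 DgmLen:533 DF
Len: 505

[**] [1:9000000:0] DNS Request Detected [**]
[Priority: 0]
01/02-22:09:31.440961 192.168.0.20:63228 -> 192.168.0.1:53
UDP TTL:128 TOS:0x0 ID:1496 IpLen:20 DgmLen:59
Len: 31

[**] [1:9000001:0] DNS Reply Detected [**]
[Priority: 0]
01/02-22:09:31.541626 192.168.0.1:53 -> 192.168.0.20:63228
UDP TTL:64 TOS:0x0 ID:1871 IpLen:20 DgmLen:285 DF
Len: 257
"""

# One regex per line of the five-line record.
HEADER_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")
PRIO_RE = re.compile(r"\[Priority: (\d+)\]")
FLOW_RE = re.compile(r"(\d\d/\d\d)-(\d\d:\d\d:\d\d\.\d+) (\S+?):(\d+) -> (\S+?):(\d+)")
IP_RE = re.compile(r"(\w+) TTL:(\d+) TOS:0x([0-9A-Fa-f]+) ID:(\d+) IpLen:(\d+) DgmLen:(\d+)(?: (DF))?")
LEN_RE = re.compile(r"Len: (\d+)")


def parse_alerts(text):
    """Split Snort full-format alert output into one dict per alert record."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) < 5:
            raise ValueError("truncated alert record:\n" + block)
        hdr, prio, flow, ip, ln = (rx.fullmatch(line) for rx, line in
                                   zip((HEADER_RE, PRIO_RE, FLOW_RE, IP_RE, LEN_RE), lines))
        if not (hdr and prio and flow and ip and ln):
            raise ValueError("unrecognised alert record:\n" + block)
        mmdd, hms, src, sport, dst, dport = flow.groups()
        # Snort omits the year; the parsed datetime is only used for time deltas.
        ts = datetime.strptime(f"{mmdd}-{hms}", "%m/%d-%H:%M:%S.%f")
        alerts.append({
            "gid": int(hdr.group(1)), "sid": int(hdr.group(2)), "rev": int(hdr.group(3)),
            "msg": hdr.group(4), "priority": int(prio.group(1)), "time": ts,
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
            "proto": ip.group(1), "ttl": int(ip.group(2)), "ip_id": int(ip.group(4)),
            "dgmlen": int(ip.group(6)), "df": ip.group(7) == "DF", "len": int(ln.group(1)),
        })
    return alerts


def count_by_sid(alerts):
    """How many times each rule (sid) fired."""
    return Counter(a["sid"] for a in alerts)


def pair_dns_transactions(alerts, request_sid=9000000, reply_sid=9000001):
    """Match each request to the reply addressed back to the same client port.
    Returns (pairs, unanswered): per-transaction round-trip and reply size,
    plus any requests that never got a reply within the alert stream."""
    pending, pairs = {}, []
    for a in alerts:
        if a["sid"] == request_sid:
            pending[(a["src"], a["sport"])] = a
        elif a["sid"] == reply_sid:
            req = pending.pop((a["dst"], a["dport"]), None)
            if req is not None:
                rtt = (a["time"] - req["time"]).total_seconds()
                pairs.append({"client_port": a["dport"], "rtt_s": round(rtt, 6),
                              "request_len": req["len"], "reply_len": a["len"]})
    return pairs, list(pending.values())


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    print(dict(count_by_sid(parsed)))
    for p in pair_dns_transactions(parsed)[0]:
        print(p)
```

The pairing key is the client's source port, because with the two rules shown every reply is matched only by its destination port 53 side being reversed; nothing in the alert text identifies the DNS transaction ID. The request/reply size ratio in the pairs (31-byte queries answered with 505- and 257-byte replies here) is the kind of per-transaction figure that is useful to keep alongside the raw alert count when reviewing DNS traffic.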
Examples
You can use Snort as a stand-alone analyser with the "-r" option, which reads packets from a capture file instead of a live interface. The following traces can be used with Snort:
- Trace with Hydra FTP crack/Bad Login
- Trace with Hydra Telnet crack
- Trace with Port Scan
- Trace with SYN Flood (DoS)
- Trace with FIN Flood (DoS)
- Trace with PDF file
- Trace with GIF file
- Trace with PNG file
- Trace with email attachments (MIME)
- Trace with email addresses
- Trace with credit card details
- Trace with DNS
- Trace with Ping sweep
- Trace with SNMP
- Trace with ARP Spoof
- Trace with Heartbleed
- Teardrop DoS
- Bittorrent