01-27-2004 10:17 AM - edited 03-09-2019 06:14 AM
I need to write a signature that will allow me to detect a specific modification to DNS servers. Specifically, I have a manually entered MX record that keeps 'mysteriously' disappearing. Let's suppose the MX record is for mx.mymail.com....
How would I craft a signature to look for this information in packets destined to/from a given name server?
After I have the signature, I intend to log the subsequent traffic to decipher what is going on.
Thanks in advance!
01-27-2004 11:57 AM
Hmm, I'd be really concerned if your MX records keep disappearing first of all. I'm guessing from your message that you'd like a signature to detect someone accessing an MX record for the host 'mx.mymail.com' or domain 'mymail.com', which would be more common. To do this you'll need to use a combination of STRING.UDP and event filters.
Engine STRING.UDP
Direction ToService
ServicePorts 53
RegexString \x06[Mm][Yy][Mm][Aa][Ii][Ll]\x03[Cc][Oo][Mm]\x00\x00\x0F\x00\x01
This should detect all MX queries for email destined to the 'mymail.com' domain. To limit this to specific nameservers, create some event filters for the signature with the nameservers as the destinations. For 4.x, be sure to enable the CapturePacket parameter also.
01-28-2004 07:11 AM
If you don't mind..... could you elaborate on the Hex portions of this regex?
Thanks!
01-28-2004 07:53 AM
The \x06 and \x03 bits are the length separators in the domain name (where the periods go) terminated by a null (\x00). The \x00\x0F means it's an MX request. The last \x00\x01 means it is an 'inet' type request.
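To see why those bytes line up, here is an added example (not from this thread) that builds a constructed DNS query in wire format, decodes the question section, and runs the signature's regex over the packet the way the STRING.UDP engine would; it assumes Python's re semantics match the IDS engine's for this simple pattern.

```python
import re
import struct

# The regex from the thread as a Python bytes pattern:
# \x06 mymail \x03 com \x00 (root label), then QTYPE 0x000F (MX) and QCLASS 0x0001 (IN).
MX_MYMAIL_RE = re.compile(
    rb"\x06[Mm][Yy][Mm][Aa][Ii][Ll]\x03[Cc][Oo][Mm]\x00\x00\x0F\x00\x01"
)

def build_dns_query(name: str, qtype: int, qclass: int = 1, txid: int = 0x1234) -> bytes:
    """Constructed DNS query (12-byte header + one question) as a resolver sends it to UDP/53."""
    # ID, flags (RD set), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # Each label is prefixed by its length; these length bytes are the \x06 and \x03 in the regex.
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.rstrip(".").split("."))
    qname += b"\x00"  # zero-length root label terminates the name
    return header + qname + struct.pack(">HH", qtype, qclass)

def parse_question(packet: bytes) -> tuple:
    """Decode the first question into (name, qtype, qclass) to show where each field sits."""
    pos = 12  # skip the fixed-size header
    labels = []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        labels.append(packet[pos:pos + length].decode())
        pos += length
    qtype, qclass = struct.unpack(">HH", packet[pos:pos + 4])
    return ".".join(labels), qtype, qclass

def matches_signature(packet: bytes) -> bool:
    """True when the packet contains an MX/IN question ending in the labels mymail.com."""
    return MX_MYMAIL_RE.search(packet) is not None
```

Note that because the pattern is anchored only on the trailing labels, an MX query for mx.mymail.com (\x02mx\x06mymail\x03com...) also fires, while an A query for mymail.com does not.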