Forum Discussion
Help with Snort Rules: Fake Tech Support Popup
- 19 days ago
Hmm, it could be that you need to tell snort to search for "content:site.topwebsite4.xyz" rather than just a "msg:"?
'content: ...' requires me to go into the pcap file and find the DNS query. I did that and used the hex I found there to try to search for content, and now I only get 1 result, which is now too few.
edit:
I changed my rule to :
alert ip any any <> any 53 (msg:"site.topwebsite4.xyz"; content:"|04 73|"; sid:4000010; rev:8;)
Using the content from the start of the hex I got from the pcap, I got new results, and while there were still too many, one of them gave me the correct port for question 8: when port xxxxx asked "did you mean xxxxy", it gave me the correct answer, so I must be on the right track.... I think.
edit2:
The port was the issue. Changing it to any and running the original rule again with the content as you suggested gave me the correct rule. I'm still curious as to why whenever I tried content before, it would either give me a syntax error or 0 results unless I used the hex, but it very well could just be user error.
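An added worked example, not part of this thread or of Snort itself, showing why a `content:` match on a DNS query behaves the way the posts describe. On the wire a DNS name is not sent as dotted text: each label is prefixed by a one-byte length and the name ends with a zero byte, so `site.topwebsite4.xyz` appears in the packet as `04 'site' 0b 'topwebsite4' 03 'xyz' 00`. A content match on the literal string with dots therefore finds nothing, while `|04 73|` (length 4 followed by `s`) matches every query whose first label is four characters starting with `s`, which is why it produced too many hits. The script builds constructed DNS query packets offline, implements a small parser for Snort's `|hex|` content notation, and prints the fully qualified content pattern you would put in the rule. The packet builder, the matcher and the helper names are all this example's own assumptions; Snort's real content matcher has more options (offsets, `nocase`, `fast_pattern`) than this minimal substring check.

```python
import struct

# Constructed sample data: the query name from the thread plus a decoy whose
# first label also happens to be four characters starting with "s".
TARGET_NAME = "site.topwebsite4.xyz"
DECOY_NAME = "some.other.example"


def encode_dns_name(name: str) -> bytes:
    """Encode a dotted name as DNS wire-format labels: <len><label>...<0x00>."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label length: {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dns_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a minimal DNS query payload (header + one question), as a resolver
    would send it over UDP/53. qtype 1 = A, class 1 = IN, flags 0x0100 = RD."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_dns_name(name) + struct.pack("!HH", qtype, 1)
    return header + question


def parse_snort_content(spec: str) -> bytes:
    """Turn a Snort content value (quotes removed) into raw bytes.
    Text outside |...| is literal ASCII; text inside is hex, spaces allowed."""
    parts = spec.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content spec")
    out = bytearray()
    for i, part in enumerate(parts):
        out += part.encode("ascii") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def content_matches(payload: bytes, spec: str, nocase: bool = False) -> bool:
    """Minimal stand-in for Snort's content: a substring search on the payload."""
    needle = parse_snort_content(spec)
    if nocase:
        return needle.lower() in payload.lower()
    return needle in payload


def dns_content_for(name: str) -> str:
    """Snort content spec that matches exactly this name in DNS wire format,
    e.g. |04|site|0b|topwebsite4|03|xyz|00|. The trailing |00| pins the end
    of the name so a longer name with the same prefix does not match."""
    pieces = [f"|{len(label):02x}|{label}" for label in name.rstrip(".").split(".")]
    return "".join(pieces) + "|00|"


def snort_rule_for(name: str, sid: int) -> str:
    """Assumed rule text for a UDP/53 query for `name`; ports left as any on the
    client side because the source port of a DNS query is ephemeral."""
    return (f'alert udp any any -> any 53 (msg:"DNS query for {name}"; '
            f'content:"{dns_content_for(name)}"; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    target = build_dns_query(TARGET_NAME)
    decoy = build_dns_query(DECOY_NAME)
    print("wire-format name:", encode_dns_name(TARGET_NAME).hex(" "))
    for spec in [TARGET_NAME, "|04 73|", dns_content_for(TARGET_NAME)]:
        print(f"{spec!r:45} target={content_matches(target, spec)} "
              f"decoy={content_matches(decoy, spec)}")
    print(snort_rule_for(TARGET_NAME, 4000010))
```

Running it shows the three cases side by side: the dotted literal matches neither packet, `|04 73|` matches both the target and the decoy, and the full length-prefixed pattern matches only the target. Note that this covers the plain (uncompressed) encoding used in the question section of a query; name compression pointers in responses are a separate case.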