Using payload meta and analyzing DNS requests

Question asked by KEVIN DIENST on Mar 31, 2016
Latest reply on Feb 10, 2017 by Christopher Ahearn

Original Thread: Searching for a specific packet size

I have a use case to monitor DNS payloads for irregularities.

Is it possible and appropriate to use the following app rule syntax to find any DNS packet/session where the payload is over 100 bytes? (Per the IETF, the maximum DNS payload per protocol is 512 bytes.)


service = '53' && payload = 100-u

I see the info above in the thread about using tag = l-10000 for less than 10k, but I am not sure of the format for greater than.
Thanks for your help!
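Added example, not from the original thread or from the NetWitness product: a small Python check that parses constructed DNS query messages and applies the same "payload over N bytes" test the question describes, also reporting whether a message exceeds the 512-byte classic UDP limit mentioned above. The threshold value and the sample query names are assumptions made for the example.

```python
import struct

DNS_UDP_LIMIT = 512   # classic UDP payload limit (RFC 1035); larger needs EDNS0 or TCP
THRESHOLD = 100       # alert threshold from the question (assumption for this example)

def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A/IN query. Constructed test input, not captured traffic."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_qname(msg: bytes, off: int):
    """Read an uncompressed name starting at offset `off`; return (name, next_offset)."""
    parts = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(parts), off + 1
        if n & 0xC0:
            # Compression pointers are not valid in a question name; treat as malformed.
            raise ValueError("compressed label in question section")
        parts.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n

def inspect(msg: bytes, threshold: int = THRESHOLD) -> dict:
    """Return size facts about one DNS message plus the 'payload over threshold' verdict."""
    if len(msg) < 12:
        raise ValueError("shorter than the 12-byte DNS header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    qname = parse_qname(msg, 12)[0] if qdcount else ""
    size = len(msg)
    return {
        "txid": txid,
        "qname": qname,
        "size": size,
        "over_threshold": size > threshold,        # what the app rule is meant to catch
        "exceeds_udp_limit": size > DNS_UDP_LIMIT,  # only legal with EDNS0 or over TCP
    }

def flag_messages(messages, threshold: int = THRESHOLD):
    """Apply the threshold rule to a batch; return the names of the flagged queries."""
    return [r["qname"] for r in (inspect(m, threshold) for m in messages)
            if r["over_threshold"]]
```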