
Using payload meta and analyzing DNS requests

Question asked by KEVIN DIENST on Mar 31, 2016
Latest reply on Feb 10, 2017 by Christopher Ahearn

Original Thread: Searching for a specific packet size


I have a use case to monitor DNS payloads for irregularities.


Is it possible and appropriate to use the following app rule syntax to find any DNS packet/session where the payload is over 100 bytes? (Per IETF, the max DNS payload per protocol is 512 bytes.)


service = '53' && payload = 100-u


I see the info above in the thread about using tag = l-10000 for less than 10k, but I'm not sure of the format for greater than.


Thanks for your help!
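Added example, not from this thread and not NetWitness code: a small stand-alone Python check that builds constructed DNS query messages, measures the DNS message size (the bytes after the UDP header), and flags any over a 100-byte cutoff and over the 512-byte classic limit the question cites. It assumes raw DNS message bytes are available; the query names are constructed test data.

```python
import struct

DNS_CLASSIC_MAX = 512  # classic UDP DNS message limit cited in the question


def build_dns_query(qname: str, txid: int = 0x1234) -> bytes:
    """Construct a minimal DNS query (header + one A/IN question). Test data only."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # 12-byte header, RD set
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_qname(msg: bytes) -> str:
    """Read the first question name from a DNS message (queries carry no compression pointers)."""
    pos, parts = 12, []
    while msg[pos] != 0:
        length = msg[pos]
        pos += 1
        parts.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return ".".join(parts)


def check_dns_payload(msg: bytes, threshold: int = 100) -> dict:
    """Size a DNS message and flag it against the cutoff (the '100 bytes and up' idea)
    and against the 512-byte classic limit, returning the qname for triage."""
    size = len(msg)
    return {
        "qname": parse_qname(msg),
        "payload_bytes": size,
        "over_threshold": size > threshold,
        "over_classic_max": size > DNS_CLASSIC_MAX,
    }


def oversized_queries(messages, threshold: int = 100) -> list:
    """Return the check results for only those messages that exceed the threshold."""
    return [r for r in (check_dns_payload(m, threshold) for m in messages) if r["over_threshold"]]


if __name__ == "__main__":
    # Constructed samples: an ordinary lookup and one with unusually long labels.
    samples = [
        build_dns_query("example.com"),
        build_dns_query("x" * 60 + "." + "y" * 60 + ".example.test"),
    ]
    for hit in oversized_queries(samples):
        print(hit)
```

Only the second constructed query is reported (152 bytes), which shows a 100-byte cutoff catches long-name queries well before the 512-byte limit is reached.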
