Detect Protocol Mismatch

The following example illustrates how to detect non-DNS traffic on port 53. Normally, only DNS or Kerberos (krb5) should show up on port 53, so any other application identified on a flow to that port is flagged as a protocol mismatch.

    -- Rule: flag flows to destination port 53 whose identified application
    -- is neither DNS nor Kerberos (krb5).
    function flow_proto_mismatch_53 (dpiMsg, ruleEngine)
        -- Only flows whose destination port is 53 are of interest.
        local port_dst = GetInt(dpiMsg, 'internal', 'destport')
        if port_dst ~= 53 then
            return false
        end

        -- Applications that are legitimately seen on port 53.
        local apps = {dns=true, krb5=true}

        -- Most recent application classification for this flow. Note that
        -- apps[nil] is nil, so a flow with no identified application yet
        -- is also treated as a mismatch.
        local my_application = GetLatestApplication(dpiMsg)

        if not apps[my_application] then
            -- Tag the flow and raise a medium-severity alarm.
            SetCustomField(dpiMsg, "proto_mismatch", '53')
            TriggerUserAlarm(dpiMsg, ruleEngine, 'medium')
        end
    end
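The same check, reimplemented in Python over constructed flow records so the logic can be run and tested offline. This is an added example, not code from the original page or its rule engine; the record layout (`destport`, `application`) and the alert dict format are assumptions, and the port-to-application table is kept pluggable so the rule can be extended beyond port 53.

```python
# Added example (not from the original page): port-53 protocol mismatch
# detection over constructed flow records. Field names are assumptions.
from typing import Iterable, Optional

# Port -> set of application labels that are legitimate on that port.
# Port 53 with dns/krb5 is the case the page describes.
EXPECTED_APPS = {53: {"dns", "krb5"}}


def check_flow(flow: dict, expected=EXPECTED_APPS) -> Optional[dict]:
    """Return an alert dict for a protocol mismatch, or None.

    flow is a constructed record: {"destport": int, "application": str|None}.
    A flow on a watched port with no identified application is treated as a
    mismatch, matching the Lua rule, where apps[nil] evaluates to nil.
    """
    port = flow.get("destport")
    allowed = expected.get(port)
    if allowed is None:
        return None  # port not watched by this rule (the Lua early return)
    app = flow.get("application")
    if app in allowed:
        return None
    return {
        "custom_field": {"proto_mismatch": str(port)},
        "severity": "medium",
        "destport": port,
        "application": app,
    }


def scan_flows(flows: Iterable[dict], expected=EXPECTED_APPS) -> list:
    """Apply check_flow to every record and collect the alerts."""
    return [a for a in (check_flow(f, expected) for f in flows) if a]


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    {"destport": 53, "application": "dns"},    # normal DNS
    {"destport": 53, "application": "krb5"},   # Kerberos, allowed on 53
    {"destport": 53, "application": "http"},   # non-DNS traffic on 53
    {"destport": 53, "application": None},     # nothing identified yet
    {"destport": 443, "application": "ssh"},   # not watched by this rule
]

if __name__ == "__main__":
    for alert in scan_flows(SAMPLE_FLOWS):
        print(alert)
```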