The goal of the rule is to detect DNS queries for youtube.com, which is simple enough. I will match on the hex value of the content. It is crucial to understand how the payload is encapsulated within the packet before writing any rules. A quick packet capture while browsing YouTube, filtered for DNS queries, will show the target packet we are looking for.
As per the packet capture, the hex value for the DNS query is "77 77 77 07 79 6f 75 74 75 62 65 03 63 6f 6d" (the ASCII bytes of "www", then a 0x07 label-length byte and "youtube", then a 0x03 label-length byte and "com"). Hex content is identified by a pair of pipes ("| |") surrounding the actual hex bytes to be matched. Based on that hex value, the rule is as follows.
alert udp any any -> any 53 (msg:"Youtube - DNS Query"; content:"|77 77 77 07 79 6f 75 74 75 62 65 03 63 6f 6d|"; sid:1000002; rev:1;)
02/04-11:36:55.226182 [**] [1:1000002:0] ”Youtube - DNS Query” [**] [Priority: 0] {UDP} X.X.X.X:8120 -> 8.8.8.8:53
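To see why those bytes appear in the payload, and how tightly the rule's pattern actually fits, here is an added example (not part of the original post) that builds DNS queries in wire format, decodes the QNAME back out of the packet, and applies the same byte pattern the rule uses. The queries, transaction ID and the "tight" pattern that also anchors on the 0x03 length byte before "www" and the 0x00 terminator are constructed for illustration.

```python
import struct

# The bytes the Snort rule matches: "www" + 0x07 "youtube" + 0x03 "com".
RULE_PATTERN = bytes.fromhex("77 77 77 07 79 6f 75 74 75 62 65 03 63 6f 6d")


def encode_qname(name: str) -> bytes:
    """Encode a domain name as DNS wire-format labels: length byte + label, ending in 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal standard A query (RD set, one question) as it sits in the UDP payload."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # ID, flags, QD=1, AN/NS/AR=0
    question = encode_qname(name) + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def decode_qname(payload: bytes, offset: int = 12) -> str:
    """Read the QNAME that follows the 12-byte DNS header (no compression pointers in a query)."""
    labels = []
    while True:
        length = payload[offset]
        if length == 0:
            break
        labels.append(payload[offset + 1 : offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels)


def rule_matches(payload: bytes) -> bool:
    """Same check the rule's content option performs: is the byte pattern anywhere in the payload?"""
    return RULE_PATTERN in payload


def tight_pattern_matches(payload: bytes) -> bool:
    """Constructed stricter pattern: includes the 0x03 before 'www' and the terminating 0x00,
    so names that merely contain www.youtube.com as a substring no longer match."""
    return encode_qname("www.youtube.com") in payload


if __name__ == "__main__":
    pkt = build_dns_query("www.youtube.com")
    print(encode_qname("www.youtube.com").hex(" "))  # the bytes seen in the capture, plus 03 ... 00
    print(decode_qname(pkt), rule_matches(pkt), tight_pattern_matches(pkt))
```

Running the block shows that the page's pattern also fires on a query such as www.youtube.com.example.net, while the pattern that includes the label-length prefix and terminator fires only on the exact name.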