Snort Signatures for TLD DNS packetsMuch thanx to Cody Hatch for all the hard work in building and testing these. These signatures require Snort version 2.3 or later. Feedback on these would be greatly appreciated as well. alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"com DNS cache poison"; content:!"TLD-SERVERS"; nocase; offset:10; depth:50; content:"|c0|"; content:"|00 02|"; distance:1; within:2; byte_jump:1,-3,relative,from_beginning; content:"|03|com|00|"; nocase; within:5; classtype:misc-attack; sid:1600; rev:3;)\ alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"net DNS cache poison"; content:!"TLD-SERVERS"; nocase; offset:10; depth:50; content:"|c0|"; content:"|00 02|"; distance:1; within:2; byte_jump:1,-3,relative,from_beginning; content:"|03|net|00|"; nocase; within:5; classtype:misc-attack; sid:1600; rev:3;)\ alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"org DNS cache poison"; content:!"TLD-SERVERS"; nocase; offset:10; depth:50; content:"|c0|"; content:"|00 02|"; distance:1; within:2; byte_jump:1,-3,relative,from_beginning; content:"|03|org|00|"; nocase; within:5; classtype:misc-attack; sid:1600; rev:3;)\ alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"biz DNS cache poison"; content:!"TLD-SERVERS"; nocase; offset:10; depth:50; content:"|c0|"; content:"|00 02|"; distance:1; within:2; byte_jump:1,-3,relative,from_beginning; content:"|03|biz|00|"; nocase; within:5; classtype:misc-attack; sid:1600; rev:3;)\ alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"edu DNS cache poison"; content:!"TLD-SERVERS"; nocase; offset:10; depth:50; content:"|c0|"; content:"|00 02|"; distance:1; within:2; byte_jump:1,-3,relative,from_beginning; content:"|03|edu|00|"; nocase; within:5; classtype:misc-attack; sid:1600; rev:3;)\ alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"gov DNS cache poison"; content:!"TLD-SERVERS"; nocase; offset:10; depth:50; content:"|c0|"; content:"|00 02|"; distance:1; within:2; byte_jump:1,-3,relative,from_beginning; content:"|03|gov|00|"; nocase; within:5; classtype:misc-attack; sid:1600; rev:3;)\ alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"int DNS cache poison"; content:!"TLD-SERVERS"; nocase; offset:10; depth:50; content:"|c0|"; content:"|00 02|"; distance:1; within:2; byte_jump:1,-3,relative,from_beginning; content:"|03|int|00|"; nocase; within:5; classtype:misc-attack; sid:1600; rev:3;)\ alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"mil DNS cache poison"; content:!"TLD-SERVERS"; nocase; offset:10; depth:50; content:"|c0|"; content:"|00 02|"; distance:1; within:2; byte_jump:1,-3,relative,from_beginning; content:"|03|mil|00|"; nocase; within:5; classtype:misc-attack; sid:1600; rev:3;)\ alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"info DNS cache poison"; content:!"TLD-SERVERS"; nocase; offset:10; depth:50; content:"|c0|"; content:"|00 02|"; distance:1; within:2; byte_jump:1,-3,relative,from_beginning; content:"|04|info|00|"; nocase; within:6; classtype:misc-attack; sid:1600; rev:3;)\ alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"name DNS cache poison"; content:!"TLD-SERVERS"; nocase; offset:10; depth:50; content:"|c0|"; content:"|00 02|"; distance:1; within:2; byte_jump:1,-3,relative,from_beginning; content:"|04|name|00|"; nocase; within:6; classtype:misc-attack; sid:1600; rev:3;)\ alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"pro DNS cache poison"; content:!"TLD-SERVERS"; nocase; offset:10; depth:50; content:"|c0|"; content:"|00 02|"; distance:1; within:2; byte_jump:1,-3,relative,from_beginning; content:"|03|pro|00|"; nocase; within:5; classtype:misc-attack; sid:1600; rev:3;)\ Again, many props to Cody Hatch for the work on this one. New Adobe Acrobat Reader VulnerabilityNISCC has reported that Acrobat Reader contains a vulnerability which, when executed, could allow an attacker to discover local files. Yes, we know the advisory is a PDF, this isn't an April Fools joke. Thanx Adrien for the update, http://www.niscc.gov.uk/niscc/docs/re-20050401-00264.pdf More Port 1025 activityWe are still seeing TCP 1025 traffic, with a new report submitted today from Michael Cloppert. His report showed a spike from external sources, in excess of 10,000 hosts. If anybody has captures of TCP 1025 traffic it would greatly help in our analysis. DNS and the futureGiven the current activity with DNS Cache poisoning that we are dealing with, it was suggested by one of the Handlers that this might be some good reading. (It *is* good reading, highly recommend it) http://www.nap.edu/execsumm_pdf/11258.pdf |
Tony 150 Posts ISC Handler Apr 2nd 2005 |
Thread locked Subscribe |
Apr 2nd 2005 1 decade ago |
Sign Up for Free or Log In to start participating in the conversation!