Snort Signatures for TLD DNS packets

Much thanx to Cody Hatch for all the hard work in building and testing these. These signatures require Snort version 2.3 or later. Feedback on these would be greatly appreciated as well.

alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"com DNS cache poison"; content:!"TLD-SERVERS"; nocase; offset:10; depth:50; content:"|c0|"; content:"|00 02|"; distance:1; within:2; byte_jump:1,-3,relative,from_beginning; content:"|03|com|00|"; nocase; within:5; classtype:misc-attack; sid:1600; rev:3;)\

alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"net DNS cache poison"; content:!"TLD-SERVERS"; nocase; offset:10; depth:50; content:"|c0|"; content:"|00 02|"; distance:1; within:2; byte_jump:1,-3,relative,from_beginning; content:"|03|net|00|"; nocase; within:5; classtype:misc-attack; sid:1600; rev:3;)\

alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"org DNS cache poison"; content:!"TLD-SERVERS"; nocase; offset:10; depth:50; content:"|c0|"; content:"|00 02|"; distance:1; within:2; byte_jump:1,-3,relative,from_beginning; content:"|03|org|00|"; nocase; within:5; classtype:misc-attack; sid:1600; rev:3;)\

alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"biz DNS cache poison"; content:!"TLD-SERVERS"; nocase; offset:10; depth:50; content:"|c0|"; content:"|00 02|"; distance:1; within:2; byte_jump:1,-3,relative,from_beginning; content:"|03|biz|00|"; nocase; within:5; classtype:misc-attack; sid:1600; rev:3;)\

alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"edu DNS cache poison"; content:!"TLD-SERVERS"; nocase; offset:10; depth:50; content:"|c0|"; content:"|00 02|"; distance:1; within:2; byte_jump:1,-3,relative,from_beginning; content:"|03|edu|00|"; nocase; within:5; classtype:misc-attack; sid:1600; rev:3;)\

alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"gov DNS cache poison"; content:!"TLD-SERVERS"; nocase; offset:10; depth:50; content:"|c0|"; content:"|00 02|"; distance:1; within:2; byte_jump:1,-3,relative,from_beginning; content:"|03|gov|00|"; nocase; within:5; classtype:misc-attack; sid:1600; rev:3;)\

alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"int DNS cache poison"; content:!"TLD-SERVERS"; nocase; offset:10; depth:50; content:"|c0|"; content:"|00 02|"; distance:1; within:2; byte_jump:1,-3,relative,from_beginning; content:"|03|int|00|"; nocase; within:5; classtype:misc-attack; sid:1600; rev:3;)\

alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"mil DNS cache poison"; content:!"TLD-SERVERS"; nocase; offset:10; depth:50; content:"|c0|"; content:"|00 02|"; distance:1; within:2; byte_jump:1,-3,relative,from_beginning; content:"|03|mil|00|"; nocase; within:5; classtype:misc-attack; sid:1600; rev:3;)\

alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"info DNS cache poison"; content:!"TLD-SERVERS"; nocase; offset:10; depth:50; content:"|c0|"; content:"|00 02|"; distance:1; within:2; byte_jump:1,-3,relative,from_beginning; content:"|04|info|00|"; nocase; within:6; classtype:misc-attack; sid:1600; rev:3;)\

alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"name DNS cache poison"; content:!"TLD-SERVERS"; nocase; offset:10; depth:50; content:"|c0|"; content:"|00 02|"; distance:1; within:2; byte_jump:1,-3,relative,from_beginning; content:"|04|name|00|"; nocase; within:6; classtype:misc-attack; sid:1600; rev:3;)\

alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"pro DNS cache poison"; content:!"TLD-SERVERS"; nocase; offset:10; depth:50; content:"|c0|"; content:"|00 02|"; distance:1; within:2; byte_jump:1,-3,relative,from_beginning; content:"|03|pro|00|"; nocase; within:5; classtype:misc-attack; sid:1600; rev:3;)\

Again, many props to Cody Hatch for the work on this one.

New Adobe Acrobat Reader Vulnerability

NISCC has reported that Acrobat Reader contains a vulnerability which, when executed, could allow an attacker to discover local files. Yes, we know the advisory is a PDF, this isn't an April Fools joke.

Thanx Adrien for the update,

http://www.niscc.gov.uk/niscc/docs/re-20050401-00264.pdf

More Port 1025 activity

We are still seeing TCP 1025 traffic, with a new report submitted today from Michael Cloppert. His report showed a spike from external sources, in excess of 10,000 hosts.

If anybody has captures of TCP 1025 traffic it would greatly help in our analysis.

DNS and the future

Given the current activity with DNS Cache poisoning that we are dealing with, it was suggested by one of the Handlers that this might be some good reading. (It *is* good reading, highly recommend it)

http://www.nap.edu/execsumm_pdf/11258.pdf