Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: DNS Snort Signatures; Acrobat Reader Vuln;TCP Port 1025 Traffic; Excellent DNS Article - SANS Internet Storm Center

SANS Site Network

Current Site

SANS Internet Storm Center

Other SANS Sites Help

Graduate Degree Programs

Security Training

Security Certification

Security Awareness Training

Penetration Testing

Industrial Control Systems

Cyber Defense Foundations

DFIR

Software Security

Government OnSite Training

SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Log In or Sign Up for Free!

DNS Snort Signatures; Acrobat Reader Vuln;TCP Port 1025 Traffic; Excellent DNS Article
Snort Signatures for TLD DNS packets Much thanx to Cody Hatch for all the hard work in building and testing these. These signatures require Snort version 2.3 or later. Feedback on these would be greatly appreciated as well. alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"com DNS cache poison"; content:!"TLD-SERVERS"; nocase; offset:10; depth:50; content:"\|c0\|"; content:"\|00 02\|"; distance:1; within:2; byte_jump:1,-3,relative,from_beginning; content:"\|03\|com\|00\|"; nocase; within:5; classtype:misc-attack; sid:1600; rev:3;)\ alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"net DNS cache poison"; content:!"TLD-SERVERS"; nocase; offset:10; depth:50; content:"\|c0\|"; content:"\|00 02\|"; distance:1; within:2; byte_jump:1,-3,relative,from_beginning; content:"\|03\|net\|00\|"; nocase; within:5; classtype:misc-attack; sid:1600; rev:3;)\ alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"org DNS cache poison"; content:!"TLD-SERVERS"; nocase; offset:10; depth:50; content:"\|c0\|"; content:"\|00 02\|"; distance:1; within:2; byte_jump:1,-3,relative,from_beginning; content:"\|03\|org\|00\|"; nocase; within:5; classtype:misc-attack; sid:1600; rev:3;)\ alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"biz DNS cache poison"; content:!"TLD-SERVERS"; nocase; offset:10; depth:50; content:"\|c0\|"; content:"\|00 02\|"; distance:1; within:2; byte_jump:1,-3,relative,from_beginning; content:"\|03\|biz\|00\|"; nocase; within:5; classtype:misc-attack; sid:1600; rev:3;)\ alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"edu DNS cache poison"; content:!"TLD-SERVERS"; nocase; offset:10; depth:50; content:"\|c0\|"; content:"\|00 02\|"; distance:1; within:2; byte_jump:1,-3,relative,from_beginning; content:"\|03\|edu\|00\|"; nocase; within:5; classtype:misc-attack; sid:1600; rev:3;)\ alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"gov DNS cache poison"; content:!"TLD-SERVERS"; nocase; offset:10; depth:50; content:"\|c0\|"; content:"\|00 02\|"; distance:1; within:2; byte_jump:1,-3,relative,from_beginning; content:"\|03\|gov\|00\|"; nocase; within:5; classtype:misc-attack; sid:1600; rev:3;)\ alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"int DNS cache poison"; content:!"TLD-SERVERS"; nocase; offset:10; depth:50; content:"\|c0\|"; content:"\|00 02\|"; distance:1; within:2; byte_jump:1,-3,relative,from_beginning; content:"\|03\|int\|00\|"; nocase; within:5; classtype:misc-attack; sid:1600; rev:3;)\ alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"mil DNS cache poison"; content:!"TLD-SERVERS"; nocase; offset:10; depth:50; content:"\|c0\|"; content:"\|00 02\|"; distance:1; within:2; byte_jump:1,-3,relative,from_beginning; content:"\|03\|mil\|00\|"; nocase; within:5; classtype:misc-attack; sid:1600; rev:3;)\ alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"info DNS cache poison"; content:!"TLD-SERVERS"; nocase; offset:10; depth:50; content:"\|c0\|"; content:"\|00 02\|"; distance:1; within:2; byte_jump:1,-3,relative,from_beginning; content:"\|04\|info\|00\|"; nocase; within:6; classtype:misc-attack; sid:1600; rev:3;)\ alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"name DNS cache poison"; content:!"TLD-SERVERS"; nocase; offset:10; depth:50; content:"\|c0\|"; content:"\|00 02\|"; distance:1; within:2; byte_jump:1,-3,relative,from_beginning; content:"\|04\|name\|00\|"; nocase; within:6; classtype:misc-attack; sid:1600; rev:3;)\ alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"pro DNS cache poison"; content:!"TLD-SERVERS"; nocase; offset:10; depth:50; content:"\|c0\|"; content:"\|00 02\|"; distance:1; within:2; byte_jump:1,-3,relative,from_beginning; content:"\|03\|pro\|00\|"; nocase; within:5; classtype:misc-attack; sid:1600; rev:3;)\ Again, many props to Cody Hatch for the work on this one. New Adobe Acrobat Reader Vulnerability NISCC has reported that Acrobat Reader contains a vulnerability which, when executed, could allow an attacker to discover local files. Yes, we know the advisory is a PDF, this isn't an April Fools joke. Thanx Adrien for the update, http://www.niscc.gov.uk/niscc/docs/re-20050401-00264.pdf More Port 1025 activity We are still seeing TCP 1025 traffic, with a new report submitted today from Michael Cloppert. His report showed a spike from external sources, in excess of 10,000 hosts. If anybody has captures of TCP 1025 traffic it would greatly help in our analysis. DNS and the future Given the current activity with DNS Cache poisoning that we are dealing with, it was suggested by one of the Handlers that this might be some good reading. (It is good reading, highly recommend it) http://www.nap.edu/execsumm_pdf/11258.pdf	Tony 150 Posts ISC Handler Apr 2nd 2005
Thread locked Subscribe	Apr 2nd 2005 1 decade ago

Sign Up for Free or Log In to start participating in the conversation!