[Snort-devel] a doozie of a metaphysical question

tlewis at ...255...
Wed Jun 13 10:12:36 EDT 2001

1) I disagree with you about DNS being well-formed.  Other than the
restricted opcode and rcode ranges, the header is indistinguishable
from line noise.  Relying on two four-bit values not randomly hitting
a 40% target ain't my idea of reliable.  There surely is no "Hello!
I'm a DNS packet, DNS version x.y" fixed header element or anything.
For NTP, are you going to rely on clock type being legal?  Check your
system clock and then look for a leap indicator?

A night of beer on me at this month's usenix if you can code up something
that can pseudo-reliably (>90%) distinguish between arbitrary DNS and
NTP packets.  Remember, since we're looking for attacks, you can't rely
on the statistical behaviour of these packets.  In fact, now that I think
about it, you can't rely on DNS opcode or rcode ranges to identify DNS
packets, since having illegal values for these is a very good attack.

2) What about echo v irc?  https v ldaps?  tcp port 2 v tcp port 3?

Todd Lewis
tlewis at ...255...

On Wed, 13 Jun 2001, Erik Fichtner wrote:

> On Tue, Jun 12, 2001 at 10:35:05PM -0400, tlewis at ...255... wrote:
> > If you see a UDP packet with a source port of 123 (NTP) and a destination
> > port of 53 (DNS), then what protocol should you assume is used in that
> > packet?  
> You shouldn't assume anything, IMHO.  NTP and DNS both have nice identifying
> characteristics inside the packet.   Couple extra checks, but it shouldn't
> affect the overall processing time in any terribly significant way..
> -- 
> Erik Fichtner
> Security Administrator, ServerVault, Inc.
> 703-333-5900
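The header checks the two posts are arguing about, as an added example (mine, not code from either poster or from Snort): minimal RFC 1035 and RFC 1305 sanity checks run over constructed DNS and NTP payloads. It shows a perfectly legal NTP client request that also satisfies the DNS header check, and how small a fraction of arbitrary flag words the DNS check rejects, which is the ambiguity Todd's point (1) describes.

```python
import struct

# Constructed sample payloads (not captured traffic, not from the thread).
# DNS: a standard query, id 0x1a2b, RD set, one question (name "a.", type A, class IN).
DNS_QUERY = struct.pack("!HHHHHH", 0x1A2B, 0x0100, 1, 0, 0, 0) + b"\x01a\x00\x00\x01\x00\x01"
# NTP: a v4 client request, stratum 0, poll 6, precision -20, timestamps all zero.
NTP_CLIENT = struct.pack("!BBbb", 0x23, 0, 6, -20) + bytes(44)
# NTP: an equally legal client request with poll 0 and precision 0.
NTP_CLIENT_ZERO = struct.pack("!BBbb", 0x23, 0, 0, 0) + bytes(44)

def dns_flags_ok(flags):
    """RFC 1035 flag-word constraints: opcode 0-2, Z bits zero, rcode 0-5."""
    opcode = (flags >> 11) & 0xF
    z = (flags >> 4) & 0x7
    rcode = flags & 0xF
    return opcode <= 2 and z == 0 and rcode <= 5

def looks_like_dns(payload):
    """Header-only DNS check: flag word plus plausible section counts."""
    if len(payload) < 12:
        return False
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    return dns_flags_ok(flags) and qd <= 1 and an + ns + ar <= 100

def looks_like_ntp(payload):
    """Header-only NTP check: 48-byte minimum, version 1-4, mode 1-7, stratum 0-16."""
    if len(payload) < 48:
        return False
    vn = (payload[0] >> 3) & 0x7
    mode = payload[0] & 0x7
    stratum = payload[1]
    return 1 <= vn <= 4 and 1 <= mode <= 7 and stratum <= 16

def classify(payload):
    """Return every protocol whose header check the payload satisfies."""
    labels = []
    if looks_like_dns(payload):
        labels.append("dns")
    if looks_like_ntp(payload):
        labels.append("ntp")
    return labels

def dns_flag_pass_rate():
    """Fraction of all 65536 possible flag words that pass dns_flags_ok."""
    return sum(dns_flags_ok(f) for f in range(1 << 16)) / (1 << 16)

if __name__ == "__main__":
    for name, pkt in [("DNS_QUERY", DNS_QUERY), ("NTP_CLIENT", NTP_CLIENT),
                      ("NTP_CLIENT_ZERO", NTP_CLIENT_ZERO)]:
        print(f"{name:16s} -> {classify(pkt)}")
    print(f"arbitrary flag words passing the DNS check: {dns_flag_pass_rate():.2%}")
```

The poll/precision bytes of NTP_CLIENT happen to set the DNS Z bits, so it is rejected as DNS, while NTP_CLIENT_ZERO passes both checks; only the 20-byte length keeps the DNS query from passing as NTP.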
