[Snort-devel] a doozie of a metaphysical question

tlewis at ...255... tlewis at ...255...
Wed Jun 13 11:40:19 EDT 2001


On Wed, 13 Jun 2001, Erik Fichtner wrote:

> On Wed, Jun 13, 2001 at 10:12:36AM -0400, tlewis at ...255... wrote:
> > In fact, now that I think about it, you can't rely on DNS opcode or rcode 
> > ranges to identify DNS packets, since having illegal values for these is 
> > a very good attack.
> 
> Pshaw.   It's very hard to tell what something IS, but it's not very 
> hard at all to tell what something ISN'T.
> 
> "This ISN'T a sensible DNS packet... Perhaps it should be looked at further..."

And what about the non-sensical DNS packets that are actually destined for
DNS servers, where they will trigger very-sensible buffer overflows?  We're
not writing tcpdump here; we're writing an IDS.

--
Todd Lewis
tlewis at ...255...





More information about the Snort-devel mailing list