[Snort-sigs] DNS Cache Poisoning

Jaramillo, Paul D [CC] Paul.D.Jaramillo at ...2992...
Wed Apr 6 10:28:15 EDT 2005


> Anybody got a decent sig for this yet? I tried the one posted by ISC
> and it generates a continuous stream of false positives.
> 
> alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"com DNS cache
> poison"; content:!"TLD-SERVERS"; nocase; offset:10; depth:50;
> content:"|c0|"; content:"|00 02|"; distance:1; within:2;
> byte_jump:1,-3,relative,from_beginning; content:"|03|com|00|"; nocase;
> within:5; classtype:misc-attack; sid:1600; rev:3;)
> 
> Paul D. Jaramillo
> Security Event Management
> Sprint Corporate Security
> 913-315-8036
> 
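As an added illustration, not part of the original post and not ISC's or Snort's code, the matching logic of the quoted sid:1600 rule re-implemented in Python and run over two constructed DNS responses: one carrying an NS record for "com" that delegates to a made-up rogue server, and one ordinary referral to gtld-servers that the negated content clause excludes. The helper names (`matches_isc_com_poison_rule`, `build_response`, `_dns_name`) and the reading of Snort 2 `distance`/`within`/`byte_jump` semantics are my own.

```python
import struct

# The detection steps of the quoted ISC rule (sid:1600 rev:3), written out
# in Python so each option can be read next to what it actually tests.
# Added illustration only: not a Snort component and not the ISC rule itself.

def _dns_name(*labels: str) -> bytes:
    """Encode labels as a wire-format DNS name (constructed test data only)."""
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels) + b"\x00"

def matches_isc_com_poison_rule(payload: bytes) -> bool:
    """Return True when a UDP/53 payload would trigger the quoted rule."""
    # content:!"TLD-SERVERS"; nocase; offset:10; depth:50;
    # Negated: bytes 10..59 must NOT contain the string (case-insensitive),
    # so referrals that name the gTLD servers are excluded up front.
    if b"tld-servers" in payload[10:60].lower():
        return False
    # content:"|c0|";  -- every 0xC0 byte in the payload is a candidate.
    p = payload.find(b"\xc0")
    while p != -1:
        # content:"|00 02|"; distance:1; within:2;
        # skip one byte after the 0xC0, then the next two bytes must be 00 02
        # (0xC0 xx = name compression pointer, 00 02 = TYPE NS).
        if payload[p + 2:p + 4] == b"\x00\x02":
            # byte_jump:1,-3,relative,from_beginning;
            # read 1 byte at (cursor - 3), i.e. the pointer's low byte, and
            # move to that offset counted from the start of the payload.
            target = payload[p + 1]
            # content:"|03|com|00|"; nocase; within:5;
            # the name the pointer resolves to must be exactly "com." itself.
            if payload[target:target + 5].lower() == b"\x03com\x00":
                return True
        p = payload.find(b"\xc0", p + 1)
    return False

def build_response(ns_target: bytes) -> bytes:
    """Constructed DNS response: question www.example.com/A plus one NS record
    for 'com' in the authority section (owner name = pointer to offset 24)."""
    header = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 0, 1, 0)
    question = _dns_name("www", "example", "com") + struct.pack(">HH", 1, 1)
    # offset 24 (0x18) is where the "com" label starts inside the question name
    authority = b"\xc0\x18" + struct.pack(">HHIH", 2, 1, 172800, len(ns_target)) + ns_target
    return header + question + authority

if __name__ == "__main__":
    rogue = build_response(_dns_name("ns", "rogue", "example"))      # constructed
    legit = build_response(_dns_name("a", "gtld-servers", "net"))    # constructed
    print("NS for com -> rogue server:", matches_isc_com_poison_rule(rogue))   # True
    print("NS for com -> gtld-servers:", matches_isc_com_poison_rule(legit))   # False
```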