[Snort-sigs] DNS Cache Poisoning
frank at ...1978...
Thu Apr 7 13:02:51 EDT 2005
On Thu, 2005-04-07 at 14:46 -0500, Joe Stewart wrote:
> byte_jump:1,-3,relative,from_beginning; content:"|03|com|00|"; nocase;
> within:5; classtype:misc-attack; sid:1600; rev:4;)
> Basically the changes are: it looks for a packet with fewer than 7
> authority records (there should usually be 12 or 13, but who knows if
> you find a server with an old root hints file) and where the .com label
> follows an IP address (meaning it's probably the start of a new record
> and not part of a larger text label).
Of course this only applies to the .com domain (and with a slight
change, the .net domain). Do you have any signatures for the other
domains? We had quite a few on Bleeding, but these triggered not only on
responses from the root-servers reporting the authoritative gTLD and
ccTLD servers, but also on responses from those TLD servers on who is
the authoritative name server and on responses from those name servers.
We finally removed them again a couple of days ago.
You said you're not getting false positives. Have you actually caught
TRUE positives with this sig?
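
The heuristic described in the quoted text (a response with fewer than 7 authority records in which a literal .com owner label starts right after an A record's address), sketched as an added Python example; it is not part of the original thread and is not a translation of the Snort rule. The function names, helpers and sample packets are constructed for illustration.

```python
import struct

def skip_name(pkt, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        length = pkt[off]
        if (length & 0xC0) == 0xC0:    # compression pointer: 2 bytes, name ends
            return off + 2
        if length == 0:                # root label terminates the name
            return off + 1
        off += 1 + length

def suspicious_com_delegation(pkt, min_authority=7):
    """True for a response with fewer than min_authority authority records
    where a record owned by a literal "com" label follows an A record."""
    if len(pkt) < 12:
        return False
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    if not flags & 0x8000 or ns >= min_authority:   # not a response, or enough NS
        return False
    try:
        off = 12
        for _ in range(qd):
            off = skip_name(pkt, off) + 4           # skip QTYPE and QCLASS
        prev_was_a = False
        for _ in range(an + ns + ar):
            # Owner name must be the bare label, not a suffix of a longer name
            if prev_was_a and pkt[off:off + 5].lower() == b"\x03com\x00":
                return True
            off = skip_name(pkt, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
            prev_was_a = (rtype == 1 and rdlen == 4)  # A record, 4-byte address
            off += 10 + rdlen
    except (IndexError, struct.error):
        return False                                # truncated or malformed
    return False

# Constructed sample data (not captured traffic)
def rr(name, rtype, rdata):
    return name + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata

def hdr(an, ns, flags=0x8180):
    return struct.pack("!6H", 0x1234, flags, 1, an, ns, 0)

Q = b"\x03www\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
A = rr(b"\xc0\x0c", 1, bytes([192, 0, 2, 10]))              # www.example.com A
NS_COM = rr(b"\x03com\x00", 2, b"\x02ns\x07example\x03net\x00")  # com NS
NS_ZONE = rr(b"\xc0\x10", 2, b"\x02ns\xc0\x10")             # example.com NS
SUSPECT = hdr(1, 1) + Q + A + NS_COM
BENIGN = hdr(1, 1) + Q + A + NS_ZONE
```

The benign packet also contains the bytes `03 'com' 00` inside its question name, which is why the check is tied to the start of a record that follows an address rather than to the byte pattern alone.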