[Snort-sigs] DNS Cache Poisoning
jstewart at ...5...
Thu Apr 7 13:29:25 EDT 2005
On Thursday 07 April 2005 04:02 pm, Frank Knobbe wrote:
> Of course this only applies to the .com domain (and with a slight
> change, the .net domain). Do you have any signatures for the other
> domains? We had quite a few on Bleeding, but these triggered not only
> on responses from the root-servers reporting the authoritative gTLD
> and ccTLD servers, but also on responses from those TLD servers on
> who is the authoritative name server and on responses from those name
> servers. We finally removed them again a couple of days ago.
No, I don't have any more - I want to get some feedback before rolling
out additional signatures for other domains. Also, we're going to
completely miss if the attacker decides to just poison google.com
instead of the whole TLD.
> You said you're not getting false positives. Have you actually caught
> TRUE positives with this sig?
I have pcaps of some of the original malicious packets I have tested it
Joe Stewart, GCIH
Senior Security Researcher
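Added illustration, not code from this thread or from Joe's signature: a minimal DNS wire-format parser that reports NS records in the AUTHORITY section owned by a bare TLD (the condition the signature keys on), plus the responder allow-list that separates such records from legitimate root-server referrals, which is the false-positive source Frank describes. The sample packet, the attacker name and the allow-list address are constructed placeholders.

```python
import struct
# Added example (not from the thread): minimal DNS response parser flagging NS
# records in the AUTHORITY section whose owner name is a single label (a TLD).
TYPE_NS = 2
ROOT_SERVER_ALLOWLIST = {"192.0.2.1"}  # placeholder, not a real root-server address

def read_name(msg, off):  # decode a (possibly compressed) name -> (labels, next offset)
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: follow it, remember return point
            if not jumped:
                end, jumped = off + 2, True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return labels, (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii").lower())
        off += length
def parse_records(msg, off, count):  # -> ([(owner, type, rdata)], next offset)
    recs = []
    for _ in range(count):
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = ".".join(read_name(msg, off)[0]) if rtype == TYPE_NS else msg[off:off + rdlen]
        recs.append((".".join(owner), rtype, rdata))
        off += rdlen
    return recs, off
def tld_ns_claims(msg):  # NS records in the authority section owned by a bare TLD
    _id, _flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip question section (QNAME + QTYPE + QCLASS)
        off = read_name(msg, off)[1] + 4
    off = parse_records(msg, off, an)[1]  # skip answer section
    authority = parse_records(msg, off, ns)[0]
    return [r for r in authority if r[1] == TYPE_NS and r[0] and "." not in r[0]]
def is_suspicious(msg, responder_ip):
    # Root-server referrals legitimately carry TLD NS records, so only flag other responders.
    return bool(tld_ns_claims(msg)) and responder_ip not in ROOT_SERVER_ALLOWLIST
def enc_name(name):  # wire-encode a dotted name, uncompressed
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

# Constructed sample: reply to "www.example.com A" whose authority section claims
# "com NS ns.attacker.invalid"; the owner name is a pointer to "com" at offset 24.
NS_RDATA = enc_name("ns.attacker.invalid")
SAMPLE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 1, 0)
          + enc_name("www.example.com") + struct.pack("!HH", 1, 1) + b"\xC0\x18"
          + struct.pack("!HHIH", TYPE_NS, 1, 86400, len(NS_RDATA)) + NS_RDATA)
```

Note that this still cannot see an attacker who poisons a single second-level name rather than a TLD, which is the gap Joe points out for the signature as well.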