[Snort-sigs] DNS Cache Poisoning

Joe Stewart jstewart at ...5...
Thu Apr 7 13:29:25 EDT 2005

On Thursday 07 April 2005 04:02 pm, Frank Knobbe wrote:
> Of course this only applies to the .com domain (and with a slight
> change, the .net domain). Do you have any signatures for the other
> domains? We had quite a few on Bleeding, but these triggered not only
> on responses from the root-servers reporting the authoritative gTLD
> and ccTLD servers, but also on responses from those TLD servers on
> who is the authoritative name server and on responses from those name
> servers. We finally removed them again a couple days ago.

No, I don't have any more - I want to get some feedback before rolling 
out additional signatures for other domains. Also, we're going to 
completely miss if the attacker decides to just poison google.com 
instead of the whole TLD.

> You said you're not getting false positives. Have you actually caught
> TRUE positives with this sig?

I have pcaps of some of the original malicious packets I have tested it 


Joe Stewart, GCIH 
Senior Security Researcher
LURHQ http://www.lurhq.com/
