[Snort-sigs] Dynamic DNS update attempt (new sig)

Brian bmc at ...95...
Wed Nov 1 04:31:36 EST 2006

On Tue, Oct 31, 2006 at 02:41:21PM -0800, Jon Hart wrote:
> The signature below *should* alert on attempts to do Dynamic DNS
> updates (not in the dyndns.org/etc sense).  It does this by looking for
> an opcode of 5 (update), followed by 1 or more zones to update, followed
> by 0 or more pre-reqs, followed by 1 or more updates, followed by
> 0 or more additional RRs, followed by some amount of data that should
> contain the actual updates.
> I'm not too good with byte_test, but in my testing this seems to work as
> desired.  The isdataat value was picked out of the air -- suggestions
> are welcome.
> I plan on using this sig on our internal and external DNS -- DNS updates
> internally have bit us in the past, so hopefully this sig helps someone
> else too.
> Comments, complaints, etc, are welcome.
> alert udp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"DNS Dynamic update
> attempt"; byte_test:2,&,10240,2; byte_test:2,>,0,0,relative;
> byte_test:2,^,1,0,relative; byte_test:2,>,0,0,relative;
> byte_test:2,^,1,0,relative; isdataat:20,relative;  sid:11111111; rev:1;)

You made a repeatitive error, which causes this rule to not work as
you expect.

byte_test does not move the relative pointer.  You are checking the
same 2 bytes 4 times. 

BTW, there are faster ways to do "1 or more", eg "not 0"

    content:!"|00 00|";


More information about the Snort-sigs mailing list