[Snort-sigs] Dynamic DNS update attempt (new sig)

Jon Hart jhart at ...288...
Wed Nov 1 12:48:04 EST 2006


On Wed, Nov 01, 2006 at 04:31:36AM -0500, Brian wrote:
> On Tue, Oct 31, 2006 at 02:41:21PM -0800, Jon Hart wrote:
> > The signature below *should* alert on attempts to do Dynamic DNS
> > updates (not in the dyndns.org/etc sense).  It does this by looking for
> > an opcode of 5 (update), followed by 1 or more zones to update, followed
> > by 0 or more pre-reqs, followed by 1 or more updates, followed by
> > 0 or more additional RRs, followed by some amount of data that should
> > contain the actual updates.
> > 
> > I'm not too good with byte_test, but in my testing this seems to work as
> > desired.  The isdataat value was picked out of the air -- suggestions
> > are welcome.
> > 
> > I plan on using this sig on our internal and external DNS -- DNS updates
> > internally have bit us in the past, so hopefully this sig helps someone
> > else too.
> > 
> > Comments, complaints, etc, are welcome.
> > 
> > alert udp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"DNS Dynamic update
> > attempt"; byte_test:2,&,10240,2; byte_test:2,>,0,0,relative;
> > byte_test:2,^,1,0,relative; byte_test:2,>,0,0,relative;
> > byte_test:2,^,1,0,relative; isdataat:20,relative;  sid:11111111; rev:1;)
> 
> You made a repetitive error, which causes this rule to not work as
> you expect.
> 
> byte_test does not move the relative pointer.  You are checking the
> same 2 bytes 4 times. 

Good to know.  The docs say relative is "Use an offset relative to last
pattern match" -- a bit misleading, but the first example in the docs
seems to back up what you say.

> BTW, there are faster ways to do "1 or more", eg "not 0"
> 
>     content:!"|00 00|";

Is content negation faster than byte_test in general, or just in this
specific case?

Thanks,

-jon
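What the posted rule is trying to express, written out as a header parser: opcode 5, at least one zone, at least one update RR, and some body after the 12-byte header. This is an added example, not code from the thread; the sample UPDATE and query messages are constructed here, and the name `is_dynamic_update` is this example's own.

```python
"""Check a DNS payload for the UPDATE pattern the thread's rule intends
(RFC 2136 header: ID, flags, ZOCOUNT, PRCOUNT, UPCOUNT, ADCOUNT).
Added example; the sample messages below are constructed, not captured."""
import struct

DNS_HEADER = struct.Struct("!HHHHHH")   # six big-endian 16-bit header fields
OPCODE_UPDATE = 5                        # OPCODE_UPDATE << 11 == 0x2800 == 10240 in the rule
MIN_BODY = 20                            # the isdataat value "picked out of the air"


def is_dynamic_update(payload: bytes) -> bool:
    """True when the header says UPDATE with >=1 zone, >=1 update and >=20 body bytes.

    Unlike a chain of byte_tests on the same two bytes, each count here is read
    from its own header field. The opcode is compared exactly; a bitwise AND
    against 0x2800 would also be non-zero for any opcode sharing a bit with 5.
    """
    if len(payload) < DNS_HEADER.size:
        return False
    _id, flags, zocount, _prcount, upcount, _adcount = DNS_HEADER.unpack_from(payload)
    opcode = (flags >> 11) & 0xF
    return (opcode == OPCODE_UPDATE
            and zocount >= 1
            and upcount >= 1
            and len(payload) - DNS_HEADER.size >= MIN_BODY)


def _name(fqdn: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    labels = fqdn.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


# Constructed UPDATE: one zone (SOA/IN) and one A record to add, 51 body bytes.
ZONE = _name("example.test") + struct.pack("!HH", 6, 1)
UPDATE_RR = (_name("host.example.test")
             + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
SAMPLE_UPDATE = DNS_HEADER.pack(0x1234, OPCODE_UPDATE << 11, 1, 0, 1, 0) + ZONE + UPDATE_RR

# Constructed ordinary recursive A query for the same name: must not be flagged.
SAMPLE_QUERY = (DNS_HEADER.pack(0x1234, 0x0100, 1, 0, 0, 0)
                + _name("host.example.test") + struct.pack("!HH", 1, 1))

# Constructed UPDATE header with every count zero: opcode matches, rest does not.
SAMPLE_EMPTY_UPDATE = DNS_HEADER.pack(0x1234, OPCODE_UPDATE << 11, 0, 0, 0, 0)

if __name__ == "__main__":
    for label, pkt in (("update", SAMPLE_UPDATE), ("query", SAMPLE_QUERY),
                       ("empty update", SAMPLE_EMPTY_UPDATE)):
        print(f"{label:13s} flagged={is_dynamic_update(pkt)}")
```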
