[Snort-sigs] Dynamic DNS update attempt (new sig)
jhart at ...288...
Wed Nov 1 12:48:04 EST 2006
On Wed, Nov 01, 2006 at 04:31:36AM -0500, Brian wrote:
> On Tue, Oct 31, 2006 at 02:41:21PM -0800, Jon Hart wrote:
> > The signature below *should* alert on attempts to do Dynamic DNS
> > updates (not in the dyndns.org/etc sense). It does this by looking for
> > an opcode of 5 (update), followed by 1 or more zones to update, followed
> > by 0 or more pre-reqs, followed by 1 or more updates, followed by
> > 0 or more additional RRs, followed by some amount of data that should
> > contain the actual updates.
> > I'm not too good with byte_test, but in my testing this seems to work as
> > desired. The isdataat value was picked out of the air -- suggestions
> > are welcome.
> > I plan on using this sig on our internal and external DNS -- DNS updates
> > internally have bit us in the past, so hopefully this sig helps someone
> > else too.
> > Comments, complaints, etc, are welcome.
> > alert udp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"DNS Dynamic update
> > attempt"; byte_test:2,&,10240,2; byte_test:2,>,0,0,relative;
> > byte_test:2,^,1,0,relative; byte_test:2,>,0,0,relative;
> > byte_test:2,^,1,0,relative; isdataat:20,relative; sid:11111111; rev:1;)
> You made a repetitive error, which causes this rule to not work as
> you expect.
> byte_test does not move the relative pointer. You are checking the
> same 2 bytes 4 times.
Good to know. The docs say relative is "Use an offset relative to last
pattern match" -- a bit misleading, but the first example in the docs
seems to back up what you say.
> BTW, there are faster ways to do "1 or more", eg "not 0"
> content:!"|00 00|";
Is content negation faster than byte_test in general, or just in this
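The check the posted signature is trying to express, written out as a DNS header parser in Python (an added example, not part of the original thread or the Snort rule); the sample UPDATE and query packets are constructed here, and the zone and host names in them are made up. Each count is read from its own offset, which is the point of the relative-pointer remark above.

```python
import struct

# DNS header: ID, FLAGS, then four 16-bit counts (RFC 1035). In an UPDATE
# message (RFC 2136, opcode 5) those counts are ZOCOUNT, PRCOUNT, UPCOUNT, ADCOUNT.
HEADER = struct.Struct("!HHHHHH")
OPCODE_UPDATE = 5

def parse_dns_header(payload: bytes) -> dict:
    """Decode the 12-byte header of a DNS message carried in a UDP payload."""
    if len(payload) < HEADER.size:
        raise ValueError("payload shorter than a DNS header")
    ident, flags, c1, c2, c3, c4 = HEADER.unpack_from(payload, 0)
    return {"id": ident, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF,
            "zocount": c1, "prcount": c2, "upcount": c3, "adcount": c4}

def is_dns_update_attempt(payload: bytes) -> bool:
    """A request (QR=0) with opcode 5, one or more zones, one or more updates
    and some data after the header. Each count comes from its own offset,
    so the check is not reading the same two bytes four times."""
    try:
        h = parse_dns_header(payload)
    except ValueError:
        return False
    return (h["qr"] == 0 and h["opcode"] == OPCODE_UPDATE
            and h["zocount"] >= 1 and h["upcount"] >= 1
            and len(payload) > HEADER.size)

def encode_name(name: str) -> bytes:
    """Uncompressed wire-format name: length-prefixed labels plus root terminator."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_sample_update() -> bytes:
    """Constructed UPDATE: zone example.test, add one A record for host.example.test."""
    hdr = HEADER.pack(0x1234, OPCODE_UPDATE << 11, 1, 0, 1, 0)  # flags 0x2800 = opcode 5
    zone = encode_name("example.test") + struct.pack("!HH", 6, 1)  # SOA, IN
    rr = (encode_name("host.example.test")
          + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([10, 0, 0, 1]))  # A, IN, TTL, rdlen, rdata
    return hdr + zone + rr

def build_sample_query() -> bytes:
    """Constructed ordinary query (opcode 0, RD set) that must not trigger."""
    hdr = HEADER.pack(0x1234, 0x0100, 1, 0, 0, 0)
    return hdr + encode_name("host.example.test") + struct.pack("!HH", 1, 1)

if __name__ == "__main__":
    print(is_dns_update_attempt(build_sample_update()))  # True
    print(is_dns_update_attempt(build_sample_query()))   # False
```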