[Snort-sigs] new rule for detect windows NAT DNS DoS

M. Shirk shirkdog_list at ...12...
Tue Oct 31 11:22:08 EST 2006


This is what I had.

It's the Query, with the other values set to null.

alert tcp $HOME_NET any -> any 53 (msg:"DNS Goes bad on Windows"; 
content:"|01 00|"; offset: 2; byte_test:8,=,0,0,relative; rev:1; sid:666; )

Shirkdog
http://www.shirkdog.us





>From: Blake Hartstein <bhartstein at ...274...>
>To: rmkml <rmkml at ...324...>
>CC: Snort-sigs at lists.sourceforge.net
>Subject: Re: [Snort-sigs] new rule for detect windows NAT DNS DoS
>Date: Tue, 31 Oct 2006 08:01:26 -0800
>
>My data shows this also valid over tcp.
>This rule is too generic, I tested it with a large amount of DNS traffic
>and legitimate requests cause false positives very frequently, namely:
>
>The header field "Questions" has a value of 00 01
>And the data following contains multiple null bytes.
>
>Is there a better way to anchor this detection?
>
>-Blake
>
>
>rmkml wrote:
> > Hi,
> >
> > please check and maybe add this new rule :
> >
> > dns.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS Windows
> > NAT DoS attempt"; content:"|01 00|"; offset:2; content:"|00 00|";
> > offset:10; reference:cve,2006-5614; classtype:bad-unknown; rev:1;)
> >
> > "Overview: Microsoft Windows NAT Helper components (ipnathlp.dll) on
> > Windows XP SP2, when Internet Connection Sharing is enabled, allows remote
> > attackers to cause DoS (svchost.exe crash) via malformed DNS query, which
> > results in a null pointer dereference."
> >
> > Any suggestions and improvements are welcome,
> >
> > This rule is offered by Crusoe Researches (Team)
> > http://www.crusoe-researches.com
> >
> > Regards
> > Rmkml
> >
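To see why the two rules in this thread behave so differently, here is a small emulation of both, added as an illustration (it is not code from the list or from Snort). It models a content match with offset but no depth as "match anywhere at or after offset", which is the mechanism behind the false positives Blake describes; the DNS messages are constructed samples, not captures.

```python
import struct

DNS_HDR = struct.Struct("!HHHHHH")  # id, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT

def build_query(txid, flags=0x0100, qd=1, an=0, ns=0, ar=0, name="example.com", qtype=1):
    """Build a raw DNS message from its header fields (constructed sample, not a capture)."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return DNS_HDR.pack(txid, flags, qd, an, ns, ar) + qname + struct.pack("!HH", qtype, 1)

def matches(payload, needle, offset):
    """Emulate 'content' + 'offset' with no 'depth': the pattern may match anywhere
    at or after 'offset', so yield every candidate position in order."""
    i = payload.find(needle, offset)
    while i != -1:
        yield i
        i = payload.find(needle, i + 1)

def rule_rmkml(payload):
    """content:"|01 00|"; offset:2;  content:"|00 00|"; offset:10;
    Two independent absolute searches: any two null bytes from byte 10 on satisfy the second."""
    return (next(matches(payload, b"\x01\x00", 2), None) is not None
            and next(matches(payload, b"\x00\x00", 10), None) is not None)

def rule_shirk(payload):
    """content:"|01 00|"; offset:2; byte_test:8,=,0,0,relative;
    The byte_test is anchored at the end of the content match, so the eight bytes right
    after |01 00| (the four count fields when the match is the flags) must all be zero."""
    return any(payload[i + 2:i + 10] == b"\x00" * 8 for i in matches(payload, b"\x01\x00", 2))

# Constructed samples: ordinary queries plus a header-only message with every count zero.
SAMPLES = {
    "plain query":     build_query(0x1234),         # QDCOUNT=1, ARCOUNT=0
    "ARCOUNT set":     build_query(0x1234, ar=1),   # ARCOUNT=1 as an EDNS query carries; nulls in body
    "counts all zero": DNS_HDR.pack(0xABCD, 0x0100, 0, 0, 0, 0),
}

def evaluate():
    """Return {sample: (rmkml_fires, shirk_fires)} for each constructed message."""
    return {k: (rule_rmkml(v), rule_shirk(v)) for k, v in SAMPLES.items()}

if __name__ == "__main__":
    for name, (r, s) in evaluate().items():
        print(f"{name:16} rmkml={r!s:5} shirk={s!s:5}")
```

The first rule fires on every sample, including both ordinary queries, because `offset:10` only sets where the search for `|00 00|` starts; the relative byte_test form fires only when the count fields themselves are null.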
