[Snort-sigs] Dynamic DNS update attempt (new sig)
jhart at ...288...
Tue Oct 31 17:41:21 EST 2006
The signature below *should* alert on attempts to do Dynamic DNS
updates (not in the dyndns.org/etc sense). It does this by looking for
an opcode of 5 (update), followed by 1 or more zones to update, followed
by 0 or more pre-reqs, followed by 1 or more updates, followed by
0 or more additional RRs, followed by some amount of data that should
contain the actual updates.

I'm not too good with byte_test, but in my testing this seems to work as
desired. The isdataat value was picked out of the air -- suggestions

I plan on using this sig on our internal and external DNS -- DNS updates
internally have bit us in the past, so hopefully this sig helps someone

Comments, complaints, etc, are welcome.
# Opcode 5 (UPDATE) = bits 0x28 of flags byte 2 set and bits 0x50 clear; byte_test "&"
# matches if ANY mask bit is set, so test the bits separately. byte_test does not move
# the relative pointer, so ZOCOUNT (offset 4) and UPCOUNT (offset 8) use absolute offsets.
alert udp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"DNS Dynamic update attempt"; \
    byte_test:1,&,32,2; byte_test:1,&,8,2; byte_test:1,!&,80,2; \
    byte_test:2,>,0,4; byte_test:2,>,0,8; isdataat:20; sid:11111111; rev:1;)
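Added here as a worked example (not from the post and not Snort code): a small Python decoder that applies the header checks the signature describes, opcode 5 with at least one zone and one update RR, to constructed DNS messages, and mirrors the byte_test "&" semantics (any mask bit set) to show that the 0x2800 mask on its own also matches other opcodes such as IQUERY.

```python
import struct

# Constructed sample DNS payloads (not captured traffic): an RFC 2136 UPDATE
# request, a standard A query, and an obsolete IQUERY (opcode 1).
def _name(s):
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\x00"

UPDATE_MSG = (
    struct.pack(">HHHHHH", 0x1234, 5 << 11, 1, 0, 1, 0)   # ID, opcode 5, ZO=1 PR=0 UP=1 AD=0
    + _name("example.com") + struct.pack(">HH", 6, 1)       # zone section: SOA, IN
    + _name("host.example.com")
    + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([10, 0, 0, 1])  # update RR: A IN ttl rdlen rdata
)
QUERY_MSG = (
    struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)     # opcode 0, RD set, QD=1
    + _name("example.com") + struct.pack(">HH", 1, 1)
)
IQUERY_MSG = (
    struct.pack(">HHHHHH", 0x1234, 1 << 11, 1, 0, 0, 0)    # opcode 1 sets bit 0x0800
    + _name("example.com") + struct.pack(">HH", 1, 1)
)

def parse_header(payload):
    """Decode the 12-byte DNS header fields the signature inspects."""
    if len(payload) < 12:
        return None
    _ident, flags, c1, c2, c3, c4 = struct.unpack(">HHHHHH", payload[:12])
    return {"qr": flags >> 15, "opcode": (flags >> 11) & 0xF,
            "zocount": c1, "prcount": c2, "upcount": c3, "adcount": c4}

def flags_and_mask_matches(payload, mask=0x2800):
    """Same semantics as byte_test:2,&,10240,2: true if ANY bit of the mask is set."""
    if len(payload) < 4:
        return False
    return (struct.unpack(">H", payload[2:4])[0] & mask) != 0

def is_dynamic_update(payload, min_len=21):
    """The check the post intends: a request with opcode 5, at least one zone,
    at least one update RR, and a body long enough to hold them
    (isdataat:20 means more than 20 bytes of payload are present)."""
    h = parse_header(payload)
    if h is None:
        return False
    return (h["qr"] == 0 and h["opcode"] == 5 and h["zocount"] >= 1
            and h["upcount"] >= 1 and len(payload) >= min_len)
```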