[Snort-sigs] Dynamic DNS update attempt (new sig)

Jon Hart jhart at ...288...
Tue Oct 31 17:41:21 EST 2006

The signature below *should* alert on attempts to do Dynamic DNS
updates (not in the dyndns.org/etc sense).  It does this by looking for
an opcode of 5 (update), followed by 1 or more zones to update, followed
by 0 or more pre-reqs, followed by 1 or more updates, followed by
0 or more additional RRs, followed by some amount of data that should
contain the actual updates.

I'm not too good with byte_test, but in my testing this seems to work as
desired.  The isdataat value was picked out of the air -- suggestions
are welcome.

I plan on using this sig on our internal and external DNS -- DNS updates
internally have bitten us in the past, so hopefully this sig helps someone
else too.

Comments, complaints, etc, are welcome.

alert udp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"DNS Dynamic update attempt"; \
    byte_test:2,&,10240,2; byte_test:2,>,0,0,relative; \
    byte_test:2,^,1,0,relative; byte_test:2,>,0,0,relative; \
    byte_test:2,^,1,0,relative; isdataat:20,relative; sid:11111111; rev:1;)
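
An added example, not part of the original post: a Python check of the header fields the post describes (opcode 5, at least one zone, at least one update), read at their fixed offsets in the 12-byte DNS header, next to an emulation of the rule's `byte_test:2,&,10240,2`, which is true when any masked bit is set. The function names and sample packets are constructed for illustration.

```python
import struct

OPCODE_UPDATE = 5  # opcode value the post's rule looks for

def build_header(opcode, counts, qr=0, txid=0x1234):
    """Constructed sample: 12-byte DNS header plus 20 filler bytes of 'data'."""
    flags = (qr << 15) | (opcode << 11)
    return struct.pack("!HH4H", txid, flags, *counts) + b"\x00" * 20

def parse_header(payload):
    """Return the header fields, or None if the payload is shorter than a header."""
    if len(payload) < 12:
        return None
    _txid, flags, zo, pr, up, ad = struct.unpack("!6H", payload[:12])
    return {"qr": flags >> 15, "opcode": (flags >> 11) & 0xF,
            "zocount": zo, "prcount": pr, "upcount": up, "adcount": ad}

def is_dynamic_update(payload):
    """Exact form of the post's description: request, opcode 5, >=1 zone, >=1 update."""
    h = parse_header(payload)
    return bool(h and h["qr"] == 0 and h["opcode"] == OPCODE_UPDATE
                and h["zocount"] >= 1 and h["upcount"] >= 1)

def mask_test(payload, mask=10240):
    """Emulates byte_test:2,&,10240,2 (2 bytes at offset 2, bitwise AND non-zero)."""
    if len(payload) < 4:
        return False
    (flags,) = struct.unpack("!H", payload[2:4])
    return (flags & mask) != 0

# Constructed packets: (zone, prereq, update, additional) counts per sample.
SAMPLES = {
    "query": build_header(0, (1, 0, 0, 0)),
    "notify": build_header(4, (1, 0, 0, 0)),
    "update": build_header(5, (1, 0, 1, 0)),
    "update_response": build_header(5, (1, 0, 0, 0), qr=1),
    "truncated": b"\x12\x34\x28",
}

def classify():
    """Map sample name -> (mask test result, exact check result)."""
    return {n: (mask_test(p), is_dynamic_update(p)) for n, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, (masked, exact) in classify().items():
        print(f"{name:16} mask_test={masked!s:5} exact={exact}")
```

The NOTIFY sample (opcode 4) passes the mask test but not the exact check, because 10240 (0x2800) shares a bit with opcode 4.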

