[Snort-sigs] [Snort-users] Detecting cross reference at DNS decompression by a snort rule (fwd)

rmkml rmkml at ...174...
Fri May 27 12:08:06 EDT 2011


FYI


---------- Forwarded message ----------
Date: Fri, 27 May 2011 12:18:35 +0200 (CEST)
From: rmkml <rmkml at ...174...>
To: anvari85 at ...2420...
Cc: snort-users at lists.sourceforge.net, rmkml at ...174...
Subject: Re: [Snort-users] Detecting cross reference at DNS decompression by a snort rule

Hi anvari85,
Yes, it's a dns compression loop DoS...
dns query "start" with compressed bytes (\xc0\x0e) at \xc0\x0c, at \xc0\x0e contains compressed bytes (\xc0\x0c): loop!
a dns query never starts with compressed bytes... (comments are welcome)

Note, snort v2905 alerts on zlip-2.pcap:
   04/11-19:48:09.550140  [**] [116:98:1] (snort_decoder) WARNING: Long UDP packet, length field < payload length [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {UDP} 10.0.0.1:0 -> 146.84.28.88:0
Regards
Rmkml


On Fri, 27 May 2011, سعید انواری wrote:

> Hello. I want to write a snort rule to detect a DNS exploit as a result of endless cross referencing in a DNS compression message. Especially, I mean the zlip-2.pcap packet ( zlip-2.pcap ).
> Can somebody help me?
> Thanks.
>
>

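The two conditions rmkml describes above (a question name that begins with a compression pointer, and a pointer chain that returns to an offset it already visited) can be checked directly by a name decoder that tracks every pointer offset it follows. The following is an added example, not code from the thread, from Snort, or from the zlip-2.pcap; the packet bytes are constructed here to reproduce the 0x0c -> 0x0e -> 0x0c pattern described in the reply, and the `MAX_POINTERS` cap is an assumed bound rather than anything from the original discussion.

```python
import struct

HEADER_LEN = 12      # fixed DNS header; the question section starts at offset 12
MAX_POINTERS = 32    # assumed cap on pointers followed per name (defence in depth)


class DnsNameError(ValueError):
    """Raised when a name cannot be decoded safely."""


def read_name(pkt, offset):
    """Decode a DNS name starting at `offset` and return (name, next_offset).

    Every pointer offset that is followed is recorded in `seen`, so a cycle such
    as 0x0c -> 0x0e -> 0x0c raises instead of looping forever.  The pointer count
    is also capped so a long non-cyclic chain cannot burn unbounded CPU.
    """
    labels = []
    seen = set()
    pos = offset
    end = None  # offset just past the name in the un-jumped stream
    while True:
        if pos >= len(pkt):
            raise DnsNameError("name runs past end of packet")
        length = pkt[pos]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer: 11xxxxxx xxxxxxxx
            if pos + 1 >= len(pkt):
                raise DnsNameError("truncated compression pointer")
            if pos in seen:
                raise DnsNameError("compression pointer loop at offset 0x%02x" % pos)
            seen.add(pos)
            if len(seen) > MAX_POINTERS:
                raise DnsNameError("too many compression pointers")
            if end is None:
                end = pos + 2  # the name occupies exactly two bytes in the stream
            pos = struct.unpack_from("!H", pkt, pos)[0] & 0x3FFF
            continue
        if length & 0xC0:
            raise DnsNameError("reserved label type 0x%02x" % (length & 0xC0))
        if length == 0:  # root label terminates the name
            pos += 1
            if end is None:
                end = pos
            return ".".join(labels) or ".", end
        label = pkt[pos + 1 : pos + 1 + length]
        if len(label) != length:
            raise DnsNameError("truncated label")
        labels.append(label.decode("ascii", "replace"))
        pos += 1 + length


def inspect_query(pkt):
    """Return a list of findings for the first question name of a DNS message."""
    findings = []
    if len(pkt) < HEADER_LEN:
        return ["packet shorter than DNS header"]
    qdcount = struct.unpack_from("!H", pkt, 4)[0]
    if qdcount == 0:
        return findings
    # A question name is the first name in the message, so there is nothing
    # earlier for it to point at; a leading pointer is never legitimate.
    if pkt[HEADER_LEN] & 0xC0 == 0xC0:
        findings.append("question name begins with a compression pointer")
    try:
        read_name(pkt, HEADER_LEN)
    except DnsNameError as exc:
        findings.append(str(exc))
    return findings


# Constructed sample messages (id 0x1234, RD set, one question, no other records).
HEADER = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
# Offset 0x0c holds a pointer to 0x0e; offset 0x0e holds a pointer back to 0x0c.
LOOP_QUERY = HEADER + b"\xc0\x0e\xc0\x0c" + b"\x00\x01\x00\x01"
# A normal query for example.com, type A, class IN.
GOOD_QUERY = HEADER + b"\x07example\x03com\x00" + b"\x00\x01\x00\x01"

if __name__ == "__main__":
    for label, pkt in (("loop", LOOP_QUERY), ("good", GOOD_QUERY)):
        print(label, inspect_query(pkt) or "no findings")
```

Either finding on its own is enough to drop or alert on the packet; the leading-pointer check is the cheaper of the two, since it needs only the byte at offset 12, which is what a content match at that offset in a signature would test.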
