[Snort-sigs] Advanced DNS rules

Mark Andrews marka at ...3631...
Sun Feb 19 16:02:55 EST 2012


In message <CAKEvj1BZ8YE7cE4OLwsCgTBF83YC1j8YvN-u=9ZPSSnhvcpcCg at ...2421...>
, Curt Shaffer writes:
> I'm looking for some information on a way to look for malformed DNS
> packets. Mainly looking for large UDP requests (dsize:>512) that are
> NOT DNSSEC related, and a rule looking for the reserved flag (Z),
> reference here: http://www.networksorcery.com/enp/protocol/dns.htm#Z,
> in the DNS Flags field. I'm having trouble finding decent
> documentation. I have the following:
> 
> Detects large packets, but want this to alert only if we are not using DNSSEC:

Why do you want to reject legitimate DNS traffic?  DNSSEC depends
on EDNS, but EDNS exists independently of DNSSEC.  There are lots
of reasons why an EDNS UDP response would be bigger than 512 bytes
and not be DNSSEC related.

Below is an example of a perfectly legitimate EDNS response > 512 bytes
that does not involve DNSSEC.

; <<>> DiG 9.7.3-P3 <<>> foo.com @a.root-servers.net +edns=0
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45266
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 16
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;foo.com.			IN	A

;; AUTHORITY SECTION:
com.			172800	IN	NS	c.gtld-servers.net.
com.			172800	IN	NS	f.gtld-servers.net.
com.			172800	IN	NS	d.gtld-servers.net.
com.			172800	IN	NS	j.gtld-servers.net.
com.			172800	IN	NS	h.gtld-servers.net.
com.			172800	IN	NS	g.gtld-servers.net.
com.			172800	IN	NS	b.gtld-servers.net.
com.			172800	IN	NS	e.gtld-servers.net.
com.			172800	IN	NS	k.gtld-servers.net.
com.			172800	IN	NS	m.gtld-servers.net.
com.			172800	IN	NS	i.gtld-servers.net.
com.			172800	IN	NS	a.gtld-servers.net.
com.			172800	IN	NS	l.gtld-servers.net.

;; ADDITIONAL SECTION:
a.gtld-servers.net.	172800	IN	A	192.5.6.30
a.gtld-servers.net.	172800	IN	AAAA	2001:503:a83e::2:30
b.gtld-servers.net.	172800	IN	A	192.33.14.30
b.gtld-servers.net.	172800	IN	AAAA	2001:503:231d::2:30
c.gtld-servers.net.	172800	IN	A	192.26.92.30
d.gtld-servers.net.	172800	IN	A	192.31.80.30
e.gtld-servers.net.	172800	IN	A	192.12.94.30
f.gtld-servers.net.	172800	IN	A	192.35.51.30
g.gtld-servers.net.	172800	IN	A	192.42.93.30
h.gtld-servers.net.	172800	IN	A	192.54.112.30
i.gtld-servers.net.	172800	IN	A	192.43.172.30
j.gtld-servers.net.	172800	IN	A	192.48.79.30
k.gtld-servers.net.	172800	IN	A	192.52.178.30
l.gtld-servers.net.	172800	IN	A	192.41.162.30
m.gtld-servers.net.	172800	IN	A	192.55.83.30

;; Query time: 200 msec
;; SERVER: 2001:503:ba3e::2:30#53(2001:503:ba3e::2:30)
;; WHEN: Mon Feb 20 07:59:19 2012
;; MSG SIZE  rcvd: 524

> alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:" Inbound Large DNS
> Packet Detected NOT DNSSEC";  dsize:> 512; classtype:dns;  sid:xxxxx;
> rev:1; )
> 
> The following I thought would work for the reserved bit (Z), but I am
> getting alerts even when the bit is not set:
> 
> alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS Reserved Bit
> Set"; content:!"|00|"; offset:25; classtype:dns; sid:9000246; rev:1;)
> 
> Can anyone point me at some documentation for Snort on these topics or
> lend a hand to help see what I'm missing?
> 
> Thanks
> 
> Curt
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at ...3631...
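The parser below is an added example from the editor, not code posted in this thread. It shows the two points the exchange turns on in runnable form: the Z flag is bit 0x40 of byte 3 of the UDP payload (not anything at offset 25), and "EDNS present" (an OPT pseudo-RR in the additional section) is a different test from "DNSSEC requested" (the DO bit in that OPT record's TTL field). The sample messages are constructed inline to resemble the dig referral above; the 192.0.2.x glue addresses and the helper names are assumptions, not captured traffic.

```python
"""Check DNS messages for the reserved Z flag and for EDNS vs. DNSSEC.

Added example, not code from the Snort-sigs thread. The sample messages
are constructed below to resemble the dig output in the thread; the
192.0.2.x glue addresses are placeholders (TEST-NET), not real data.
"""
import struct
from dataclasses import dataclass

OPT = 41          # EDNS(0) OPT pseudo-RR type (RFC 6891)
Z_BIT = 0x0040    # flags word bit 6: UDP payload byte 3, mask 0x40
DO_BIT = 0x8000   # DNSSEC OK: top bit of the OPT record's TTL field


@dataclass
class DnsSummary:
    size: int
    z_bit: bool
    edns: bool
    dnssec_ok: bool
    udp_payload: int   # advertised EDNS buffer size; 512 when no OPT


def skip_name(buf: bytes, off: int) -> int:
    """Return the offset just past the name at `off`; handles compression."""
    while True:
        if off >= len(buf):
            raise ValueError("truncated name")
        length = buf[off]
        if (length & 0xC0) == 0xC0:   # compression pointer ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def summarize(buf: bytes) -> DnsSummary:
    """Decode the header flags and walk every section looking for an OPT RR."""
    if len(buf) < 12:
        raise ValueError("shorter than a DNS header")
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(buf, off) + 4        # QTYPE, QCLASS
    edns, dnssec_ok, udp_payload = False, False, 512
    for _ in range(an + ns + ar):
        off = skip_name(buf, off)
        if off + 10 > len(buf):
            raise ValueError("truncated resource record")
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT:                     # CLASS = UDP size, TTL = EDNS flags
            edns, udp_payload, dnssec_ok = True, rclass, bool(ttl & DO_BIT)
    if off > len(buf):
        raise ValueError("truncated rdata")
    return DnsSummary(len(buf), bool(flags & Z_BIT), edns, dnssec_ok, udp_payload)


def triage(buf: bytes) -> list:
    """Findings worth alerting on. A large EDNS response is not one of them."""
    s = summarize(buf)
    findings = []
    if s.z_bit:
        findings.append("Z bit set")
    if s.size > 512 and not s.edns:
        findings.append("over 512 bytes without an OPT record")
    return findings


# --- constructed sample messages (placeholders, not captured packets) ------
def dns_name(text: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in text.split(".") if l) + b"\x00"


def rr(name: str, rtype: int, rdata: bytes, ttl: int = 172800, rclass: int = 1) -> bytes:
    return dns_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def opt_record(udp_size: int = 4096, do: bool = False) -> bytes:
    return rr("", OPT, b"", ttl=DO_BIT if do else 0, rclass=udp_size)


def build(flags: int, qname: str = "foo.com", authority=(), additional=()) -> bytes:
    hdr = struct.pack("!HHHHHH", 45266, flags, 1, 0, len(authority), len(additional))
    return hdr + dns_name(qname) + b"\x00\x01\x00\x01" + b"".join(authority) + b"".join(additional)


LETTERS = "abcdefghijklm"
NS_RRS = [rr("com", 2, dns_name(f"{c}.gtld-servers.net")) for c in LETTERS]
GLUE = [rr(f"{c}.gtld-servers.net", 1, bytes([192, 0, 2, i + 1])) for i, c in enumerate(LETTERS)]

BIG_EDNS_NO_DNSSEC = build(0x8100, authority=NS_RRS, additional=GLUE + [opt_record()])        # like the dig referral: qr rd, OPT, DO clear
BIG_EDNS_DNSSEC = build(0x8100, authority=NS_RRS, additional=GLUE + [opt_record(do=True)])    # same, DO set
BIG_NO_EDNS = build(0x8100, authority=NS_RRS, additional=GLUE)                                # oversized, no OPT at all
Z_QUERY = build(0x0140)      # rd plus the reserved Z bit
CLEAN_QUERY = build(0x0100)  # rd only

if __name__ == "__main__":
    for label, msg in [("edns, no dnssec", BIG_EDNS_NO_DNSSEC), ("no edns", BIG_NO_EDNS), ("z bit", Z_QUERY)]:
        print(label, summarize(msg), triage(msg))
```

In Snort terms, `offset` in a udp rule counts from the start of the UDP payload, so offset 25 lands inside the question section rather than on the flags; `byte_test:1,&,0x40,3;` tests the Z bit where it actually is. For the size rule, the distinction that matters is not "DNSSEC or not" but whether an OPT record is present: a response over 512 bytes with no OPT is the anomaly, and the referral above (933 bytes in this constructed form, 524 in the real dig) is ordinary EDNS.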