[Snort-sigs] Advanced DNS rules

Curt Shaffer cshaffer at ...2420...
Sun Feb 19 17:31:08 EST 2012


It is more about just looking for large malformed DNS requests. I
don't want to catch legitimate DNS requests that would be large such
as DNSSEC or valid EDNS. Think of a DNS packet filled with 0x41's at
1000 bytes. Certainly not something I want. That is just an example
more than exactly what I'm trying to do. Maybe it would make sense to
make the dsize there a little larger. It would be great to have a rule
that says over 768 bytes that is not DNSSEC or EDNS ultimately.


On Sun, Feb 19, 2012 at 4:02 PM, Mark Andrews <marka at ...3631...> wrote:
>
> In message <CAKEvj1BZ8YE7cE4OLwsCgTBF83YC1j8YvN-u=9ZPSSnhvcpcCg at ...3409......>
> , Curt Shaffer writes:
>> I'm looking for some information on a way to look for malformed DNS
>> packets. Mainly looking for large UDP requests (dsize:>512) that are
>> NOT DNSSEC related, and a rule looking for the reserved flag (Z),
>> reference here: http://www.networksorcery.com/enp/protocol/dns.htm#Z,
>> in the DNS Flags field. I'm having trouble finding decent
>> documentation. I have the following:
>>
>> Detects large packets, but want this to alert only if we are not using DNSSEC
>> :
>
> Why are you wanting to reject legitimate DNS traffic?  DNSSEC depends
> on EDNS but EDNS exists independently of DNSSEC.  There are lots
> of reasons why an EDNS UDP response would be bigger than 512 bytes
> and not be DNSSEC related.
>
> Below is an example of a perfectly legitimate EDNS response > 512 bytes
> that does not involve DNSSEC.
>
> ; <<>> DiG 9.7.3-P3 <<>> foo.com @a.root-servers.net +edns=0
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45266
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 16
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;foo.com.                       IN      A
>
> ;; AUTHORITY SECTION:
> com.                    172800  IN      NS      c.gtld-servers.net.
> com.                    172800  IN      NS      f.gtld-servers.net.
> com.                    172800  IN      NS      d.gtld-servers.net.
> com.                    172800  IN      NS      j.gtld-servers.net.
> com.                    172800  IN      NS      h.gtld-servers.net.
> com.                    172800  IN      NS      g.gtld-servers.net.
> com.                    172800  IN      NS      b.gtld-servers.net.
> com.                    172800  IN      NS      e.gtld-servers.net.
> com.                    172800  IN      NS      k.gtld-servers.net.
> com.                    172800  IN      NS      m.gtld-servers.net.
> com.                    172800  IN      NS      i.gtld-servers.net.
> com.                    172800  IN      NS      a.gtld-servers.net.
> com.                    172800  IN      NS      l.gtld-servers.net.
>
> ;; ADDITIONAL SECTION:
> a.gtld-servers.net.     172800  IN      A       192.5.6.30
> a.gtld-servers.net.     172800  IN      AAAA    2001:503:a83e::2:30
> b.gtld-servers.net.     172800  IN      A       192.33.14.30
> b.gtld-servers.net.     172800  IN      AAAA    2001:503:231d::2:30
> c.gtld-servers.net.     172800  IN      A       192.26.92.30
> d.gtld-servers.net.     172800  IN      A       192.31.80.30
> e.gtld-servers.net.     172800  IN      A       192.12.94.30
> f.gtld-servers.net.     172800  IN      A       192.35.51.30
> g.gtld-servers.net.     172800  IN      A       192.42.93.30
> h.gtld-servers.net.     172800  IN      A       192.54.112.30
> i.gtld-servers.net.     172800  IN      A       192.43.172.30
> j.gtld-servers.net.     172800  IN      A       192.48.79.30
> k.gtld-servers.net.     172800  IN      A       192.52.178.30
> l.gtld-servers.net.     172800  IN      A       192.41.162.30
> m.gtld-servers.net.     172800  IN      A       192.55.83.30
>
> ;; Query time: 200 msec
> ;; SERVER: 2001:503:ba3e::2:30#53(2001:503:ba3e::2:30)
> ;; WHEN: Mon Feb 20 07:59:19 2012
> ;; MSG SIZE  rcvd: 524
>
>> alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:" Inbound Large DNS
>> Packet Detected NOT DNSSEC";  dsize:> 512; classtype:dns;  sid:xxxxx;
>> rev:1; )
>>
>> The following I thought would work for the reserved bit (Z), but I am
>> getting alerts even when the bit is not set:
>>
>> alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS Reserved Bit
>> Set"; content:!"|00|"; offset:25; classtype:dns; sid:9000246; rev:1;)
>>
>> Can anyone point me at some documentation for Snort on these topics or
>> lend a hand to help see what I'm missing?
>>
>> Thanks
>>
>> Curt
>>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at ...202....3631...
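The two checks discussed in this thread, as an added example that is not part of either poster's message: a small DNS parser that reports whether the reserved Z bit is set and whether a payload over the 512-byte threshold carries an EDNS OPT record, plus a model of why the posted `content:!"|00|"; offset:25;` rule alerts on packets that do not have the bit set. The function names, the sample queries and the padding sizes are my own constructions; the RR type 41 for OPT, option code 12 for EDNS padding and the flag-byte layout are from the DNS RFCs.

```python
"""Worked example added here (not from the thread): parse a DNS payload far
enough to answer the original poster's two questions, and model why the
posted `content:!"|00|"; offset:25;` rule misfires. Sample packets below
are constructed inline; nothing is captured traffic."""
import struct

OPT_TYPE = 41           # EDNS(0) OPT pseudo-RR type (RFC 6891)
LARGE_THRESHOLD = 512   # the dsize threshold used in the thread
Z_MASK = 0x40           # reserved bit: bit 6 of the second flags byte


def parse_header(msg):
    if len(msg) < 12:
        raise ValueError("short DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": ident, "flags": flags, "qdcount": qd,
            "ancount": an, "nscount": ns, "arcount": ar}


def skip_name(msg, off):
    """Return the offset just past the name at `off` (labels or a 0xC0xx pointer)."""
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:
            return off + 2
        off += 1 + length


def z_bit_set(msg):
    """Payload byte 2 holds QR/opcode/AA/TC/RD; byte 3 holds RA, Z, AD, CD, RCODE.
    Bits 5 and 4 of byte 3 were part of RFC 1035's Z field but are now AD and CD,
    so only 0x40 is still reserved; masking 0x70 would flag DNSSEC-aware traffic."""
    parse_header(msg)
    return bool(msg[3] & Z_MASK)


def has_edns_opt(msg):
    """Walk every section and report whether an OPT pseudo-RR is present."""
    h = parse_header(msg)
    off = 12
    for _ in range(h["qdcount"]):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    for _ in range(h["ancount"] + h["nscount"] + h["arcount"]):
        off = skip_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated RR")
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            return True
        off += 10 + rdlen
    return False


def large_non_edns(msg, threshold=LARGE_THRESHOLD):
    """The classifier the poster wants: over the threshold and not EDNS.
    A payload that does not even parse is treated as suspicious."""
    if len(msg) <= threshold:
        return False
    try:
        return not has_edns_opt(msg)
    except ValueError:
        return True


def negated_null_rule_fires(msg, offset=25):
    """Model of the posted `content:!"|00|"; offset:25;` (no depth): alert when
    no 0x00 byte occurs at or after payload offset 25. A search that starts past
    the end of the payload counts as 'not found', so the negation matches."""
    return b"\x00" not in msg[offset:]


def build_query(qname, z=False, edns=False, edns_pad=0, junk=0):
    """Constructed A query for `qname`; optional Z bit, OPT RR (carrying an
    RFC 7830 padding option) and trailing filler bytes after the last record."""
    flags = 0x0100 | (Z_MASK if z else 0)                   # RD, optionally Z
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 1 if edns else 0) + question
    if edns:
        rdata = b""
        if edns_pad:
            rdata = struct.pack("!HH", 12, edns_pad) + b"\x00" * edns_pad
        # OPT: root name, type 41, class = UDP payload size, TTL = ext. RCODE/flags
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, len(rdata)) + rdata
    return msg + b"A" * junk


if __name__ == "__main__":
    samples = [("plain", build_query("foo.com")),                       # 25 bytes
               ("junk", build_query("foo.com", junk=975)),               # 1000 bytes of 0x41
               ("edns-padded", build_query("foo.com", edns=True, edns_pad=960))]  # 1000, legit
    for name, m in samples:
        print(name, len(m), "Z:", z_bit_set(m), "large-non-EDNS:", large_non_edns(m),
              "offset-25 rule fires:", negated_null_rule_fires(m))
```

The plain 25-byte `foo.com` query ends exactly at offset 25, so the negated content search finds no 0x00 and the posted rule alerts with Z clear; a query that does set Z but carries an OPT record has the OPT's root-name 0x00 at offset 25 and is missed. For the Z bit itself, a bitmask test on payload byte 3 (`byte_test:1,&,0x40,3;` in Snort 2 syntax, my suggestion rather than anything from the thread) expresses what `z_bit_set` checks. The large-but-not-EDNS distinction needs the record walk in `has_edns_opt`, which is easier to do in a preprocessor or an offline script over captured payloads than in a plain content rule.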