[Snort-sigs] Advanced DNS rules

Mark Andrews marka at ...3631...
Sun Feb 19 19:13:18 EST 2012


In message <CAKEvj1DYZiCJEg4EHMHO2qyGpZO1hmh47gK4PSeX5+Ef+s1jiw at ...2421...>
, Curt Shaffer writes:
> It is more about just looking for large malformed DNS requests. I
> don't want to catch legitimate DNS requests that would be large such
> as DNSSEC or valid EDNS. Think of a DNS packet filled with 0x41's at
> 1000 bytes. Certainly not something I want. That is just an example
> more than exactly what I'm trying to do. Maybe it would make sense to
> make the dsize there a little larger. It would be great to have a rule
> that says over 768 bytes that is not DNSSEC or EDNS ultimately.

Then you need to properly parse the entire DNS response and make
sure it is internally consistent.  There is no magic size.  There
are 4096 byte EDNS UDP responses that don't involve DNSSEC.  There
could be 8K EDNS UDP responses in the future.  As far as I am aware
no one currently advertises an 8K buffer but it is permitted by the
protocol.

Even if the response is internally consistent it may not be to a
question that is asked.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at ...3631...
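The check Mark describes, parsing the whole message and verifying it is internally consistent rather than trusting any size threshold, as an added example that is not part of the original thread and is not ISC or Snort code. It is a minimal DNS wire-format parser (RFC 1035 header, questions, resource records, name compression) that also pulls the EDNS(0) OPT pseudo-record's advertised UDP payload size and DO bit, plus a second check for Mark's last point: that a well-formed response may still not match the question that was asked. The sample query, EDNS response, large non-EDNS response and 0x41 garbage are constructed here for illustration; the 512-byte figure in `classify` is the plain (non-EDNS) DNS-over-UDP limit from RFC 1035, not a recommended Snort threshold.

```python
# Added example: a DNS message parser that checks internal consistency and
# extracts EDNS(0) details, applied to constructed sample packets.
import struct

class DNSParseError(ValueError):
    pass

def _read_name(msg, off):
    """Return (name, next_offset), enforcing RFC 1035 label and pointer rules."""
    labels, seen, resume = [], set(), None
    while True:
        if off >= len(msg):
            raise DNSParseError("name runs past end of message")
        ln = msg[off]
        if ln == 0:
            off += 1
            break
        if ln & 0xC0 == 0xC0:                      # compression pointer
            if off + 1 >= len(msg):
                raise DNSParseError("truncated compression pointer")
            ptr = ((ln & 0x3F) << 8) | msg[off + 1]
            if ptr >= off or ptr in seen:          # must point backwards, never loop
                raise DNSParseError("bad compression pointer")
            seen.add(ptr)
            if resume is None:
                resume = off + 2                   # where parsing continues after the name
            off = ptr
            continue
        if ln & 0xC0:                              # 0x40 / 0x80 label types are reserved
            raise DNSParseError("reserved label type")
        off += 1
        if off + ln > len(msg):
            raise DNSParseError("label runs past end of message")
        labels.append(msg[off:off + ln].decode("ascii", "replace"))
        off += ln
        if sum(len(l) + 1 for l in labels) > 254:  # 255-octet wire limit incl. terminator
            raise DNSParseError("name too long")
    return ".".join(labels) or ".", (resume if resume is not None else off)

def parse_message(msg):
    """Parse a DNS message; raise DNSParseError if it is not internally consistent."""
    if len(msg) < 12:
        raise DNSParseError("shorter than a DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = _read_name(msg, off)
        if off + 4 > len(msg):
            raise DNSParseError("truncated question")
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = _read_name(msg, off)
            if off + 10 > len(msg):
                raise DNSParseError("truncated resource record")
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if off + rdlen > len(msg):
                raise DNSParseError("RDATA runs past end of message")
            records.append((section, name, rtype, rclass, ttl, msg[off:off + rdlen]))
            off += rdlen
    if off != len(msg):                            # counts must account for every byte
        raise DNSParseError("%d trailing bytes after last record" % (len(msg) - off))
    opts = [r for r in records if r[2] == 41]      # OPT: at most one, root name, additional
    if len(opts) > 1 or any(r[0] != "additional" or r[1] != "." for r in opts):
        raise DNSParseError("malformed OPT pseudo-record")
    info = {"id": ident, "is_response": bool(flags & 0x8000), "questions": questions,
            "records": records, "edns": False, "udp_payload": 512, "do": False}
    if opts:
        rclass, ttl = opts[0][3], opts[0][4]       # OPT reuses CLASS as UDP size, TTL as flags
        info.update(edns=True, udp_payload=rclass, do=bool(ttl & 0x8000))
    return info

def answers_query(query, response):
    """A consistent response may still not be to the question asked: compare ID and question."""
    q, r = parse_message(query), parse_message(response)
    return r["is_response"] and q["id"] == r["id"] and q["questions"] == r["questions"]

def classify(msg, plain_limit=512):
    """Return None for an acceptable UDP message, otherwise a short reason string."""
    try:
        info = parse_message(msg)
    except DNSParseError as e:
        return "malformed: %s" % e
    if not info["edns"] and len(msg) > plain_limit:  # over the RFC 1035 UDP limit with no OPT
        return "%d bytes without EDNS OPT" % len(msg)
    return None

def _name(s):
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\x00"

# Constructed samples (not captured traffic). The response compresses the owner
# name with a pointer to offset 12 and carries an OPT advertising 4096 bytes, DO set.
_OPT = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x8000, 0)
QUERY = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1) + _name("example.com") + struct.pack("!HH", 1, 1) + _OPT
RESPONSE = (struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 1) + _name("example.com") + struct.pack("!HH", 1, 1)
            + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34]) + _OPT)
_TXT = (b"\x64" + b"x" * 100) * 7                  # seven 100-byte character-strings, 707 bytes
BIG_PLAIN = (struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0) + _name("example.org") + struct.pack("!HH", 16, 1)
             + b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 300, len(_TXT)) + _TXT)
GARBAGE = b"\x41" * 1000                           # the 0x41-filled packet from the thread

if __name__ == "__main__":
    for label, m in (("edns response", RESPONSE), ("plain 748-byte", BIG_PLAIN), ("0x41 garbage", GARBAGE)):
        print("%-15s %4d bytes -> %s" % (label, len(m), classify(m) or "ok"))
    print("response answers query:", answers_query(QUERY, RESPONSE))
```

The parser rejects the 0x41 packet at the first label (0x41 has the reserved 0x40 label-type bits set), accepts the 4096-byte-capable EDNS response regardless of whether DNSSEC is involved, and flags the 748-byte response only because it carries no OPT record, which is the distinction the original question was after. A real detector would additionally need to track state across the query/response pair, which `answers_query` sketches.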
