[Snort-sigs] BAD-TRAFFIC dns cache poisoning attempt sid:13667

yew chuan Ong yewchuan_23 at ...144...
Thu Nov 8 23:31:59 EST 2012

Hi All,

I found this rule under so_rules.

I also found a thread discussing GID:3... http://seclists.org/snort/2010/q1/190
Since we have no idea how the sig works (in terms of detection method), how can we analyze it?

Appreciate it if anyone can respond. Thanks!

Yew Chuan

From: yew chuan Ong <yewchuan_23 at ...144...>
To: "snort-sigs at lists.sourceforge.net" <snort-sigs at lists.sourceforge.net> 
Sent: Thursday, November 8, 2012 3:33 PM
Subject: [Snort-sigs] BAD-TRAFFIC dns cache poisoning attempt sid:13667


I found the description of this sig here - http://cs.uccs.edu/~cs591/ids/snort/snort2_9_0/so_rules/bad-traffic.rules.

But, when I downloaded the rules from Snort, I found nothing related inside bad-traffic.rules. Any ideas? 

This sig is still enabled by default, right?


Yew Chuan