[Snort-sigs] BAD-TRAFFIC dns cache poisoning attempt sid:13667

yew chuan Ong yewchuan_23 at ...144...
Sat Nov 10 06:44:15 EST 2012


Thanks Waldo Kitty!

So what do you guys usually do when this sig gets triggered? 


________________________________
 From: waldo kitty <wkitty42 at ...3507...>
To: snort-sigs at lists.sourceforge.net 
Sent: Friday, November 9, 2012 10:31 PM
Subject: Re: [Snort-sigs] BAD-TRAFFIC dns cache poisoning attempt sid:13667
 
On 11/8/2012 23:31, yew chuan Ong wrote:
> Hi All,
>
> I found this rule under so_rules.

yeah, i wish they'd use other category filenames for GID 3 rules instead of 
using the same ones GID 1 uses... perhaps they should prefix those category 
filenames and MSG texts with SO_ to make it more obvious? there are times that 
GID:3 just gets lost in sight...

> I also found a thread discussing GID:3... http://seclists.org/snort/2010/q1/190
> Since we have no idea how the sig works (in term of detection method), how can
> we analyze it?

simply put, you cannot... you need the source code and that is not available to 
the general public, AFAIK...

> Appreciate if anyone can response. Thanks!
>
>
> Regards
> Yew Chuan
> --------------------------------------------------------------------------------
> *From:* yew chuan Ong
> *To:* "snort-sigs at lists.sourceforge.net"
> *Sent:* Thursday, November 8, 2012 3:33 PM
> *Subject:* [Snort-sigs] BAD-TRAFFIC dns cache poisoning attempt sid:13667
>
> Hi,
>
> I found the description of this sig here -
> http://cs.uccs.edu/~cs591/ids/snort/snort2_9_0/so_rules/bad-traffic.rules.
>
> But, when I downloaded the rules from Snort, I found nothing related inside
> bad-traffic.rules. Any ideas?
>
> This sig is still enabled by default right?
>
> Thanks!

