[Snort-sigs] BAD-TRAFFIC dns cache poisoning attempt sid:13667

waldo kitty wkitty42 at ...3507...
Sat Nov 10 09:35:17 EST 2012


On 11/10/2012 06:44, yew chuan Ong wrote:
> Thanks Waldo Kitty!
>
> So usually what you guys do when you get this sig triggered?

in our case, we accept DNS updates only from specific systems... any others 
attempting to feed DNS data to us are blocked...

this is something you need to take a close look at and fully understand, 
though... the DNS system is required for proper operation on most networks... 
one can all too easily "knock everyone off" by blocking the wrong system(s)... 
one can also cause problems with performing whois, ipblock and nslookup 
functions if they block the wrong IPs... this is a delicate area, for sure...

>
> --------------------------------------------------------------------------------
> *From:* waldo kitty <wkitty42 at ...3507...>
> *To:* snort-sigs at lists.sourceforge.net
> *Sent:* Friday, November 9, 2012 10:31 PM
> *Subject:* Re: [Snort-sigs] BAD-TRAFFIC dns cache poisoning attempt sid:13667
>
> On 11/8/2012 23:31, yew chuan Ong wrote:
>  > Hi All,
>  >
>  > I found this rule under so_rules.
>
> yeah, i wish they'd use other category filenames for GID 3 rules instead of
> using the same ones GID 1 uses... perhaps they should prefix those category
> filenames and MSG texts with SO_ to make it more obvious? there are times that
> GID:3 just gets lost in sight...
>
>  > I also found a thread discussing GID:3... http://seclists.org/snort/2010/q1/190
>  > Since we have no idea how the sig works (in term of detection method), how can
>  > we analyze it?
>
> simply put, you cannot... you need the source code and that is not available to
> the general public, AFAIK...
>
>  > Appreciate if anyone can response. Thanks!
>  >
>  >
>  > Regards
>  > Yew Chuan
>  > --------------------------------------------------------------------------------
>  > *From:* yew chuan Ong
>  > *To:* "snort-sigs at lists.sourceforge.net
> <mailto:snort-sigs at lists.sourceforge.net>"
>  > *Sent:* Thursday, November 8, 2012 3:33 PM
>  > *Subject:* [Snort-sigs] BAD-TRAFFIC dns cache poisoning attempt sid:13667
>  >
>  > Hi,
>  >
>  > I found the description of this sig here -
>  > http://cs.uccs.edu/~cs591/ids/snort/snort2_9_0/so_rules/bad-traffic.rules.
>  >
>  > But, when I downloaded the rules from Snort, I found nothing related inside
>  > bad-traffic.rules. Any ideas?
>  >
>  > This sig is still enabled by default right?
>  >
>  > Thanks!
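The triage step Waldo describes (treat sid 13667 hits from the resolvers you allow to feed you DNS data differently from everyone else, without reflexively blocking) can be scripted against Snort's fast-alert output. The following is an added example, not code from the thread or from the Snort project; the alert lines and the trusted-resolver list are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample alerts in Snort "alert_fast" layout (not taken from the thread).
SAMPLE_ALERTS = """\
11/10-09:31:02.118833  [**] [3:13667:9] BAD-TRAFFIC dns cache poisoning attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.0.2.53:53 -> 10.1.1.5:41234
11/10-09:31:05.201114  [**] [3:13667:9] BAD-TRAFFIC dns cache poisoning attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 198.51.100.77:53 -> 10.1.1.5:41235
11/10-09:31:09.004271  [**] [1:2000001:1] SOME OTHER RULE [**] [Classification: Misc activity] [Priority: 3] {UDP} 198.51.100.77:53 -> 10.1.1.5:41236
"""

# Matches "[gid:sid:rev] msg [**] ... {PROTO} src:sport -> dst:dport".
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_alerts(text):
    """Yield one dict per line that matches the fast-alert layout; skip anything else."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            yield m.groupdict()


def triage(text, trusted_resolvers, gid="3", sid="13667"):
    """Split GID:SID hits by whether the answering server is one we allow to feed us DNS data.

    trusted_resolvers is a hypothetical allowlist of CIDR strings.  Returns two Counters
    keyed by source IP: (hits from trusted resolvers, hits from everything else).  Nothing
    is blocked here; a hit from a trusted resolver deserves a look before any block is
    considered, since blocking the wrong resolver takes DNS away from everyone.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_resolvers]
    trusted, untrusted = Counter(), Counter()
    for a in parse_alerts(text):
        if a["gid"] != gid or a["sid"] != sid:
            continue
        src = ipaddress.ip_address(a["src"])
        bucket = trusted if any(src in n for n in nets) else untrusted
        bucket[a["src"]] += 1
    return trusted, untrusted


if __name__ == "__main__":
    ok, suspect = triage(SAMPLE_ALERTS, ["192.0.2.53/32"])
    print("from trusted resolvers:", dict(ok))
    print("from other sources   :", dict(suspect))
```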
