[Snort-sigs] PROTOCOL-DNS DNS query amplification attempt (1:28556)

Geoffrey Serrao gserrao at ...435...
Mon May 4 10:51:25 EDT 2015


He may want to check the destination address' DNS conf to make sure that
it's properly configured and not responding to requests from 0.0.0.0/0.

More information about open DNS resolvers can be found here:
http://www.openresolverproject.org/

On Mon, May 4, 2015 at 10:35 AM, Al Lewis (allewi) <allewi at ...3865...> wrote:

>
> alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS DNS query
> amplification attempt"; flow:to_server; content:"|00 01|"; depth:2;
> offset:4; content:"|00 01|"; within:2; distance:4; byte_test:1,!&,0xF8,2;
> content:"|00 00 FF 00 01 00 00 29|"; byte_test:2,>,0x7FFF,0,relative;
> metadata:policy security-ips drop, ruleset community, service dns;
> reference:url,www.us-cert.gov/ncas/alerts/TA13-088A;
> classtype:attempted-dos; sid:28556; rev:2; )
>
> Albert Lewis
>
> QA Software Engineer
>
> SOURCE*fire*, Inc. now part of *Cisco*
>
> 9780 Patuxent Woods Drive
> Columbia, MD 21046
>
> Phone: (office) 443.430.7112
>
> Email: allewi at ...3865...
>
> *From:* Mustaque [mailto:mustaque.ahmad at ...4030...]
> *Sent:* Monday, May 04, 2015 1:58 AM
> *To:* snort-sigs at lists.sourceforge.net
> *Subject:* [Snort-sigs] PROTOCOL-DNS DNS query amplification attempt
> (1:28556)
>
> Hi,
>
> I can't see the packet information to investigate the integrity of this
> rule. And what does this rule do? Need more info.
>
> Thanks and Regards
>
> Mustaque
>
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
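To make the rule's byte-level logic visible without a capture, here is an added example (not part of this thread, and not Sourcefire's or Snort's code) that re-implements each option of sid 28556 in order over a raw UDP/53 payload: QDCOUNT == 1 at offset 4, ARCOUNT == 1 at offset 10, QR and OPCODE clear in the flags byte at offset 2, the byte string marking a QTYPE ANY / QCLASS IN question followed by an EDNS0 OPT record (TYPE 41), and finally the OPT CLASS field, which per RFC 6891 carries the requestor's advertised UDP payload size, being greater than 0x7FFF. The DNS queries it tests against are constructed in the script; the function and constant names are mine.

```python
import struct
from typing import Optional

QTYPE_ANY = 255  # RFC 1035 QTYPE "*" (ANY)
TYPE_OPT = 41    # RFC 6891 EDNS0 OPT pseudo-RR
# Rule's third content match: end of QNAME, QTYPE=ANY, QCLASS=IN,
# OPT root name, OPT TYPE=41
OPT_MARKER = b"\x00\x00\xff\x00\x01\x00\x00\x29"


def encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels ending in the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int, udp_payload_size: Optional[int],
                flags: int = 0x0100, txid: int = 0x1234) -> bytes:
    """Constructed DNS message: one question plus, optionally, one EDNS0 OPT record.
    flags defaults to a standard recursive query (QR=0, OPCODE=0, RD=1)."""
    arcount = 1 if udp_payload_size is not None else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # QCLASS IN
    additional = b""
    if udp_payload_size is not None:
        # OPT RR: root name, TYPE=41, CLASS = requestor's UDP payload size,
        # TTL = extended RCODE/version/flags (all zero here), RDLENGTH=0
        additional = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload_size, 0, 0)
    return header + question + additional


def matches_sid_28556(pkt: bytes) -> bool:
    """Apply the rule options of sid 28556, in order, to a UDP/53 payload."""
    if len(pkt) < 12:
        return False
    # content:"|00 01|"; depth:2; offset:4  -> QDCOUNT == 1
    if pkt[4:6] != b"\x00\x01":
        return False
    # content:"|00 01|"; within:2; distance:4 -> 4 bytes past the previous
    # match, i.e. bytes 10-11: ARCOUNT == 1 (exactly one additional record)
    if pkt[10:12] != b"\x00\x01":
        return False
    # byte_test:1,!&,0xF8,2 -> high flags byte has QR and OPCODE clear:
    # a standard query, not a response
    if pkt[2] & 0xF8:
        return False
    # content:"|00 00 FF 00 01 00 00 29|" -> ANY/IN question followed by OPT
    idx = pkt.find(OPT_MARKER)
    if idx < 0:
        return False
    # byte_test:2,>,0x7FFF,0,relative -> the OPT CLASS field (advertised UDP
    # payload size) exceeds 32767 bytes
    pos = idx + len(OPT_MARKER)
    if len(pkt) < pos + 2:
        return False
    (udp_size,) = struct.unpack("!H", pkt[pos:pos + 2])
    return udp_size > 0x7FFF


if __name__ == "__main__":
    samples = {
        "ANY query, EDNS0 65535": build_query("example.com", QTYPE_ANY, 65535),
        "ANY query, EDNS0 4096": build_query("example.com", QTYPE_ANY, 4096),
        "A query, EDNS0 65535": build_query("example.com", 1, 65535),
        "ANY query, no EDNS0": build_query("example.com", QTYPE_ANY, None),
        "response, ANY, EDNS0 65535": build_query("example.com", QTYPE_ANY, 65535, flags=0x8180),
    }
    for label, pkt in samples.items():
        verdict = "ALERT" if matches_sid_28556(pkt) else "no match"
        print(f"{label:28s} -> {verdict}")
```

Only the first constructed query trips the check; lowering the advertised payload size, asking for a single record type, dropping EDNS0, or setting the QR bit each defeats one option of the rule. The script mirrors the payload options only; in Snort the `flow:to_server` and `$EXTERNAL_NET -> $HOME_NET 53` conditions also have to hold, so an alert means an outside host sent such a query toward an internal name server, which is the situation Geoffrey's reply addresses (a resolver that answers recursive queries from 0.0.0.0/0).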