[Snort-sigs] Crashlytics via Umbrella FP

James Lay jlay at ...3266...
Sat Feb 18 10:45:43 EST 2017


Appears to fire off:

Feb 18 08:28:28 snort[10548]: [3:13667:18] PROTOCOL-DNS dns cache poisoning attempt [Classification: Misc Attack] [Priority: 2] {UDP} 208.67.220.220:53 -> 192.168.1.100:56800

Started on the third of this month...figured it was high time I
reported it.  From the unified file:

(Event)
	sensor id: 0	event id: 140	event second: 1487430548	event microsecond: 97921
	sig id: 13667	gen id: 3	revision: 18	classification: 30
	priority: 2	ip source: 208.67.222.222	ip destination: 192.168.1.100
	src port: 53	dest port: 52581	protocol: 17	impact_flag: 0	blocked: 0

Packet
	sensor id: 0	event id: 140	event second: 1487430548
	packet second: 1487430548	packet microsecond: 97921
	linktype: 1	packet_length: 99
[    0] F0 DC E2 CD 5E 5E 00 22 41 33 12 B2 08 00 45 00  ....^^."A3....E.
[   16] 00 55 B0 FB 40 00 40 11 18 6E D0 43 DE DE C0 A8  .U..@.@..n.C....
[   32] 01 64 00 35 CD 65 00 41 71 81 10 B0 85 80 00 01  .d.5.e.Aq.......
[   48] 00 01 00 00 00 00 07 72 65 70 6F 72 74 73 0B 63  .......reports.c
[   64] 72 61 73 68 6C 79 74 69 63 73 03 63 6F 6D 00 00  rashlytics.com..
[   80] 01 00 01 C0 0C 00 01 00 01 00 00 00 00 00 04 00  ................
[   96] 00 00 00                                         ...

And the rule:

alert udp any 53 -> any any (msg:"PROTOCOL-DNS dns cache poisoning attempt"; sid:13667; gid:3; rev:18; classtype:misc-attack; reference:cve,2008-0087; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-020; reference:cve,2008-1447; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-037; reference:cve,1999-0024; reference:url,www.kb.cert.org/vuls/id/800113; reference:cve,2009-0233; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-008; reference:cve,2007-3898; reference:cve,2009-0234; metadata: engine shared, soid 3|13667, service dns, policy max-detect-ips drop;)

James