[Snort-users] Identifying dnsspoof

Brent Erickson erickson at ...239...
Thu Jan 4 09:27:34 EST 2001


Hello fellow Snorters,

I really do appreciate the DNSSPOOF signature. I tried it but received a
carload of false positives so I had to disable it. Many DNS servers set the
ttl to a very low value. So the sig needs more refining.

Brent Erickson

----- Original Message -----
From: "Brian Kifiak" <bk at ...1044...>
To: <snort-users at lists.sourceforge.net>
Sent: Thursday, January 04, 2001 5:10 PM
Subject: Re: [Snort-users] Identifying dnsspoof


> > I've never seen a legitimate standard query response with such a
> > short Time to live value.
>
> i've seen dynamic dns providers set their ttl as low as 5 seconds.
>
> others use different values, still under a minute.  here's a random
> example (the ttl is 20 s).
>
> ; dnsq a quake.dyndns.com ns.dyndns.com
> 1 quake.dyndns.com:
> 143 bytes, 1+2+2+2 records, response, authoritative, weird ra, noerror
> query: 1 quake.dyndns.com
> answer: quake.dyndns.com 20 CNAME telia.suger.dyndns.com
> answer: telia.suger.dyndns.com 20 A 193.12.69.120
> authority: dyndns.com 20 NS ns.dyndns.com
> authority: dyndns.com 20 NS ns2.dyndns.com
> additional: ns.dyndns.com 20 A 205.197.182.156
> additional: ns2.dyndns.com 20 A 205.197.182.157
> ;
>

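Brian's dyndns reply shows why a plain "short TTL" test fires on legitimate traffic. As an added example (not from this thread and not Snort's own code), the Python below parses the answer section of a DNS response, including compression pointers, and applies that naive TTL test to a constructed reply modelled on the quoted one; the query ID, the packet bytes and the helper names are constructed for illustration, not captured from the wire.

```python
import struct

def encode_name(name):
    # Wire-encode a domain name as length-prefixed labels, terminated by a zero byte
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_response(qname, answers):
    # Constructed sample helper: minimal DNS response with one question and the given answer RRs
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, 0)
    body = encode_name(qname) + struct.pack("!HH", 1, 1)           # QTYPE A, QCLASS IN
    for name, rtype, ttl, rdata in answers:
        body += encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return hdr + body

def read_name(msg, off):
    # Decode a (possibly compressed) name; return (name, offset just after it)
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                                     # compression pointer
            end = off + 2 if end is None else end
            off = ((ln & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode())
        off += ln
    return ".".join(labels), (off if end is None else end)

def answer_ttls(msg):
    # Return [(name, rtype, ttl)] for every RR in the answer section
    _, _, qd, an, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    off, rrs = 12, []
    for _ in range(qd):                                           # skip the question section
        _, off = read_name(msg, off)
        off += 4                                                  # QTYPE + QCLASS
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        rrs.append((name, rtype, ttl))
        off += 10 + rdlen
    return rrs

def low_ttl_alert(msg, threshold=60):
    # The naive 'suspiciously short TTL' test: answer RRs with TTL below threshold seconds
    return [rr for rr in answer_ttls(msg) if rr[2] < threshold]

# Constructed sample modelled on the legitimate dyndns reply quoted in the thread (TTL 20 s)
DYNDNS_REPLY = build_response("quake.dyndns.com", [
    ("quake.dyndns.com", 5, 20, encode_name("telia.suger.dyndns.com")),   # CNAME
    ("telia.suger.dyndns.com", 1, 20, bytes([193, 12, 69, 120]))])        # A
```

Running `low_ttl_alert(DYNDNS_REPLY)` flags both answer records even though the reply is genuine, which is the false positive Brent describes; the threshold alone cannot separate spoofed answers from dynamic DNS zones.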