[Snort-users] Identifying dnsspoof
erickson at ...239...
Thu Jan 4 09:27:34 EST 2001
Hello fellow Snorters,
I really do appreciate the DNSSPOOF signature. I tried it but received a
carload of false positives, so I had to disable it. Many DNS servers set the
TTL to a very low value, so the sig needs more refining.
----- Original Message -----
From: "Brian Kifiak" <bk at ...1044...>
To: <snort-users at lists.sourceforge.net>
Sent: Thursday, January 04, 2001 5:10 PM
Subject: Re: [Snort-users] Identifying dnsspoof
> > I've never seen a legitimate standard query response with such a
> > short Time to live value.
> I've seen dynamic DNS providers set their TTL as low as 5 seconds.
> Others use different values, still under a minute. Here's a random
> example (the TTL is 20 s).
> ; dnsq a quake.dyndns.com ns.dyndns.com
> 1 quake.dyndns.com:
> 143 bytes, 1+2+2+2 records, response, authoritative, weird ra, noerror
> query: 1 quake.dyndns.com
> answer: quake.dyndns.com 20 CNAME telia.suger.dyndns.com
> answer: telia.suger.dyndns.com 20 A 22.214.171.124
> authority: dyndns.com 20 NS ns.dyndns.com
> authority: dyndns.com 20 NS ns2.dyndns.com
> additional: ns.dyndns.com 20 A 126.96.36.199
> additional: ns2.dyndns.com 20 A 188.8.131.52
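The point of the exchange above is that a signature keyed on a short TTL alone fires on legitimate dynamic-DNS answers. The following is an added example, not code from the thread or from Snort: a minimal DNS wire-format parser with two heuristics side by side. The naive one alerts on any answer TTL of a minute or less; the refined one also requires the overall shape of a forged reply. That shape (a single authoritative A answer with TTL 60 and empty authority and additional sections, flags 0x8580) is an assumption made for the example, as are both sample packets, which are constructed here. The first packet mirrors the quoted dyndns answer (TTL 20, CNAME plus A, two NS records, glue); TEST-NET addresses stand in for the real ones.

```python
"""Added example: TTL-only vs. shape-based detection of a forged DNS reply.

Assumption (not from the thread): a forged reply is modelled as one
authoritative A answer, TTL 60, no authority/additional records.
"""
import struct

SHORT_TTL = 60          # seconds; the threshold the thread's signature keys on
PTR_TO_QNAME = b"\xc0\x0c"  # compression pointer to the question name at offset 12


def _name(dotted):
    """Encode a dotted name as wire-format labels."""
    return b"".join(bytes([len(x)]) + x.encode() for x in dotted.split(".")) + b"\x00"


def _rr(name, rtype, ttl, rdata):
    """Encode one IN-class resource record; name may already be bytes (a pointer)."""
    if isinstance(name, str):
        name = _name(name)
    return name + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_response(flags, qname, answers, authority=(), additional=()):
    """Assemble a response with one A/IN question and the given RR sections."""
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), len(authority), len(additional))
    return hdr + _name(qname) + struct.pack("!HH", 1, 1) + b"".join(answers) + b"".join(authority) + b"".join(additional)


def _read_name(pkt, off):
    """Decode a possibly compressed name; return (name, offset past it in the stream)."""
    labels, end = [], None
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(pkt[off:off + ln].decode())
        off += ln
    return ".".join(labels), end if end is not None else off


def parse_response(pkt):
    """Parse header, skip the question(s), and decode all RR sections."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(pkt, off)
        off += 4                                    # QTYPE + QCLASS
    out = {"flags": flags, "counts": (qd, an, ns, ar)}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            name, off = _read_name(pkt, off)
            rtype, _, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
            off += 10
            rrs.append({"name": name, "type": rtype, "ttl": ttl, "rdata": pkt[off:off + rdlen]})
            off += rdlen
        out[key] = rrs
    return out


def naive_alert(pkt):
    """TTL-only heuristic: any answer with TTL <= one minute. Fires on dynamic DNS."""
    return any(rr["ttl"] <= SHORT_TTL for rr in parse_response(pkt)["answer"])


def refined_alert(pkt):
    """Shape heuristic: QR+AA set, exactly one A answer with TTL 60, no NS/AR records."""
    r = parse_response(pkt)
    qd, an, ns, ar = r["counts"]
    if not (r["flags"] & 0x8400 == 0x8400 and qd == 1 and an == 1 and ns == 0 and ar == 0):
        return False
    rr = r["answer"][0]
    return rr["type"] == 1 and rr["ttl"] == SHORT_TTL


# Constructed to mirror the quoted dyndns answer: legitimate, TTL 20 everywhere.
DYNDNS_REPLY = build_response(
    0x8580, "quake.dyndns.com",
    answers=[_rr(PTR_TO_QNAME, 5, 20, _name("telia.suger.dyndns.com")),
             _rr("telia.suger.dyndns.com", 1, 20, bytes([192, 0, 2, 10]))],
    authority=[_rr("dyndns.com", 2, 20, _name("ns.dyndns.com")),
               _rr("dyndns.com", 2, 20, _name("ns2.dyndns.com"))],
    additional=[_rr("ns.dyndns.com", 1, 20, bytes([192, 0, 2, 53])),
                _rr("ns2.dyndns.com", 1, 20, bytes([192, 0, 2, 54]))],
)

# Constructed forged reply in the assumed dnsspoof shape: one answer, TTL 60, nothing else.
FORGED_REPLY = build_response(0x8580, "www.example.com",
                              answers=[_rr(PTR_TO_QNAME, 1, 60, bytes([192, 0, 2, 66]))])

if __name__ == "__main__":
    for label, pkt in (("dyndns", DYNDNS_REPLY), ("forged", FORGED_REPLY)):
        print(f"{label}: naive={naive_alert(pkt)} refined={refined_alert(pkt)}")
```

Both packets carry the same flags (0x8580, the "authoritative, weird ra" combination in the quoted dnsq output), so the discriminating signal is the section counts and the exact TTL, not the flags or the TTL threshold alone. A real deployment would still want to confirm what a given spoofing tool actually emits before fixing those values in a rule.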