[Snort-users] Identifying dnsspoof

Johan.Augustsson Johan.Augustsson at ...796...
Fri Jan 5 04:43:16 EST 2001


At 06:27 2001-01-04 -0800, Brent Erickson wrote:

>I really do appreciate the DNSSPOOF signature. I tried it but received a
>carload of false positives so I had to disable it. Many DNS servers set the
>ttl to a very low value. So the sig needs more refining.

I guess I was too impatient to get a rule out, so I lacked in research.
My fault.

I've been looking closer at the dnsspoof output and read some of the
source code.
It looks like it's going to be hard to make a 100% secure identification of
a forged Standard query response A since Snort doesn't (?) have the option
to make a rule that only triggers if the event X happens N or more times
within the period P. A real nameserver only sends you one response at a
time; dnsspoof sends you at least two identical responses within one
millisecond.

But if you get a standard query response with no authority or additional
nameservers and the answer's TTL is 1 minute, you can suspect dnsspoof.
These rules may not be perfect but should minimize the risk of false alarms.


Rule for a forged "Standard query response A"

alert udp any 53 -> any any (msg:"Standard query response A with Time to live: 1 min. and no authority or additional - DNSSPOOF"; content:"|81800001000100000000|"; content:"|c00c000100010000003c0004|";)


and for a forged "Standard query response PTR"

alert udp any 53 -> any any (msg:"Standard query response PTR with Time to live: 1 min. and no authority or additional - DNSSPOOF"; content:"|85800001000100000000|"; content:"|c00c000c00010000003c000f|";)


Johan Augustsson
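
The two heuristics in the post (a response with no authority/additional records and a 60-second answer TTL, plus the "same response twice within a millisecond" trait that a single Snort content rule cannot express) written out as a small DNS-response checker. This is an added example, not code from the post or from Snort; the sample packet, the function names and the 1 ms window are constructed assumptions for illustration.

```python
import struct

# Constructed sample (not from the post): a "standard query response A" shaped
# like the rule above matches: flags 0x8180, QD=1, AN=1, NS=0, AR=0, answer with
# name pointer c00c, type A, class IN, TTL 60 s, 4-byte rdata.
FORGED_A = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x03www\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([10, 0, 0, 1])
)

def skip_name(pkt, off):
    """Advance past a DNS name (labels or a 2-byte compression pointer)."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer ends the name
            return off + 2
        off += 1 + length

def parse_response(pkt):
    """Return (flags, nscount, arcount, [(type, ttl), ...]) for a DNS message."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4          # skip QTYPE + QCLASS
    answers = []
    for _ in range(an):
        off = skip_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        answers.append((rtype, ttl))
        off += 10 + rdlen
    return flags, ns, ar, answers

def looks_like_dnsspoof(pkt):
    """The post's rule as logic: a response (QR bit set) with no authority or
    additional records whose answer TTL is exactly one minute."""
    flags, ns, ar, answers = parse_response(pkt)
    return bool(flags & 0x8000) and ns == 0 and ar == 0 and any(
        ttl == 60 for _, ttl in answers)

def burst_duplicates(events, window=0.001):
    """Count payloads seen twice within `window` seconds: the repeated
    identical responses the post says a plain Snort rule cannot express.
    events is a list of (timestamp_seconds, raw_payload)."""
    last, hits = {}, set()
    for ts, payload in sorted(events):
        if payload in last and ts - last[payload] <= window:
            hits.add(payload)
        last[payload] = ts
    return len(hits)
```

A legitimate answer with a low TTL but authority records present, or one seen only once, is not flagged by either function, which is the false-positive class the earlier signature tripped on.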