[Snort-users] Secure - NSLOOKUP

Joseph Hager Joseph.Hager at ...1108...
Mon Jan 8 15:24:31 EST 2001


Actually I'm more concerned with snort monitoring internal activities of a
network than with attacks from the Internet.  Firewalls, Sessionwall,
webtrends, etc. are doing a good job at catching/logging/tracking/blocking
most attacks and failed connection attempts.  Snort does a good job at
picking up the odd things internally that some of the other tools available
don't really do effectively.  So in a nutshell.. regardless of whether I run snort
with 1 rule or 1000 I'd like to log more historical information than just
IPs.  With DHCP leases that expire.. it would be nice to go back 30 days
and look through my logs in house.. and see that 10.10.10.100 was
john.doe.dhcp.10.100.domain.com.

-----Original Message-----
From: Gregor Binder [mailto:gbinder at ...462...]
Sent: Monday, January 08, 2001 2:28 PM
To: Joseph Hager
Cc: Gregor Binder; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Secure - NSLOOKUP

Joseph Hager on Mon, Jan 08, 2001 at 12:57:07PM -0500:

Hi,

> If a person has that much access to your box.. the script that I'm
> requesting is hardly going to be an issue.. don't you think?  And my
> thoughts on creating an ip.cache type file.. would help prevent the DoS
> attack by only requesting a lookup once per "X" amount of time.  I don't see
> it being any more of an issue than if a person was simply portscanning a
> network and forcing snort to log that information to syslog.

If everything people were doing were simple portscans, I would not run
snort at all. I am assuming a clever attacker who knows that this
functionality exists in snort. He will most likely not fire up nessus
and throw 500 or more signatures at you, nor will he run a portscan
that will be easy to detect. If I knew you ran such a system, and I
wanted to be clever, I'd try a few exploits against you from different
hosts under my control, and see which ones result in a reverse lookup
on that IP from your system. Not only will this maybe give me the IP
of your sensor, it will also show me what you know about and what not
(in terms of signatures).

As far as the fork-DoS goes, have somebody run a distributed DoS
against you, or send you a few hundred spoofed packets with different
source addresses and something that will cause an alert, and your box
will happily spawn as many nslookups, which will certainly take longer
to complete than it takes to send the packets. -> DoS :)

I would have a tendency to post-process your logs (every night from cron
or something) or use a frontend that can do DNS lookups when you want
them. Stealthy and safe ;)

Regards,
  Gregor.

-- 
Gregor Binder  <gregor.binder at ...462...>  http://sysfive.com/~gbinder/
sysfive.com GmbH               UNIX. Networking. Security. Applications.
Gaertnerstrasse 125b, 20253 Hamburg, Germany         TEL +49-40-63647482
PGP id: 0x20C6DA55 fp: 18AB 2DD0 F8FA D710 1EDC A97A B128 01C0 20C6 DA55
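The approach the thread converges on, post-processing the alert log out of band (e.g. nightly from cron) with a per-IP cache so each address is looked up at most once per interval, as an added example that is not code from either poster. It assumes a snort "fast"-style alert line format, constructed sample lines, and a constructed PTR table standing in for real DNS; the real resolver is injected so the script runs offline and never does lookups inline with detection.

```python
import re
import socket
import time
from typing import Callable, Dict, List, Optional, Tuple

# Matches the "{PROTO} src[:port] -> dst[:port]" tail of a constructed snort fast-style alert line.
ADDR_RE = re.compile(r"\{(\w+)\} (\d+\.\d+\.\d+\.\d+)(?::\d+)? -> (\d+\.\d+\.\d+\.\d+)(?::\d+)?")

class ReverseDNSCache:
    """Reverse-lookup cache: an IP is queried at most once per ttl seconds (the ip.cache idea)."""
    def __init__(self, resolver: Callable[[str], Optional[str]], ttl: float = 86400.0,
                 clock: Callable[[], float] = time.time):
        self.resolver, self.ttl, self.clock = resolver, ttl, clock
        self.entries: Dict[str, Tuple[Optional[str], float]] = {}
        self.lookups = 0  # how many real resolver calls were made

    def lookup(self, ip: str) -> Optional[str]:
        now = self.clock()
        hit = self.entries.get(ip)
        if hit is not None and now - hit[1] < self.ttl:
            return hit[0]
        self.lookups += 1
        name = self.resolver(ip)  # negative answers are cached too, so a spoofed flood stays bounded
        self.entries[ip] = (name, now)
        return name

def ptr_lookup(ip: str) -> Optional[str]:
    """Real resolver for the cron job; not used by the offline demo below."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None

def annotate(lines: List[str], cache: ReverseDNSCache) -> List[str]:
    """Append 'ip=hostname' for src and dst to every alert line that carries addresses."""
    out = []
    for line in lines:
        m = ADDR_RE.search(line)
        if not m:
            out.append(line)
            continue
        names = [f"{ip}={cache.lookup(ip) or '?'}" for ip in (m.group(2), m.group(3))]
        out.append(f"{line}  # {' '.join(names)}")
    return out

# Constructed sample alerts and a constructed PTR table (hypothetical values, not real snort output).
SAMPLE_ALERTS = [
    "01/08-15:24:31.123456  [**] [1:1000001:1] CONSTRUCTED SAMPLE RULE [**] {TCP} 10.10.10.100:1234 -> 192.168.1.5:80",
    "01/08-15:25:02.000001  [**] [1:1000001:1] CONSTRUCTED SAMPLE RULE [**] {TCP} 10.10.10.100:1235 -> 192.168.1.5:80",
    "01/08-15:26:10.500000  [**] [1:1000002:1] CONSTRUCTED SAMPLE RULE [**] {ICMP} 203.0.113.7 -> 192.168.1.5",
]
FAKE_PTR = {"10.10.10.100": "john.doe.dhcp.10.100.domain.com"}

def demo() -> Tuple[List[str], int]:
    cache = ReverseDNSCache(resolver=lambda ip: FAKE_PTR.get(ip))
    return annotate(SAMPLE_ALERTS, cache), cache.lookups  # 3 distinct IPs -> 3 lookups for 6 addresses
```

Swap `FAKE_PTR.get` for `ptr_lookup` and persist `cache.entries` between runs to get the nightly enrichment job; the cache keeps a flood of spoofed sources from turning into a matching flood of DNS queries.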