[Snort-users] Question about SO Rule 3:21355

Patrick Mullen pmullen at ...1935...
Thu Sep 5 09:23:15 EDT 2013


Jeremy,

Thank you for your query.  Before I begin, I would like to remind
everyone that the purpose of Shared Object Rules is to provide the
ability to write rules in C, not to obfuscate detection.  At this
point, most SO Rules are open source.  The source for this particular
rule is in bad-traffic_dns-spoof-mismatched-txid.c and as it happens
that file has several paragraphs at the beginning explaining what it
does at length.

In short, the rule (pair of rules, technically) looks for a DNS reply
where the TXID is different than the query(ies) we have on record.
This is why you see the alert on the reply, not the query.  All of
this is explained more fully in the comment at the top of the source
as well as a known potential for FPs.  But that being said, the rules
have a pretty good tolerance for FPs.

Your email says nothing about how many alerts you've been getting or
if this is a new thing.  If you are getting a lot of alerts, are you
sure you're not under attack?  Did you recently change your internal
DNS server to not cache?  Are your users just suddenly all going to
NYTimes.com at the same time due to recent developments around the
world?


Thanks,

~Patrick

On Wed, Sep 4, 2013 at 6:46 PM, Jeremy Hoel <jthoel at ...11827...> wrote:
> We started seeing this today from some of our DC's when doing lookups
> to various nytimes.com sites.  The MS Bulletin references issues with
> Exchange and SMTP and the CVE references the DNS lookup in the
> smtpsvc.dll in regards to dns caching poisoning.
>
> We are only seeing these for responses from the NYT DNS servers, which
> is also odd, not the original request going outbound which makes me
> wonder how/what in the response would trigger this?
>
> And finally.. if the servers are patched with MS10-024, then could
> something else be causing the FP?
>
> Being a SO rule, I don't have much to go on.



-- 
Patrick Mullen
Response Research Manager
Sourcefire VRT
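
The check described in this thread (alert on a DNS reply whose TXID matches none of the queries on record), as an added sketch that is not part of the original message and is not the code in bad-traffic_dns-spoof-mismatched-txid.c. The flow key, the function and class names, and the constructed sample messages are assumptions, and the real rule's tolerance for FPs is not modeled.

```python
import struct
from collections import defaultdict

def parse_dns(payload):
    """Return (txid, is_response, qname) from a raw DNS message."""
    if len(payload) < 12:
        raise ValueError("short DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    labels, pos = [], 12
    while qdcount:
        if pos >= len(payload):
            raise ValueError("truncated question name")
        n = payload[pos]
        if n == 0:
            break
        if n & 0xC0 or pos + 1 + n > len(payload):  # pointer or overrun
            raise ValueError("malformed question name")
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii", "replace").lower())
        pos += 1 + n
    return txid, bool(flags & 0x8000), ".".join(labels)

class TxidTracker:
    def __init__(self):
        self.pending = defaultdict(set)  # flow key -> TXIDs awaiting a reply

    def observe(self, resolver, port, server, payload):
        """Feed one UDP/53 payload; return an alert string or None."""
        txid, is_response, qname = parse_dns(payload)
        key = (resolver, port, server, qname)  # assumed flow key
        if not is_response:
            self.pending[key].add(txid)  # queries are only recorded, never alerted on
            return None
        wanted = self.pending.get(key, set())
        if not wanted or txid in wanted:  # nothing on record, or a match
            wanted.discard(txid)
            return None
        return f"reply TXID 0x{txid:04x} for {qname} matches no recorded query"

def build(txid, qname, response=False):
    """Constructed sample message: header plus one A/IN question."""
    name = b"".join(bytes([len(p)]) + p.encode() for p in qname.split(".")) + b"\0"
    flags = 0x8180 if response else 0x0100
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + name + b"\0\x01\0\x01"

def demo():
    t, flow = TxidTracker(), ("192.0.2.10", 40000, "198.51.100.53")
    # Normal lookup, then two queries on record, one answered, one reply matching neither.
    steps = [(0x1A2B, False), (0x1A2B, True), (0x3001, False),
             (0x3002, False), (0x3002, True), (0x9999, True)]
    return [t.observe(*flow, build(x, "www.example.com", r)) for x, r in steps]
```

Only the last step in `demo()` returns an alert, and it is raised while processing the reply, which is why the alerts in this thread appear on responses rather than on the outbound queries.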



