List: snort-sigs
Subject: [Snort-sigs] Dynamic DNS update attempt (new sig)
From: Jon Hart <jhart () spoofed ! org>
Date: 2006-10-31 22:41:21
Message-ID: 20061031224121.GD23128 () spoofed ! org
The signature below *should* alert on attempts to do Dynamic DNS
updates (not in the dyndns.org/etc sense). It does this by looking for
an opcode of 5 (update), followed by 1 or more zones to update, followed
by 0 or more pre-reqs, followed by 1 or more updates, followed by
0 or more additional RRs, followed by some amount of data that should
contain the actual updates.
I'm not too good with byte_test, but in my testing this seems to work as
desired. The isdataat value was picked out of the air -- suggestions
are welcome.
I plan on using this sig on our internal and external DNS -- DNS updates
internally have bit us in the past, so hopefully this sig helps someone
else too.
Comments, complaints, etc., are welcome.
alert udp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"DNS Dynamic update
attempt"; byte_test:2,&,10240,2; byte_test:2,>,0,0,relative;
byte_test:2,^,1,0,relative; byte_test:2,>,0,0,relative;
byte_test:2,^,1,0,relative; isdataat:20,relative; sid:11111111; rev:1;)
-jon
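The following is an added worked example, not code from Jon's post or from Snort: it decodes the DNS header fields the rule tests (flags word, opcode bits 11-14, and the four counts that RFC 2136 reads as ZOCOUNT/PRCOUNT/UPCOUNT/ADCOUNT for an UPDATE) and applies the same conditions in Python over three constructed sample messages. The names, addresses and message ID are made up. It also separates the rule's first test, byte_test:2,&,10240,2, which in Snort's `&` form is true whenever (flags & 0x2800) is nonzero, from an exact comparison of the opcode field, so the difference is visible on the IQUERY sample.

```python
import struct

# DNS header (RFC 1035 section 4.1.1): ID, FLAGS, then four 16-bit counts.
# In an UPDATE message (RFC 2136 section 2) the same four counts are read as
# ZOCOUNT (zones), PRCOUNT (prerequisites), UPCOUNT (updates), ADCOUNT (additional).
HEADER = struct.Struct("!HHHHHH")
OPCODE_UPDATE = 5
OPCODE_MASK = 0x7800                      # bits 11-14 of the flags word hold the opcode
OPCODE_UPDATE_BITS = OPCODE_UPDATE << 11  # 0x2800 == 10240, the value used in the rule


def parse_header(payload):
    """Return the decoded header fields of a DNS message (UDP payload)."""
    if len(payload) < HEADER.size:
        raise ValueError("short DNS header")
    ident, flags, zo, pr, up, ad = HEADER.unpack_from(payload)
    return {
        "id": ident,
        "qr": flags >> 15,                   # 0 = request, 1 = response
        "opcode": (flags & OPCODE_MASK) >> 11,
        "zocount": zo, "prcount": pr, "upcount": up, "adcount": ad,
    }


def is_update_attempt(payload, min_trailing=20):
    """Exact form of the check the rule describes: opcode UPDATE in a request,
    at least one zone, at least one update RR, and min_trailing bytes of body
    after the 12-byte header (the rule's isdataat:20)."""
    h = parse_header(payload)
    if h["qr"] != 0 or h["opcode"] != OPCODE_UPDATE:
        return False
    if h["zocount"] < 1 or h["upcount"] < 1:
        return False
    return len(payload) - HEADER.size >= min_trailing


def flags_and_mask_nonzero(payload):
    """What byte_test:2,&,10240,2 alone evaluates: (flags & 0x2800) != 0.
    Any opcode that sets bit 11 or bit 13 (1, 4, 5, 7, ...) satisfies it."""
    flags = struct.unpack_from("!H", payload, 2)[0]
    return (flags & OPCODE_UPDATE_BITS) != 0


def encode_name(name):
    """DNS wire-format name: length-prefixed labels, terminated by a zero byte."""
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"


def build_message(opcode, counts, body, qr=0, rd=0, ident=0x1234):
    """Assemble a DNS message from an opcode, the four count fields and a body."""
    flags = (qr << 15) | (opcode << 11) | (rd << 8)
    return HEADER.pack(ident, flags, *counts) + body


# Constructed sample messages (hypothetical names and addresses).
# 1. UPDATE adding host.example.com A 192.0.2.10 to zone example.com:
ZONE_SECTION = encode_name("example.com") + struct.pack("!HH", 6, 1)   # SOA, IN
UPDATE_RR = (encode_name("host.example.com")
             + struct.pack("!HHIH", 1, 1, 300, 4)                       # A, IN, TTL, RDLENGTH
             + bytes([192, 0, 2, 10]))
UPDATE_PKT = build_message(OPCODE_UPDATE, (1, 0, 1, 0), ZONE_SECTION + UPDATE_RR)

# 2. Ordinary recursive query for example.com A (opcode 0):
QUESTION = encode_name("example.com") + struct.pack("!HH", 1, 1)
QUERY_PKT = build_message(0, (1, 0, 0, 0), QUESTION, rd=1)

# 3. Same question with opcode 1 (IQUERY), which shares bit 11 with opcode 5.
IQUERY_PKT = build_message(1, (1, 0, 0, 0), QUESTION)

if __name__ == "__main__":
    for label, pkt in (("UPDATE", UPDATE_PKT), ("QUERY", QUERY_PKT), ("IQUERY", IQUERY_PKT)):
        h = parse_header(pkt)
        print(f"{label}: opcode={h['opcode']} counts={h['zocount']},{h['prcount']},"
              f"{h['upcount']},{h['adcount']} update={is_update_attempt(pkt)} "
              f"mask_hit={flags_and_mask_nonzero(pkt)}")
```

Running it shows the UPDATE sample satisfying every condition, the plain query failing all of them, and the IQUERY sample passing the 0x2800 mask test while failing the exact opcode comparison; the isdataat-style length check is kept as a parameter so the 20-byte figure from the rule can be tuned against real traffic.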
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs