List:       snort-sigs
Subject:    [Snort-sigs] Dynamic DNS update attempt (new sig)
From:       Jon Hart <jhart () spoofed ! org>
Date:       2006-10-31 22:41:21
Message-ID: 20061031224121.GD23128 () spoofed ! org

The signature below *should* alert on attempts to do Dynamic DNS
updates (not in the dyndns.org/etc sense).  It does this by looking for
an opcode of 5 (update), followed by 1 or more zones to update, followed
by 0 or more pre-reqs, followed by 1 or more updates, followed by
0 or more additional RRs, followed by some amount of data that should
contain the actual updates.

I'm not too good with byte_test, but in my testing this seems to work as
desired.  The isdataat value was picked out of the air -- suggestions
are welcome.

I plan on using this sig on our internal and external DNS -- DNS updates
internally have bit us in the past, so hopefully this sig helps someone
else too.

Comments, complaints, etc., are welcome.

alert udp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"DNS Dynamic update attempt"; \
    byte_test:2,&,10240,2; byte_test:2,>,0,0,relative; \
    byte_test:2,^,1,0,relative; byte_test:2,>,0,0,relative; \
    byte_test:2,^,1,0,relative; isdataat:20,relative; sid:11111111; rev:1;)

-jon
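Added example (editor's note, not part of Jon's post or the Snort project): a small Python decoder of the DNS header that checks the same things the rule above is reaching for, so the byte offsets and the 10240 constant can be verified offline. The header is ID, FLAGS, then four 16-bit counts (RFC 1035); in an UPDATE message (RFC 2136) those counts are ZOCOUNT, PRCOUNT, UPCOUNT and ADCOUNT, and the opcode sits in bits 11-14 of FLAGS, so opcode 5 shifted into place is 0x2800 = 10240, the value the first byte_test uses at offset 2. The sample messages (zone "example.test", 20-byte trailing-data threshold, IDs, addresses) are constructed here for illustration. The block also keeps a separate mask-style test beside the exact-opcode test, because an AND-with-0x2800 check that only requires a non-zero result is also satisfied by opcode 4 (NOTIFY, 0x2000) and opcode 1 (IQUERY, 0x0800); comparing the two on the same datagrams shows where a loose mask would over-alert.

```python
import struct

# DNS header (RFC 1035 4.1.1): ID, FLAGS, QD/ZO, AN/PR, NS/UP, AR/AD counts.
HEADER = struct.Struct("!HHHHHH")
OPCODE_UPDATE = 5
# Opcode occupies bits 11-14 of FLAGS; 5 << 11 == 0x2800 == 10240,
# the constant used by the posted rule's first byte_test at offset 2.
OPCODE_UPDATE_IN_FLAGS = OPCODE_UPDATE << 11
MIN_TRAILING = 20  # constructed threshold mirroring the rule's isdataat:20


def parse_header(pkt: bytes) -> dict:
    """Decode the 12-byte header; refuse datagrams too short to hold one."""
    if len(pkt) < HEADER.size:
        raise ValueError("short DNS datagram")
    ident, flags, c1, c2, c3, c4 = HEADER.unpack_from(pkt)
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,
        "opcode": (flags >> 11) & 0xF,
        "counts": (c1, c2, c3, c4),          # ZOCOUNT, PRCOUNT, UPCOUNT, ADCOUNT for UPDATE
        "trailing": len(pkt) - HEADER.size,  # bytes after the header
    }


def is_update_request(pkt: bytes, min_trailing: int = MIN_TRAILING) -> bool:
    """Exact-opcode version of the rule's intent: a request (QR=0) with opcode 5,
    at least one zone, at least one update RR and some trailing section data."""
    h = parse_header(pkt)
    zocount, _prcount, upcount, _adcount = h["counts"]
    return (h["qr"] == 0 and h["opcode"] == OPCODE_UPDATE
            and zocount >= 1 and upcount >= 1
            and h["trailing"] >= min_trailing)


def mask_test_passes(pkt: bytes) -> bool:
    """A bitwise-AND test that accepts any non-zero result: FLAGS & 0x2800 != 0.
    Shown only to make its over-match on opcodes 1 and 4 visible."""
    (flags,) = struct.unpack_from("!H", pkt, 2)
    return (flags & OPCODE_UPDATE_IN_FLAGS) != 0


def encode_name(name: str) -> bytes:
    """Wire-format domain name: length-prefixed labels, terminated by a zero byte."""
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                    for lbl in name.split(".")) + b"\x00"


def build_msg(opcode: int, counts: tuple, body: bytes, ident: int = 0x1234) -> bytes:
    """Assemble a request datagram with the given opcode, four counts and body."""
    flags = (opcode & 0xF) << 11  # QR=0, other flag bits clear
    return HEADER.pack(ident, flags, *counts) + body


# Constructed sample datagrams.
# UPDATE: one zone (example.test SOA IN), no prerequisites, one A record to add.
ZONE = encode_name("example.test") + struct.pack("!HH", 6, 1)
UPDATE_RR = (encode_name("host.example.test")
             + struct.pack("!HHIH", 1, 1, 300, 4)   # type A, class IN, TTL, RDLENGTH
             + bytes([192, 0, 2, 10]))              # RDATA, documentation address
UPDATE_MSG = build_msg(5, (1, 0, 1, 0), ZONE + UPDATE_RR)
# Ordinary query for the same name (opcode 0).
QUERY_MSG = build_msg(0, (1, 0, 0, 0), encode_name("example.test") + struct.pack("!HH", 1, 1))
# NOTIFY (opcode 4): not an update, but FLAGS & 0x2800 is non-zero.
NOTIFY_MSG = build_msg(4, (1, 0, 0, 0), encode_name("example.test") + struct.pack("!HH", 6, 1))


if __name__ == "__main__":
    for label, pkt in (("update", UPDATE_MSG), ("query", QUERY_MSG), ("notify", NOTIFY_MSG)):
        h = parse_header(pkt)
        print(f"{label:7s} opcode={h['opcode']} counts={h['counts']} "
              f"exact={is_update_request(pkt)} mask={mask_test_passes(pkt)}")
```

Running the block prints one line per sample; the UPDATE datagram is the only one the exact-opcode check accepts, while the mask-style test also fires on the NOTIFY message. When tuning the rule, a capture of real UPDATE traffic from the internal servers fed through parse_header is a quick way to see what the zone and update sections actually carry before settling on the isdataat threshold.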


_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs