IDS mailing list archives
Re: sidestep
From: Judy Novak <judy.novak () sourcefire com>
Date: Mon, 5 May 2003 09:38:29 -0400
Jill, I don't know what version of Snort you are running or what Snort rule set you are using. If you use version 2.0 with the default rule set (which specifically includes the file dns.rules with SID 1616), it should trigger. I ran sidestep DNS evade traffic using a Snort default configuration file, which includes the following rule in the dns.rules file:

alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named version attempt"; content:"|07|version"; nocase; offset:12; content:"|04|bind"; nocase; offset:12; reference:nessus,10028; reference:arachnids,278; classtype:attempted-recon; sid:1616; rev:4;)

And received this alert:

05/05-04:08:21.989255 [**] [1:1616:4] DNS named version attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.2.3.28:1045 -> 10.2.3.20:53

Judy Novak

On Saturday 03 May 2003 05:52, Jill Tovey wrote:
> Hi all,
>
> For those of you that were interested, Snort did not detect the DNS version query from Sidestep.
>
> Kind Regards,
> Jill Tovey
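As an added illustration (not code from this thread, from Snort, or from sidestep), the following Python model shows what SID 1616 actually checks: a DNS query builder, the two content options searched from offset:12 with nocase, and the rule header from the default configuration (udp $EXTERNAL_NET any -> $HOME_NET 53). It assumes $EXTERNAL_NET is "any", as in the default snort.conf, and uses a constructed $HOME_NET of 10.2.3.0/24 that covers the addresses in Judy's alert. The query packets and names are constructed for the example. It shows that the rule fires on version.bind regardless of letter case, but that the |07| and |04| length bytes tie the match to the exact label lengths, so a name whose first label is not exactly seven bytes long is not matched.

```python
import ipaddress
import struct

# Assumed stand-ins for Snort's variables: the default snort.conf sets
# EXTERNAL_NET to "any"; HOME_NET here is a constructed value that covers
# the addresses in the alert quoted in the thread.
HOME_NET = ipaddress.ip_network("10.2.3.0/24")


def build_dns_query(name, qtype=16, qclass=3, txid=0x1234):
    """Build a raw DNS query payload (everything after the UDP header).

    Defaults are TXT (16) in the CHAOS class (3), the way a named
    version query for version.bind is normally sent.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # 12 bytes, RD set
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, qclass)


def content_match(payload, pattern, offset=0, nocase=False):
    """Snort-style 'content' option: pattern occurs at or after offset."""
    haystack = payload[offset:]
    if nocase:
        haystack, pattern = haystack.lower(), pattern.lower()
    return pattern in haystack


def sid_1616_payload_match(payload):
    """Both content options of SID 1616, each searched from offset 12
    (the end of the fixed DNS header) with nocase.  The length bytes
    |07| and |04| are part of the pattern, so the match is tied to the
    exact label lengths of version.bind."""
    return (content_match(payload, b"\x07version", offset=12, nocase=True)
            and content_match(payload, b"\x04bind", offset=12, nocase=True))


def sid_1616_alert(src_ip, src_port, dst_ip, dst_port, payload):
    """Apply the rule header (udp $EXTERNAL_NET any -> $HOME_NET 53) and
    the payload options.  Returns an alert line in the archive's style,
    or None when the rule does not fire."""
    if dst_port != 53 or ipaddress.ip_address(dst_ip) not in HOME_NET:
        return None
    if not sid_1616_payload_match(payload):
        return None
    return ("[1:1616:4] DNS named version attempt {UDP} "
            f"{src_ip}:{src_port} -> {dst_ip}:{dst_port}")


if __name__ == "__main__":
    # Constructed traffic: the query from the thread, a mixed-case variant,
    # a near-miss name, and an ordinary lookup.
    for name in ("version.bind", "VERSION.BIND", "versions.bind", "www.example.com"):
        result = sid_1616_alert("10.2.3.28", 1045, "10.2.3.20", 53, build_dns_query(name))
        print(f"{name:16} -> {result}")
```

Each content option is searched independently from its own offset, which is how Snort 2.0 treats two content options that carry no distance or within modifier; the model does not cover other evasions (fragmentation, name compression pointers, or queries that are not plain UDP), only the byte-level test this one rule performs.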
Current thread:
- Re: sidestep Jill Tovey (May 04)
- Re: sidestep Brian (May 06)
- <Possible follow-ups>
- Re: sidestep Randy Taylor (May 04)
- Re: sidestep Jill Tovey (May 04)
- Re: sidestep Randy Taylor (May 06)
- Re: sidestep Jill Tovey (May 04)
- RE: sidestep Golomb, Gary (May 04)
- RE: sidestep Jill Tovey (May 04)
- Re: sidestep Judy Novak (May 06)
- Re: sidestep Jill Tovey (May 06)
- Re: sidestep Martin Roesch (May 06)
- RE: sidestep Jill Tovey (May 04)