Snort mailing list archives
Re: Signature for this?
From: John Sage <jsage () finchhaven com>
Date: Sat, 7 Sep 2002 23:00:40 -0700
On Sat, Sep 07, 2002 at 08:12:11PM -0500, Frank Knobbe wrote:
> Guys, is anyone aware of a snort sig for this one?
> http://www.theregister.co.uk/content/55/26967.html
An authoritative source is found at:

http://www.cert.org/advisories/CA-2002-19.html
"CERT Advisory CA-2002-19 Buffer Overflows in Multiple DNS Resolver Libraries"

The multiple conditions described may be beyond detection by a snort rule.

1) "Buffer overflow vulnerabilities exist in multiple implementations of DNS resolver libraries."

So the attack itself is based on a buffer overflow. There is not necessarily any known exploit, or known shell code.

2) "Two sets of responses could trigger buffer overflows in vulnerable DNS resolver libraries: responses for host names or addresses, and responses for network names or addresses."

So the vulnerable transaction is either a host response, or a network response.

3) "An attacker who is able to control DNS responses could exploit arbitrary code or cause a denial of service on vulnerable systems. The attacker would need to be able to spoof DNS responses or control a DNS server that provides responses to a vulnerable system."

The attacker must either commandeer a legitimate DNS server, or spoof responses so that they appear to come from a legitimate DNS server.

4) "By issuing queries to and interpreting responses from DNS servers, IP-enabled network operating systems can access DNS information. When an IP network application needs to access or process DNS information, it calls functions in the stub resolver library, which may be part of the underlying network operating system."

The issue affects not only local nameservers, but applications that call resolver functions (sendmail would be one example, methinks..)

So this is a pretty complex situation. What to do?

Patch, and recompile applications as needed...

- John

-- 
"In those days, you could not buy a $2000 200MHz Pentium server."
PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800 4EF6 5FC8 F23D 35A4 F705
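Added example, not part of John's post and not Snort project code: a small Python checker that parses a DNS response and flags resource records whose RDLENGTH is inconsistent with the record type (A must carry 4 bytes, AAAA 16) or that run past the end of the packet. It illustrates the point made above, that a host-address response is only recognisable as malformed once the answer section is parsed, which is why a byte-pattern signature has little to match on. The sample packets are constructed inline; the checks are generic structural sanity checks, not a detection for the specific conditions in CA-2002-19.

```python
import struct

# Record types with a fixed RDATA length: A (type 1) -> 4 bytes, AAAA (type 28) -> 16 bytes.
FIXED_RDLEN = {1: 4, 28: 16}


def skip_name(buf, off):
    """Return the offset just past a DNS name starting at off (handles compression pointers)."""
    while True:
        if off >= len(buf):
            raise ValueError("name runs past end of packet")
        length = buf[off]
        if length == 0:                  # root label terminates the name
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer: two bytes, name ends here
            return off + 2
        off += 1 + length                # ordinary label: length byte plus label bytes


def check_response(buf):
    """Parse a DNS response; return a list of structural anomalies (empty list = clean)."""
    findings = []
    if len(buf) < 12:
        return ["short header"]
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    if not flags & 0x8000:
        findings.append("QR bit not set: not a response")
    off = 12
    try:
        for _ in range(qd):
            off = skip_name(buf, off) + 4            # QNAME, then QTYPE + QCLASS
        for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
            for i in range(count):
                off = skip_name(buf, off)
                # NAME is followed by TYPE(2) CLASS(2) TTL(4) RDLENGTH(2)
                rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
                off += 10
                if off + rdlen > len(buf):
                    findings.append(f"{section}[{i}]: RDLENGTH {rdlen} exceeds packet")
                    return findings
                expected = FIXED_RDLEN.get(rtype)
                if expected is not None and rdlen != expected:
                    findings.append(
                        f"{section}[{i}]: type {rtype} RDLENGTH {rdlen}, expected {expected}")
                off += rdlen
    except (ValueError, struct.error) as exc:
        findings.append(f"truncated record: {exc}")
    return findings


def build_response(rdata_list):
    """Constructed sample: a reply to 'www.example.com A?' with one A record per RDATA blob."""
    name = b"\x03www\x07example\x03com\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(rdata_list), 0, 0)
    question = name + struct.pack("!HH", 1, 1)       # QTYPE A, QCLASS IN
    answers = b""
    for rdata in rdata_list:
        # 0xC00C is a compression pointer back to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + question + answers


# Constructed inputs: a well-formed reply and one whose second A record carries 40 bytes of RDATA.
GOOD = build_response([bytes([192, 0, 2, 10])])
BAD = build_response([bytes([192, 0, 2, 10]), b"A" * 40])

if __name__ == "__main__":
    for label, pkt in (("good", GOOD), ("bad", BAD), ("bad-truncated", BAD[:-10])):
        print(label, check_response(pkt) or "clean")
```

Running it prints `clean` for the well-formed packet, an RDLENGTH mismatch for the oversized A record, and an overrun finding for the truncated copy. Note that the checker has to walk every record, including compressed names, before it can say anything; a rule engine that only matches fixed byte offsets or strings sees the same leading bytes in all three packets.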
Current thread:
- Signature for this? Frank Knobbe (Sep 07)
- Re: Signature for this? Michael Scheidell (Sep 07)
- Re: Signature for this? Frank Knobbe (Sep 08)
- Re: Signature for this? Erek Adams (Sep 08)
- DNS suxx0rz (was: Re: Signature for this?) Dragos Ruiu (Sep 08)
- Re: Signature for this? Frank Knobbe (Sep 08)
- Re: Signature for this? John Sage (Sep 07)
- <Possible follow-ups>
- Re: Signature for this? scott campbell (Sep 15)
- Re: Signature for this? Michael Scheidell (Sep 07)