Snort mailing list archives
Re: Advanced DNS rules
From: Curt Shaffer <cshaffer () gmail com>
Date: Sun, 19 Feb 2012 17:31:08 -0500
It is more about just looking for large malformed DNS requests. I don't want to catch legitimate DNS requests that would be large such as DNSSEC or valid EDNS. Think of a DNS packet filled with 0x41s at 1000 bytes. Certainly not something I want. That is just an example more than exactly what I'm trying to do. Maybe it would make sense to make the dsize there a little larger. It would be great to have a rule that says over 768 bytes that is not DNSSEC or EDNS ultimately.

On Sun, Feb 19, 2012 at 4:02 PM, Mark Andrews <marka () isc org> wrote:
> In message <CAKEvj1BZ8YE7cE4OLwsCgTBF83YC1j8YvN-u=9ZPSSnhvcpcCg () mail gmail com>, Curt Shaffer writes:
> > I'm looking for some information on a way to look for malformed DNS packets. Mainly looking for large UDP requests (dsize:>512) that are NOT DNSSEC related, and a rule looking for the reserved flag (Z), reference here: http://www.networksorcery.com/enp/protocol/dns.htm#Z, in the DNS Flags field. I'm having trouble finding decent documentation. I have the following:
> >
> > Detects large packets, but want this to alert only if we are not using DNSSEC:
>
> Why are you wanting to reject legitimate DNS traffic? DNSSEC depends on EDNS but EDNS exists independently of DNSSEC. There are lots of reasons why an EDNS UDP response would be bigger than 512 bytes and not be DNSSEC related. Below is an example of a perfectly legitimate EDNS response > 512 bytes that does not involve DNSSEC.
>
> ; <<>> DiG 9.7.3-P3 <<>> foo.com @a.root-servers.net +edns=0
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45266
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 16
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;foo.com.                     IN      A
>
> ;; AUTHORITY SECTION:
> com.                 172800  IN      NS      c.gtld-servers.net.
> com.                 172800  IN      NS      f.gtld-servers.net.
> com.                 172800  IN      NS      d.gtld-servers.net.
> com.                 172800  IN      NS      j.gtld-servers.net.
> com.                 172800  IN      NS      h.gtld-servers.net.
> com.                 172800  IN      NS      g.gtld-servers.net.
> com.                 172800  IN      NS      b.gtld-servers.net.
> com.                 172800  IN      NS      e.gtld-servers.net.
> com.                 172800  IN      NS      k.gtld-servers.net.
> com.                 172800  IN      NS      m.gtld-servers.net.
> com.                 172800  IN      NS      i.gtld-servers.net.
> com.                 172800  IN      NS      a.gtld-servers.net.
> com.                 172800  IN      NS      l.gtld-servers.net.
>
> ;; ADDITIONAL SECTION:
> a.gtld-servers.net.  172800  IN      A       192.5.6.30
> a.gtld-servers.net.  172800  IN      AAAA    2001:503:a83e::2:30
> b.gtld-servers.net.  172800  IN      A       192.33.14.30
> b.gtld-servers.net.  172800  IN      AAAA    2001:503:231d::2:30
> c.gtld-servers.net.  172800  IN      A       192.26.92.30
> d.gtld-servers.net.  172800  IN      A       192.31.80.30
> e.gtld-servers.net.  172800  IN      A       192.12.94.30
> f.gtld-servers.net.  172800  IN      A       192.35.51.30
> g.gtld-servers.net.  172800  IN      A       192.42.93.30
> h.gtld-servers.net.  172800  IN      A       192.54.112.30
> i.gtld-servers.net.  172800  IN      A       192.43.172.30
> j.gtld-servers.net.  172800  IN      A       192.48.79.30
> k.gtld-servers.net.  172800  IN      A       192.52.178.30
> l.gtld-servers.net.  172800  IN      A       192.41.162.30
> m.gtld-servers.net.  172800  IN      A       192.55.83.30
>
> ;; Query time: 200 msec
> ;; SERVER: 2001:503:ba3e::2:30#53(2001:503:ba3e::2:30)
> ;; WHEN: Mon Feb 20 07:59:19 2012
> ;; MSG SIZE  rcvd: 524
>
> > alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:" Inbound Large DNS Packet Detected NOT DNSSEC"; dsize:> 512; classtype:dns; sid:xxxxx; rev:1; )
> >
> > The following I thought would work for the reserved bit (Z), but I am getting alerts even when the bit is not set:
> >
> > alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS Reserved Bit Set"; content:!"|00|"; offset:25; classtype:dns; sid:9000246; rev:1;)
> >
> > Can anyone point me at some documentation for Snort on these topics or lend a hand to help see what I'm missing?
> >
> > Thanks
> > Curt
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka () isc org
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
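As an added illustration (not code from the thread, and not a Snort rule), the following Python evaluates the three conditions the thread discusses on a raw DNS-over-UDP payload: size over a threshold, absence of the EDNS OPT pseudo-RR (which plain EDNS carries just as DNSSEC does, as Mark points out), and the reserved Z bit. The sample messages, including a 1000-byte packet padded with 0x41 like the one Curt describes, are constructed here for the demonstration.

```python
import struct
# Added illustration, not code from the thread or from Snort: Snort `offset` values
# count from the start of the UDP payload (the DNS header), so the Z bit is byte 3
# under mask 0x40. Sample messages below are constructed for this demonstration.
OPT_TYPE = 41  # EDNS OPT pseudo-RR: present for plain EDNS as well as DNSSEC

def _skip_name(msg, off):
    """Return the offset just past the domain name that starts at `off`."""
    while True:
        ln = msg[off]                      # IndexError on truncated input
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:              # compression pointer: 2 bytes, ends the name
            return off + 2
        off += ln + 1

def inspect_dns(msg):
    """Parse the header and walk every section; malformed input is flagged, not raised."""
    r = {"size": len(msg), "z_bit": False, "edns": False, "malformed": False}
    try:
        _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
        r["z_bit"] = bool(flags & 0x0040)  # reserved Z bit of the RFC 1035 header
        off = 12
        for _ in range(qd):
            off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
        for _ in range(an + ns + ar):
            off = _skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            if rtype == OPT_TYPE:
                r["edns"] = True
        if off != len(msg):                # trailing bytes no section accounts for
            r["malformed"] = True
    except (struct.error, IndexError):
        r["malformed"] = True
    return r

def should_alert(msg, threshold=512):
    """Curt's intent: large and not EDNS, reserved bit set, or not parseable at all."""
    r = inspect_dns(msg)
    return r["malformed"] or r["z_bit"] or (r["size"] > threshold and not r["edns"])

# Constructed sample messages (hypothetical values, for demonstration only).
def _name(s):
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in s.split(".")) + b"\x00"
_HDR = lambda flags, qd, ar: struct.pack("!HHHHHH", 0x1234, flags, qd, 0, 0, ar)
_Q = _name("example.com") + struct.pack("!HH", 1, 1)          # example.com IN A
_OPT = lambda n: b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, n) + b"\x00" * n
BIG_EDNS = _HDR(0x0100, 1, 1) + _Q + _OPT(600)    # 640 bytes but carries OPT: no alert
Z_QUERY = _HDR(0x0140, 1, 0) + _Q                 # RD + reserved Z bit set: alert
JUNK_1000 = _HDR(0x0100, 1, 0) + b"A" * 988       # 1000 bytes of 0x41 after header: alert
```

Because Snort matches `content`/`offset` against the UDP payload, the Z bit sits at payload byte 3 under mask 0x40, while `offset:25` lands inside the question section. In Snort 2 that bit test is expressed with byte_test's bitwise operator, `byte_test:1,&,0x40,3;`.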
Current thread:
- Advanced DNS rules Curt Shaffer (Feb 19)
- Re: Advanced DNS rules Geoffrey Sanders (Feb 19)
- Re: Advanced DNS rules Curt Shaffer (Feb 19)
- Re: Advanced DNS rules Curt Shaffer (Feb 20)
- Re: Advanced DNS rules Mark Andrews (Feb 19)
- Re: Advanced DNS rules Curt Shaffer (Feb 19)
- Re: Advanced DNS rules Mark Andrews (Feb 19)
- Re: Advanced DNS rules Curt Shaffer (Feb 19)
- Re: Advanced DNS rules Geoffrey Sanders (Feb 19)