Snort mailing list archives
Re: BAD-TRAFFIC dns cache poisoning attempt sid:13667
From: yew chuan Ong <yewchuan_23 () yahoo com>
Date: Sat, 10 Nov 2012 03:44:15 -0800 (PST)
Thanks Waldo Kitty! So usually what do you guys do when you get this sig triggered?

________________________________
From: waldo kitty <wkitty42 () windstream net>
To: snort-sigs () lists sourceforge net
Sent: Friday, November 9, 2012 10:31 PM
Subject: Re: [Snort-sigs] BAD-TRAFFIC dns cache poisoning attempt sid:13667

On 11/8/2012 23:31, yew chuan Ong wrote:
Hi All, I found this rule under so_rules.
Yeah, I wish they'd use other category filenames for GID 3 rules instead of using the same ones GID 1 uses... perhaps they should prefix those category filenames and MSG texts with SO_ to make it more obvious? There are times that GID:3 just gets lost from sight...
I also found a thread discussing GID:3... http://seclists.org/snort/2010/q1/190 Since we have no idea how the sig works (in terms of detection method), how can we analyze it?
Simply put, you cannot... you need the source code, and that is not available to the general public, AFAIK...
Appreciate it if anyone can respond. Thanks!

Regards
Yew Chuan

--------------------------------------------------------------------------------
*From:* yew chuan Ong
*To:* "snort-sigs () lists sourceforge net"
*Sent:* Thursday, November 8, 2012 3:33 PM
*Subject:* [Snort-sigs] BAD-TRAFFIC dns cache poisoning attempt sid:13667

Hi, I found the description of this sig here - http://cs.uccs.edu/~cs591/ids/snort/snort2_9_0/so_rules/bad-traffic.rules. But when I downloaded the rules from Snort, I found nothing related inside bad-traffic.rules. Any ideas? This sig is still enabled by default, right? Thanks!
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
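The confusion in the thread above is that a GID 3 rule's stub lives in so_rules/ under the same category filename as the GID 1 text rules, and the stub only shows the header, sid/gid/rev and msg; the detection logic is compiled into the shared object and is not in the rule text at all. The script below is an added example (not code from Snort, the VRT, or anyone in the thread) that searches rule stub files for a given sid across both rules/ and so_rules/, reports the gid (Snort assumes 1 when the option is absent), whether the line is commented out (disabled), and whether the hit is a shared-object stub. The sample rule text embedded in SAMPLE_RULE_FILES is constructed for the example and is not the real rule text for sid 13667; load_rule_files() reads a real unpacked ruleset directory instead.

```python
"""Locate a Snort rule by sid across plain-text and shared-object (GID 3) stub files."""
import re
from pathlib import Path
from typing import Dict, List, Optional

# Constructed sample rule files for this example (NOT the real VRT rule text).
# so_rules/ stubs carry gid:3 and "metadata:engine shared"; the matching logic
# itself is compiled into the .so and is not visible in the stub.
SAMPLE_RULE_FILES: Dict[str, str] = {
    "rules/bad-traffic.rules": (
        'alert udp $EXTERNAL_NET any -> $HOME_NET 53 '
        '(msg:"BAD-TRAFFIC constructed text rule"; sid:1000001; rev:1; classtype:bad-unknown;)\n'
        '# alert tcp any any -> any any (msg:"BAD-TRAFFIC constructed disabled rule"; sid:1000002; rev:1;)\n'
    ),
    "so_rules/bad-traffic.rules": (
        '# Stub for a shared-object rule; the detection logic lives in the compiled library.\n'
        'alert udp $EXTERNAL_NET 53 -> $HOME_NET any '
        '(msg:"BAD-TRAFFIC dns cache poisoning attempt"; sid:13667; gid:3; rev:3; '
        'metadata:engine shared, soid 3|13667;)\n'
    ),
}

# A rule line starts with an action keyword; a leading '#' means the rule is present but disabled.
RULE_HEADER = re.compile(r'^\s*(?P<disabled>#\s*)?(alert|log|pass|drop|reject|sdrop)\s+')
# msg value is a double-quoted string; backslash-escaped quotes inside it are tolerated.
MSG_OPTION = re.compile(r'msg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')


def _int_option(name: str, line: str) -> Optional[int]:
    """Return the integer value of a numeric rule option such as sid, gid or rev."""
    m = re.search(rf'\b{name}\s*:\s*(\d+)\s*;', line)
    return int(m.group(1)) if m else None


def parse_rules(text: str, filename: str) -> List[dict]:
    """Parse one rules file into a list of rule records (one per rule line)."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        header = RULE_HEADER.match(line)
        sid = _int_option("sid", line) if header else None
        if sid is None:
            continue  # blank line, plain comment, or a line without a sid
        gid = _int_option("gid", line)
        if gid is None:
            gid = 1  # Snort assumes gid 1 for text rules that omit the option
        msg = MSG_OPTION.search(line)
        rules.append({
            "file": filename,
            "line": lineno,
            "enabled": header.group("disabled") is None,
            "gid": gid,
            "sid": sid,
            "rev": _int_option("rev", line),
            "msg": msg.group(1) if msg else "",
            "shared_object": gid == 3 or "engine shared" in line,
        })
    return rules


def find_sid(rule_files: Dict[str, str], sid: int, gid: Optional[int] = None) -> List[dict]:
    """Return every rule with the given sid (and gid, if given) across all files."""
    hits = []
    for filename, text in rule_files.items():
        for rule in parse_rules(text, filename):
            if rule["sid"] == sid and (gid is None or rule["gid"] == gid):
                hits.append(rule)
    return hits


def load_rule_files(ruleset_root: str) -> Dict[str, str]:
    """Read rules/*.rules and so_rules/*.rules under an unpacked ruleset directory."""
    root = Path(ruleset_root)
    files: Dict[str, str] = {}
    for pattern in ("rules/*.rules", "so_rules/*.rules"):
        for path in sorted(root.glob(pattern)):
            files[str(path.relative_to(root))] = path.read_text(errors="replace")
    return files


def describe(rule: dict) -> str:
    """One-line human-readable summary of a parsed rule record."""
    state = "enabled" if rule["enabled"] else "disabled (commented out)"
    kind = "shared-object stub; logic is in the .so" if rule["shared_object"] else "text rule"
    return (f'gid:{rule["gid"]} sid:{rule["sid"]} rev:{rule["rev"]} "{rule["msg"]}" '
            f'{state} in {rule["file"]}:{rule["line"]} ({kind})')


if __name__ == "__main__":
    # Replace SAMPLE_RULE_FILES with load_rule_files("/etc/snort") for a real ruleset.
    for hit in find_sid(SAMPLE_RULE_FILES, 13667):
        print(describe(hit))
```

Run against a real unpacked ruleset with `load_rule_files("/path/to/ruleset")`; a hit reported as a shared-object stub tells you that grepping the stub text for the detection method is pointless, which is the point made in the thread: the stub gives you the header, sid/gid/rev and msg, nothing more.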
Current thread:
- BAD-TRAFFIC dns cache poisoning attempt sid:13667 yew chuan Ong (Nov 07)
- Re: BAD-TRAFFIC dns cache poisoning attempt sid:13667 yew chuan Ong (Nov 08)
- Re: BAD-TRAFFIC dns cache poisoning attempt sid:13667 waldo kitty (Nov 09)
- Re: BAD-TRAFFIC dns cache poisoning attempt sid:13667 yew chuan Ong (Nov 10)
- Re: BAD-TRAFFIC dns cache poisoning attempt sid:13667 waldo kitty (Nov 10)
- Re: BAD-TRAFFIC dns cache poisoning attempt sid:13667 waldo kitty (Nov 09)
- Re: BAD-TRAFFIC dns cache poisoning attempt sid:13667 yew chuan Ong (Nov 08)