Snort mailing list archives
Re: Question about SO Rule 3:21355
From: Patrick Mullen <pmullen () sourcefire com>
Date: Thu, 5 Sep 2013 09:23:15 -0400
Jeremy,

Thank you for your query. Before I begin, I would like to remind everyone that the purpose of Shared Object Rules is to provide the ability to write rules in C, not to obfuscate detection. At this point, most SO Rules are open source. The source for this particular rule is in bad-traffic_dns-spoof-mismatched-txid.c and, as it happens, that file has several paragraphs at the beginning explaining what it does at length.

In short, the rule (pair of rules, technically) looks for a DNS reply where the TXID is different than the query(ies) we have on record. This is why you see the alert on the reply, not the query. All of this is explained more fully in the comment at the top of the source, as well as a known potential for FPs.

But that being said, the rules have a pretty good tolerance for FPs. Your email says nothing about how many alerts you've been getting or if this is a new thing. If you are getting a lot of alerts, are you sure you're not under attack? Did you recently change your internal DNS server to not cache? Are your users just suddenly all going to NYTimes.com at the same time due to recent developments around the world?

Thanks,

~Patrick

On Wed, Sep 4, 2013 at 6:46 PM, Jeremy Hoel <jthoel () gmail com> wrote:
> We started seeing this today from some of our DCs when doing lookups to various nytimes.com sites. The MS Bulletin references issues with Exchange and SMTP, and the CVE references the DNS lookup in the smtpsvc.dll in regards to DNS cache poisoning.
>
> We are only seeing these for responses from the NYT DNS servers, which is also odd, not the original request going outbound, which makes me wonder how/what in the response would trigger this?
>
> And finally, if the servers are patched with MS10-024, then could something else be causing the FP? Being a SO rule, I don't have much to go on.
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
--
Patrick Mullen
Response Research Manager
Sourcefire VRT
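As an added illustration of the detection logic Patrick describes (alert on a DNS reply whose TXID matches none of the queries on record for that client, server and name), here is a small stand-alone Python detector. This is editor-added example code, not the source of bad-traffic_dns-spoof-mismatched-txid.c or any other VRT code: the sample messages are constructed inline, the keying on (client, server, qname), the bounded per-key queue of outstanding TXIDs, and the decision to stay silent when no query was ever recorded are all assumptions of this toy, not statements about how SO rule 3:21355 behaves.

```python
import struct
from collections import defaultdict, deque


def build_dns(txid, qname, is_response):
    """Constructed sample message: 12-byte header plus one A/IN question."""
    flags = 0x8180 if is_response else 0x0100           # QR + RD(+RA) bits
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = b"".join(bytes([len(label)]) + label.encode("ascii")
                        for label in qname.split(".")) + b"\x00"
    question += struct.pack("!HH", 1, 1)                 # QTYPE=A, QCLASS=IN
    return header + question


def parse_dns(payload):
    """Return (txid, is_response, qname) from the header and first question."""
    if len(payload) < 12:
        raise ValueError("short DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if qdcount < 1:
        raise ValueError("no question section to key on")
    labels, off = [], 12
    while True:
        if off >= len(payload):
            raise ValueError("truncated qname")
        n = payload[off]
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(payload[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return txid, bool(flags & 0x8000), ".".join(labels).lower()


class TxidMismatchDetector:
    """Remember outstanding query TXIDs per (client, server, qname) and flag a
    reply whose TXID matches none of them."""

    def __init__(self, max_pending=8):
        # A bounded deque per key tolerates a non-caching resolver that fires
        # several queries for the same name before any reply comes back.
        self.pending = defaultdict(lambda: deque(maxlen=max_pending))

    def observe(self, src, dst, payload):
        txid, is_response, qname = parse_dns(payload)
        if not is_response:
            self.pending[(src, dst, qname)].append(txid)
            return None
        key = (dst, src, qname)          # a reply flows server -> client
        seen = self.pending.get(key)
        if not seen:
            return None                  # assumption: no query on record, nothing to compare
        if txid in seen:
            seen.remove(txid)            # matched one outstanding query
            return None
        return {"client": dst, "server": src, "qname": qname,
                "reply_txid": txid, "outstanding": list(seen)}


def run_sample():
    """Constructed traffic between a resolver and an authoritative server
    (hypothetical addresses, not captured data)."""
    client, server = "10.0.0.53", "192.0.2.10"
    det = TxidMismatchDetector()
    events = [
        (client, server, build_dns(0x1234, "www.nytimes.com", False)),
        (server, client, build_dns(0x1234, "www.nytimes.com", True)),   # matches
        (client, server, build_dns(0x1111, "www.nytimes.com", False)),  # non-caching
        (client, server, build_dns(0x2222, "www.nytimes.com", False)),  # resolver re-asks
        (server, client, build_dns(0x2222, "www.nytimes.com", True)),   # matches one
        (server, client, build_dns(0xBEEF, "www.nytimes.com", True)),   # matches none
        (server, client, build_dns(0x4444, "api.nytimes.com", True)),   # never queried
    ]
    return [alert for alert in (det.observe(*e) for e in events) if alert]


if __name__ == "__main__":
    for alert in run_sample():
        print("TXID mismatch:", alert)
```

Only the 0xBEEF reply produces an alert: the two back-to-back queries for the same name are both remembered, so a reply matching either one is accepted, which is the kind of non-caching-resolver tolerance the thread is asking about. Because this toy compares only against recorded queries, a sensor placed where it sees replies but not the matching outbound queries would never alert on them; whether the real rule does the same is something to read off the comment block in the rule source rather than infer from here.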
Current thread:
- Question about SO Rule 3:21355 Jeremy Hoel (Sep 04)
- Re: Question about SO Rule 3:21355 Patrick Mullen (Sep 05)
- Re: Question about SO Rule 3:21355 Jeremy Hoel (Sep 05)
- Re: Question about SO Rule 3:21355 Joel Esler (Sep 05)
- Re: Question about SO Rule 3:21355 Jeremy Hoel (Sep 13)
- Re: Question about SO Rule 3:21355 Jeremy Hoel (Sep 06)
- Re: Question about SO Rule 3:21355 Joel Esler (Sep 06)
- Re: Question about SO Rule 3:21355 Jeremy Hoel (Sep 05)
- Re: Question about SO Rule 3:21355 Patrick Mullen (Sep 05)