Snort mailing list archives

Crashlytics via Umbrella FP


From: James Lay <jlay () slave-tothe-box net>
Date: Sat, 18 Feb 2017 08:45:43 -0700

Appears to fire off:

Feb 18 08:28:28 snort[10548]: [3:13667:18] PROTOCOL-DNS dns cache poisoning attempt [Classification: Misc Attack] [Priority: 2] {UDP} 208.67.220.220:53 -> 192.168.1.100:56800

Started on the third of this month... figured it was high time I
reported it.  From the unified file:

(Event)
        sensor id: 0    event id: 140   event second: 1487430548      event microsecond: 97921
        sig id: 13667   gen id: 3       revision: 18     classification: 30
        priority: 2     ip source: 208.67.222.222       ip destination: 192.168.1.100
        src port: 53    dest port: 52581        protocol: 17    impact_flag: 0  blocked: 0

Packet
        sensor id: 0    event id: 140   event second: 1487430548
        packet second: 1487430548       packet microsecond: 97921
        linktype: 1     packet_length: 99
[    0] F0 DC E2 CD 5E 5E 00 22 41 33 12 B2 08 00 45 00  ....^^."A3....E.
[   16] 00 55 B0 FB 40 00 40 11 18 6E D0 43 DE DE C0 A8  .U..@.@..n.C....
[   32] 01 64 00 35 CD 65 00 41 71 81 10 B0 85 80 00 01  .d.5.e.Aq.......
[   48] 00 01 00 00 00 00 07 72 65 70 6F 72 74 73 0B 63  .......reports.c
[   64] 72 61 73 68 6C 79 74 69 63 73 03 63 6F 6D 00 00  rashlytics.com..
[   80] 01 00 01 C0 0C 00 01 00 01 00 00 00 00 00 04 00  ................
[   96] 00 00 00                                         ...

And the rule:

alert udp any 53 -> any any (msg:"PROTOCOL-DNS dns cache poisoning attempt";
  sid:13667; gid:3; rev:18; classtype:misc-attack;
  reference:cve,2008-0087;
  reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-020;
  reference:cve,2008-1447;
  reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-037;
  reference:cve,1999-0024;
  reference:url,www.kb.cert.org/vuls/id/800113;
  reference:cve,2009-0233;
  reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-008;
  reference:cve,2007-3898;
  reference:cve,2009-0234;
  metadata: engine shared, soid 3|13667, service dns, policy max-detect-ips drop;)

James
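An added decoder for the packet James pasted (this is example code written for this archive page, not James's code and not part of the Snort ruleset). It walks the 99 bytes of the unified2 record above as Ethernet/IPv4/UDP/DNS and returns the fields an analyst wants in front of them when deciding whether a hit on 3:13667 is a real poisoning attempt or the resolver's own answer: the source resolver and ports, the DNS transaction ID and flags, the question, and each answer record's TTL and rdata. It makes no claim about the matching logic inside the shared-object rule, which is not on this page; it only shows what the resolver returned for reports.crashlytics.com. The packet bytes are copied from the hex dump in the post; everything else is the example's own.

```python
"""Decode the DNS reply from the unified2 packet record in the post.

Example code for this archive page (not from the original message and
not part of the Snort ruleset). Assumes Ethernet II / IPv4 / UDP framing,
as linktype 1 in the record indicates.
"""
import socket
import struct

# The 99-byte packet from the unified2 record, copied from the post's hex dump.
PACKET = bytes.fromhex(
    "F0DCE2CD5E5E0022413312B208004500"
    "0055B0FB40004011186ED043DEDEC0A8"
    "01640035CD650041718110B085800001"
    "000100000000077265706F7274730B63"
    "726173686C797469637303636F6D0000"
    "010001C00C0001000100000000000400"
    "000000"
)


def read_name(msg, off, hops=0):
    """Decode a DNS name at msg[off], following RFC 1035 compression pointers.
    Returns (dotted_name, offset_just_past_the_name_in_the_caller's_stream)."""
    labels = []
    end = None  # set once we jump through a pointer; caller resumes there
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            if hops > 16:
                raise ValueError("compression pointer loop")
            ptr = ((length & 0x3F) << 8) | msg[off + 1]
            if end is None:
                end = off + 2
            off, hops = ptr, hops + 1
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_dns(msg):
    """Parse header, question section and every resource record in msg."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    questions = []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    records = []
    for _ in range(an + ns + ar):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:  # A record: render as dotted quad
            rdata = socket.inet_ntoa(rdata)
        records.append({"name": name, "type": rtype, "class": rclass,
                        "ttl": ttl, "rdata": rdata})
    return {
        "id": ident,
        "flags": {"qr": flags >> 15 & 1, "opcode": flags >> 11 & 0xF,
                  "aa": flags >> 10 & 1, "tc": flags >> 9 & 1,
                  "rd": flags >> 8 & 1, "ra": flags >> 7 & 1,
                  "rcode": flags & 0xF},
        "questions": questions,
        "records": records,
    }


def parse_packet(pkt):
    """Ethernet II -> IPv4 -> UDP -> DNS. Raises ValueError on other framing."""
    if struct.unpack("!H", pkt[12:14])[0] != 0x0800:
        raise ValueError("not IPv4")
    ip = pkt[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 17:
        raise ValueError("not UDP")
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    udp = ip[ihl:total_len]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "dns": parse_dns(udp[8:ulen])}


if __name__ == "__main__":
    r = parse_packet(PACKET)
    print(f"{r['src']}:{r['sport']} -> {r['dst']}:{r['dport']}")
    print("id=0x%04x flags=%s" % (r["dns"]["id"], r["dns"]["flags"]))
    for q in r["dns"]["questions"]:
        print("question:", q)
    for rec in r["dns"]["records"]:
        print("record:", rec)
```

Run as-is and it prints the reply from 208.67.222.222:53 to 192.168.1.100:52581 (matching the event record), transaction ID 0x10b0, flags QR/AA/RD/RA with RCODE 0, the question reports.crashlytics.com A IN, and a single answer: an A record for the same name with TTL 0 and rdata 0.0.0.0. To rule out injection when triaging such a hit, compare the transaction ID and destination port against the outbound query captured on the sensor; the reply here is addressed to the ephemeral port the event recorded and comes from the Umbrella resolver James's host is configured to use.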
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit Snort.org to subscribe to the official Snort ruleset; make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
