Snort mailing list archives
Crashlytics via Umbrella FP
From: James Lay <jlay () slave-tothe-box net>
Date: Sat, 18 Feb 2017 08:45:43 -0700
Appears to fire off:

Feb 18 08:28:28 snort[10548]: [3:13667:18] PROTOCOL-DNS dns cache poisoning attempt [Classification: Misc Attack] [Priority: 2] {UDP} 208.67.220.220:53 -> 192.168.1.100:56800

Started on the third of this month...figured it was high-time I reported it.

From the unified file:

(Event)
	sensor id: 0	event id: 140	event second: 1487430548	event microsecond: 97921
	sig id: 13667	gen id: 3	revision: 18	classification: 30
	priority: 2	ip source: 208.67.222.222	ip destination: 192.168.1.100
	src port: 53	dest port: 52581	protocol: 17	impact_flag: 0	blocked: 0

Packet
	sensor id: 0	event id: 140	event second: 1487430548
	packet second: 1487430548	packet microsecond: 97921
	linktype: 1	packet_length: 99
[    0] F0 DC E2 CD 5E 5E 00 22 41 33 12 B2 08 00 45 00  ....^^."A3....E.
[   16] 00 55 B0 FB 40 00 40 11 18 6E D0 43 DE DE C0 A8  .U..@.@..n.C....
[   32] 01 64 00 35 CD 65 00 41 71 81 10 B0 85 80 00 01  .d.5.e.Aq.......
[   48] 00 01 00 00 00 00 07 72 65 70 6F 72 74 73 0B 63  .......reports.c
[   64] 72 61 73 68 6C 79 74 69 63 73 03 63 6F 6D 00 00  rashlytics.com..
[   80] 01 00 01 C0 0C 00 01 00 01 00 00 00 00 00 04 00  ................
[   96] 00 00 00                                          ...

And the rule:

alert udp any 53 -> any any (msg:"PROTOCOL-DNS dns cache poisoning attempt"; sid:13667; gid:3; rev:18; classtype:misc-attack; reference:cve,2008-0087; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-020; reference:cve,2008-1447; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-037; reference:cve,1999-0024; reference:url,www.kb.cert.org/vuls/id/800113; reference:cve,2009-0233; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-008; reference:cve,2007-3898; reference:cve,2009-0234; metadata: engine shared, soid 3|13667, service dns, policy max-detect-ips drop;)

James
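A decoder for the packet record quoted in the post, added here as an example and not part of James's message or of the Snort rule: it walks the Ethernet, IPv4 and UDP headers and the DNS message in the hex dump so that the response's actual contents (an authoritative answer for reports.crashlytics.com carrying one A record with TTL 0 and rdata 0.0.0.0) can be read off when triaging the alert. The hex bytes are the post's; the parsing code, function names and the summary dictionary layout are my own.

```python
import socket, struct
# Frame bytes copied from the hex dump in the post above (99 bytes: Ethernet/IPv4/UDP/DNS).
PACKET_HEX = """
F0 DC E2 CD 5E 5E 00 22 41 33 12 B2 08 00 45 00
00 55 B0 FB 40 00 40 11 18 6E D0 43 DE DE C0 A8
01 64 00 35 CD 65 00 41 71 81 10 B0 85 80 00 01
00 01 00 00 00 00 07 72 65 70 6F 72 74 73 0B 63
72 61 73 68 6C 79 74 69 63 73 03 63 6F 6D 00 00
01 00 01 C0 0C 00 01 00 01 00 00 00 00 00 04 00
00 00 00
"""

def read_name(msg, off):
    """Decode a DNS name at msg[off:], following RFC 1035 compression pointers."""
    labels, end = [], None          # end: offset just past the name at the call site
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # 2-byte compression pointer
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def decode_dns_over_udp(frame):
    """Parse Ethernet/IPv4/UDP headers and the DNS message they carry."""
    ihl = (frame[14] & 0x0F) * 4                       # IPv4 header length
    udp = 14 + ihl
    sport, dport, ulen = struct.unpack("!HHH", frame[udp:udp + 6])
    dns = frame[udp + 8:udp + ulen]
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", dns[:12])
    qname, off = read_name(dns, 12)
    qtype = struct.unpack("!H", dns[off:off + 2])[0]
    off += 4                                           # skip qtype + qclass
    answers = []
    for _ in range(an):
        name, off = read_name(dns, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", dns[off:off + 10])
        rdata = dns[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        answers.append({"name": name, "type": rtype, "ttl": ttl,
                        "rdata": socket.inet_ntoa(rdata) if rtype == 1 else rdata.hex()})
    return {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
            "sport": sport, "dport": dport, "id": txid, "qr": bool(flags & 0x8000),
            "aa": bool(flags & 0x0400), "rcode": flags & 0xF,
            "qname": qname, "qtype": qtype, "answers": answers}
```

Running `decode_dns_over_udp(bytes.fromhex(PACKET_HEX))` shows the response came from 208.67.222.222 (the unified2 record's source, not the 208.67.220.220 in the syslog line) with the AA bit set and a zero-TTL A record for 0.0.0.0, which is the data a triager would weigh when deciding whether this resolver's answer is a false positive for sid 13667.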
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
Visit Snort.org to subscribe to the official Snort ruleset; make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads