Re: sidestep

[Martin Roesch <roesch () sourcefire com>]

Snort 1.8.7 is hideously out of date (not to mention the huge buffer
overflow vulnerability in the rpc decoder), Snort 2.0 is the current state
of the art.  

http://www.snort.org/dl/snort-2.0.0.tar.gz

That DNS evasion you refer to was just a rule issue that was fixed in the
spring of 2001, the "new" rule should fire just fine.


     -Marty


On 5/6/03 2:45 AM, "Jill Tovey" <jill.tovey () bigbluedoor com> wrote:

> I am using Snort 1.8.7 which has the rev:1 SID 1616.
>
> I might try upgrading this later for interest, however my project has
> been handed in now and so there is not much I can do about it anyway :-)
>
>
> On Mon, 2003-05-05 at 14:38, Judy Novak wrote:
> > Jill,
> >
> >     I don't know what version of Snort you are running or what Snort rule set
> > you are using.   If you use version 2.0 with the default rule set
> > (specifically includes file dns.rules with SID 1616), it should trigger.
> >
> >     I ran sidestep DNS evade traffic using a Snort a default configuration
> > file which includes the following rule in the dns.rules file:
> >
> > alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named version attempt";
> > content:"|07|version"; nocase; offset:12; content:"|04|bind"; nocase;
> > offset:12; reference:nessus,10028; reference:arachnids,278;
> > classtype:attempted-recon; sid:1616; rev:4;)
> >
> > And received this alert:
> >
> > 05/05-04:08:21.989255  [**] [1:1616:4] DNS named version attempt [**]
> > [Classification: Attempted Information Leak] [Priority: 2] {UDP}
> > 10.2.3.28:1045 -> 10.2.3.20:53
> >
> > Judy Novak
> >
> > On Saturday 03 May 2003 05:52, Jill Tovey wrote:
> > > Hi all,
> > >
> > > For those of you that were interested, Snort did not detect the DNS
> > > version query from Sidestep.
> > >
> > > Kind Regards,
> > >
> > > Jill Tovey
> > >
> > >
> > >
> > > ---------------------------------------------------------------------------
> > > ---- Can you respond to attacks based on attack type, severity, source IP,
> > > destination IP, number of times attacked, or the time of day an attack
> > > occurs? No?
> > > No wonder why you're swamped with false positives!
> > > Download a free 15-day trial of Border Guard and watch your false
> > > positives disappear.
> > >
> > > http://www.securityfocus.com/StillSecure-focus-ids2
> > > ---------------------------------------------------------------------------
> > > ----
------------------------------------------------------------------------------>
-
> Can you respond to attacks based on attack type, severity, source IP,
> destination IP, number of times attacked, or the time of day an attack
> occurs? No? 
> No wonder why you're swamped with false positives!
> Download a free 15-day trial of Border Guard and watch your false
> positives disappear.
>
> http://www.securityfocus.com/StillSecure-focus-ids2
------------------------------------------------------------------------------>
-
>

-- 
Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org



-------------------------------------------------------------------------------
Can you respond to attacks based on attack type, severity, source IP,
destination IP, number of times attacked, or the time of day an attack
occurs? No? 
No wonder why you're swamped with false positives! 
Download a free 15-day trial of Border Guard and watch your false
positives disappear.

http://www.securityfocus.com/StillSecure-focus-ids2
-------------------------------------------------------------------------------