Snort mailing list archives
DNS suxx0rz (was: Re: Signature for this?)
From: Dragos Ruiu <dr () dursec com>
Date: Sun, 8 Sep 2002 12:05:02 +0000
On September 8, 2002 04:32 pm, Frank Knobbe wrote:
> On Sat, 2002-09-07 at 23:37, Michael Scheidell wrote:
> > is anyone aware of a snort sig for this one?
> > http://www.theregister.co.uk/content/55/26967.html
> > sounds more complicated than a snort sig.
>
> Yeah, I was afraid you guys would say that... Wasn't there someone working on a DNS pre-processor? Maybe that would catch it (overly long DNS responses, etc.)
Well, you might think that snort may not help.... but it could. It should be considered a GOOD THING(tm) to flag large DNS packets, port 53 {tcp, udp}, as suspicious. Rules for this might be a nice thing to add to your standard rule-sets (whadyathink cazz?). Certainly any DNS packet that has a size bigger than 1K should be considered extremely suspect. This kind of a rule _will_ catch some DNS overflow attacks. If you have a higher tolerance for weeding out falses you may want to lower this limit to the 400-600 byte range, as those kinds of monster-grams should be rare. (Old DNS resolver codes peg MAXPACKET at 1K and there are a whole bunch of 512-byte limits in some codes.) Below this range you are into the territory of garden variety DNS queries and the length checking won't do much good, and if there is a way of exploiting our infinitely crappy resolver codes (and they _all_ suck, and I _have_ been looking at them) with smaller ordinary packets, like say a (hypothetical :-) byte alignment problem in the expanded form of the hostname, then this kind of length checking might not do much. But odds are high (:-P) that even this kind of a hypothetical exploit might need to send some big packets to exploit the flaw, so adding this kind of rule sure seems like a good idea.

cheers,
--dr

P.S. Did I ever say how much DNS sucks? Libc resolver is ugly, and bind sucks even more.

P.P.S. I have been working on porting Cerebus 1.3 to more architectures, and some new ones are up at http://dragos.com/cerebus ... Solaris-Sparc64 and Linux-IA64 were recently added. Fortunately the 64-bit arches added only a couple of ifdefs. But why does Solaris have to use uint32_t instead of u_int32_t? Sigh....

--
dr () dursec com pgp: http://dragos.com/dr-dursec.asc
Advance CanSecWest/03 registration available: http://cansecwest.com
"The question of whether computers can think is like the question of whether submarines can swim."
--Edsger Wybe Dijkstra 1930-2002
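The size-based rules sketched in the post above, written out in Snort 2.x rule syntax as an added example. These are not from the original message nor from any published Snort ruleset; the msg strings, the classtype values and the sid numbers 1000001-1000003 (chosen in the local-rule range) are assumptions, as is the choice to match either direction on port 53 so that both queries and responses are covered. The thresholds are the ones the post names: 1K as the "extremely suspect" cut-off, and the classic 512-byte limit as the stricter, noisier variant from the 400-600 byte range.

```snort
# Added example, not from the original post or any vendor ruleset.
# Flag oversized DNS payloads on port 53 (tcp and udp), as discussed above.
# dsize tests the payload length of a single packet, so for TCP it sees one
# segment at a time (including the 2-byte length prefix DNS-over-TCP carries).
# Assumed: sid range 1000001-1000003, classtypes from the stock classification.config.

# 1K threshold: anything this large on port 53 is "extremely suspect".
alert udp any any <> any 53 (msg:"LOCAL DNS UDP payload larger than 1024 bytes"; dsize:>1024; classtype:attempted-admin; sid:1000001; rev:1;)
alert tcp any any <> any 53 (msg:"LOCAL DNS TCP segment payload larger than 1024 bytes"; dsize:>1024; classtype:attempted-admin; sid:1000002; rev:1;)

# Stricter variant in the 400-600 byte range the post mentions: pre-EDNS0
# resolvers cap UDP messages at 512 bytes, so anything above it was rare in 2002.
# Expect more false positives; tune or drop this one if EDNS0/DNSSEC is in use.
alert udp any any <> any 53 (msg:"LOCAL DNS UDP payload over classic 512-byte limit"; dsize:>512; classtype:bad-unknown; sid:1000003; rev:1;)
```

Two caveats a practitioner should keep in mind. First, dsize is evaluated per packet, so a large TCP response split across several segments will not trip the 1024-byte rule unless each segment is itself that large. Second, EDNS0 (RFC 2671) lets legitimate UDP responses exceed 512 bytes, and DNSSEC-signed responses routinely exceed 1K, so on a modern network these rules are a triage signal to correlate with other indicators rather than a standalone verdict.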