Re: BAD-TRAFFIC dns cache poisoning attempt sid:13667

[yew chuan Ong <yewchuan_23 () yahoo com>]

Hi All,

I found this rule under so_rules.

I also found a thread discussing GID:3... http://seclists.org/snort/2010/q1/190
Since we have no idea how the sig works (in term of detection method), how can we analyze it?

Appreciate if anyone can response. Thanks!


Regards
Yew Chuan

________________________________
 From: yew chuan Ong <yewchuan_23 () yahoo com>
To: "snort-sigs () lists sourceforge net" <snort-sigs () lists sourceforge net> 
Sent: Thursday, November 8, 2012 3:33 PM
Subject: [Snort-sigs] BAD-TRAFFIC dns cache poisoning attempt sid:13667
 

Hi,

I found the description of this sig here - http://cs.uccs.edu/~cs591/ids/snort/snort2_9_0/so_rules/bad-traffic.rules.

But, when I downloaded the rules from Snort, I found nothing related inside bad-traffic.rules. Any ideas? 

This sig is still enabled by default right?

Thanks!



Regards
Yew Chuan
------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_nov
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_nov

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!