Snort mailing list archives

Re: BAD-TRAFFIC dns cache poisoning attempt sid:13667


From: waldo kitty <wkitty42 () windstream net>
Date: Sat, 10 Nov 2012 09:35:17 -0500

On 11/10/2012 06:44, yew chuan Ong wrote:
 > Thanks Waldo Kitty!
 >
 > So what do you guys usually do when this sig gets triggered?

in our case, we accept DNS updates only from specific systems... any others 
attempting to feed DNS data to us are blocked...

this is something you need to take a close look at and fully understand, 
though... the DNS system is required for proper operation on most networks... 
one can all too easily "knock everyone off" by blocking the wrong system(s)... 
one can also cause problems with performing whois, ipblock and nslookup 
functions if they block the wrong IPs... this is a delicate area, for sure...


--------------------------------------------------------------------------------
*From:* waldo kitty <wkitty42 () windstream net>
*To:* snort-sigs () lists sourceforge net
*Sent:* Friday, November 9, 2012 10:31 PM
*Subject:* Re: [Snort-sigs] BAD-TRAFFIC dns cache poisoning attempt sid:13667

On 11/8/2012 23:31, yew chuan Ong wrote:
 > Hi All,
 >
 > I found this rule under so_rules.

yeah, i wish they'd use other category filenames for GID 3 rules instead of
using the same ones GID 1 uses... perhaps they should prefix those category
filenames and MSG texts with SO_ to make it more obvious? there are times that
GID:3 just gets lost in sight...

 > I also found a thread discussing GID:3... http://seclists.org/snort/2010/q1/190
 > Since we have no idea how the sig works (in term of detection method), how can
 > we analyze it?

simply put, you cannot... you need the source code and that is not available to
the general public, AFAIK...

 > Appreciate it if anyone can respond. Thanks!
 >
 >
 > Regards
 > Yew Chuan
 > --------------------------------------------------------------------------------
 > *From:* yew chuan Ong
 > *To:* "snort-sigs () lists sourceforge net <mailto:snort-sigs () lists sourceforge net>"
 > *Sent:* Thursday, November 8, 2012 3:33 PM
 > *Subject:* [Snort-sigs] BAD-TRAFFIC dns cache poisoning attempt sid:13667
 >
 > Hi,
 >
 > I found the description of this sig here -
 > http://cs.uccs.edu/~cs591/ids/snort/snort2_9_0/so_rules/bad-traffic.rules.
 >
 > But, when I downloaded the rules from Snort, I found nothing related inside
 > bad-traffic.rules. Any ideas?
 >
 > This sig is still enabled by default right?
 >
 > Thanks!
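The reply above says the site only accepts DNS data from specific systems and blocks everything else. The following is an added example, not code from this thread or from the Snort project, showing what that policy looks like as a concrete check: a response is only trusted if it comes from an approved server AND matches a query the resolver actually sent (same name, transaction ID and source port). The approved-server list, the table of outstanding queries and the sample response records are all constructed for illustration; the function names (`classify`, `triage`, `unsolicited_by_source`) are this example's own.

```python
"""Added example: accept DNS responses only from approved servers and only
when they answer a query we actually sent. All data below is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed allow-list: the only resolvers/forwarders this site trusts.
APPROVED_DNS_SERVERS = [ip_network("192.0.2.53/32"), ip_network("198.51.100.0/24")]


@dataclass(frozen=True)
class DnsResponse:
    src_ip: str       # where the response came from
    dst_port: int     # the source port our resolver used for the query
    txid: int         # 16-bit DNS transaction ID
    qname: str        # question name the response claims to answer
    answer_ip: str    # address carried in the answer section


def source_is_approved(src_ip):
    """True if the sender is inside one of the approved networks."""
    addr = ip_address(src_ip)
    return any(addr in net for net in APPROVED_DNS_SERVERS)


def classify(resp, outstanding):
    """Verdict for one response. `outstanding` maps
    (qname, txid, dst_port) -> True for queries sent but not yet answered."""
    if not source_is_approved(resp.src_ip):
        return "drop: unapproved source"
    if (resp.qname, resp.txid, resp.dst_port) not in outstanding:
        return "drop: unsolicited response (no matching query)"
    return "accept"


def triage(responses, outstanding):
    """Classify a batch in order; an accepted response consumes its query,
    so a second copy of the same answer is treated as unsolicited."""
    pending = dict(outstanding)
    verdicts = []
    for r in responses:
        v = classify(r, pending)
        if v == "accept":
            del pending[(r.qname, r.txid, r.dst_port)]
        verdicts.append(v)
    return verdicts


def unsolicited_by_source(responses, outstanding, threshold=2):
    """Sources that sent at least `threshold` unsolicited responses. A burst
    of responses with mismatched transaction IDs for one pending name is the
    pattern a cache-poisoning signature is built to notice."""
    counts = {}
    for r, v in zip(responses, triage(responses, outstanding)):
        if v.startswith("drop: unsolicited"):
            counts[r.src_ip] = counts.get(r.src_ip, 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed outstanding queries: (qname, txid, source port we used).
OUTSTANDING = {("example.com.", 0x1A2B, 51234): True,
               ("example.net.", 0x3C4D, 51235): True}

# Constructed sample responses (TEST-NET addresses, no real hosts).
SAMPLE_RESPONSES = [
    DnsResponse("192.0.2.53", 51234, 0x1A2B, "example.com.", "203.0.113.10"),    # legitimate
    DnsResponse("203.0.113.99", 51235, 0x3C4D, "example.net.", "203.0.113.66"),  # right txid, unapproved source
    DnsResponse("198.51.100.7", 51235, 0x0001, "example.net.", "203.0.113.66"),  # approved source, txid guess
    DnsResponse("198.51.100.7", 51235, 0x0002, "example.net.", "203.0.113.66"),  # another guess
    DnsResponse("192.0.2.53", 51234, 0x1A2B, "example.com.", "203.0.113.10"),    # duplicate of an answered query
]

if __name__ == "__main__":
    for r, v in zip(SAMPLE_RESPONSES, triage(SAMPLE_RESPONSES, OUTSTANDING)):
        print(f"{r.src_ip:>14}  txid={r.txid:#06x}  {v}")
    print("noisy sources:", unsolicited_by_source(SAMPLE_RESPONSES, OUTSTANDING))
```

The source check alone is what the reply describes, and it is what a firewall rule gives you; the transaction-ID and port match is the part a firewall cannot do, and it matters because a UDP source address can be forged to look like an approved server (the third and fourth sample records). Counting unsolicited responses per source is a cheap way to get the "many guesses against one pending name" pattern in front of an analyst without needing the closed-source GID:3 rule logic.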


------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

