DNS Snort Signatures; Acrobat Reader Vuln; TCP Port 1025 Traffic; Excellent DNS Article
Snort Signatures for TLD DNS packets
Many thanks to Cody Hatch for all the hard work in building and testing these. These signatures require Snort version 2.3 or later (they rely on byte_jump with from_beginning). Feedback on them would be greatly appreciated as well.
# Each rule needs its own sid or Snort will refuse the rule set; the rules below use 1600-1610.
# Logic: from an external DNS server (port 53), alert when an NS record (type |00 02|) whose owner
# name is a compression pointer (|c0 xx|) points at a bare TLD label, and the packet does not name
# a *TLD-SERVERS host in bytes 10-59 (the place a legitimate referral would put it).
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"com DNS cache poison"; content:!"TLD-SERVERS"; nocase; offset:10; depth:50; content:"|c0|"; content:"|00 02|"; distance:1; within:2; byte_jump:1,-3,relative,from_beginning; content:"|03|com|00|"; nocase; within:5; classtype:misc-attack; sid:1600; rev:3;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"net DNS cache poison"; content:!"TLD-SERVERS"; nocase; offset:10; depth:50; content:"|c0|"; content:"|00 02|"; distance:1; within:2; byte_jump:1,-3,relative,from_beginning; content:"|03|net|00|"; nocase; within:5; classtype:misc-attack; sid:1601; rev:3;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"org DNS cache poison"; content:!"TLD-SERVERS"; nocase; offset:10; depth:50; content:"|c0|"; content:"|00 02|"; distance:1; within:2; byte_jump:1,-3,relative,from_beginning; content:"|03|org|00|"; nocase; within:5; classtype:misc-attack; sid:1602; rev:3;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"biz DNS cache poison"; content:!"TLD-SERVERS"; nocase; offset:10; depth:50; content:"|c0|"; content:"|00 02|"; distance:1; within:2; byte_jump:1,-3,relative,from_beginning; content:"|03|biz|00|"; nocase; within:5; classtype:misc-attack; sid:1603; rev:3;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"edu DNS cache poison"; content:!"TLD-SERVERS"; nocase; offset:10; depth:50; content:"|c0|"; content:"|00 02|"; distance:1; within:2; byte_jump:1,-3,relative,from_beginning; content:"|03|edu|00|"; nocase; within:5; classtype:misc-attack; sid:1604; rev:3;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"gov DNS cache poison"; content:!"TLD-SERVERS"; nocase; offset:10; depth:50; content:"|c0|"; content:"|00 02|"; distance:1; within:2; byte_jump:1,-3,relative,from_beginning; content:"|03|gov|00|"; nocase; within:5; classtype:misc-attack; sid:1605; rev:3;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"int DNS cache poison"; content:!"TLD-SERVERS"; nocase; offset:10; depth:50; content:"|c0|"; content:"|00 02|"; distance:1; within:2; byte_jump:1,-3,relative,from_beginning; content:"|03|int|00|"; nocase; within:5; classtype:misc-attack; sid:1606; rev:3;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"mil DNS cache poison"; content:!"TLD-SERVERS"; nocase; offset:10; depth:50; content:"|c0|"; content:"|00 02|"; distance:1; within:2; byte_jump:1,-3,relative,from_beginning; content:"|03|mil|00|"; nocase; within:5; classtype:misc-attack; sid:1607; rev:3;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"info DNS cache poison"; content:!"TLD-SERVERS"; nocase; offset:10; depth:50; content:"|c0|"; content:"|00 02|"; distance:1; within:2; byte_jump:1,-3,relative,from_beginning; content:"|04|info|00|"; nocase; within:6; classtype:misc-attack; sid:1608; rev:3;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"name DNS cache poison"; content:!"TLD-SERVERS"; nocase; offset:10; depth:50; content:"|c0|"; content:"|00 02|"; distance:1; within:2; byte_jump:1,-3,relative,from_beginning; content:"|04|name|00|"; nocase; within:6; classtype:misc-attack; sid:1609; rev:3;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"pro DNS cache poison"; content:!"TLD-SERVERS"; nocase; offset:10; depth:50; content:"|c0|"; content:"|00 02|"; distance:1; within:2; byte_jump:1,-3,relative,from_beginning; content:"|03|pro|00|"; nocase; within:5; classtype:misc-attack; sid:1610; rev:3;)
Again, many props to Cody Hatch for the work on this one.
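To show exactly what these signatures match, here is a small Python emulation of the rules' byte-level logic run over two constructed DNS responses. This is an added example written for this page; it is not part of Cody Hatch's rules or the diary. The packets, the query name www.example.com and the nameserver name ns.evil.net are all made up for the illustration.

```python
"""Emulate the '<tld> DNS cache poison' Snort rules over raw DNS payloads.

Added example, not from the ISC diary or the posted rule set.  All packets
below are constructed here; no real host names are implied.
"""
import struct

# Same TLD list as the posted rules, in the same order.
TLDS = [b"com", b"net", b"org", b"biz", b"edu", b"gov", b"int", b"mil",
        b"info", b"name", b"pro"]


def rule_matches(payload: bytes, tld: bytes) -> bool:
    """Mirror one rule's content options on a UDP payload (DNS message).

    content:!"TLD-SERVERS"; nocase; offset:10; depth:50;
        -> the string must NOT occur in payload[10:60]
    content:"|c0|"; content:"|00 02|"; distance:1; within:2;
        -> a compression pointer (c0 xx) immediately followed by type NS
    byte_jump:1,-3,relative,from_beginning;
        -> read the pointer's low byte and jump to that offset from byte 0
    content:"|03|com|00|"; nocase; within:5;
        -> the label at that offset is exactly the TLD, then the root label
    """
    if b"tld-servers" in payload[10:60].lower():
        return False
    label = bytes([len(tld)]) + tld.lower() + b"\x00"
    pos = 0
    # Snort retries the earlier content when a later one fails, so every
    # 0xc0 byte in the payload is a candidate pointer.
    while True:
        i = payload.find(b"\xc0", pos)
        if i < 0:
            return False
        if payload[i + 2:i + 4] == b"\x00\x02":
            target = payload[i + 1]  # low byte of the compression pointer
            # within:<len(label)> after the jump means the label must start
            # exactly at the jump target.
            if payload[target:target + len(label)].lower() == label:
                return True
        pos = i + 1


def matching_tlds(payload: bytes) -> list:
    """Return the names of the TLD rules that would fire on this payload."""
    return [t.decode() for t in TLDS if rule_matches(payload, t)]


def build_response(qname_labels, ns_rdata: bytes) -> bytes:
    """Constructed DNS response: one A question for the given labels, no
    answers, and one authority NS record whose owner name is a compression
    pointer to the question's last (TLD) label."""
    header = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 0, 1, 0)
    qname = b"".join(bytes([len(l)]) + l for l in qname_labels) + b"\x00"
    question = qname + struct.pack(">HH", 1, 1)           # QTYPE A, QCLASS IN
    # Offset of the TLD label inside the whole payload (header + earlier labels).
    tld_off = len(header) + sum(len(l) + 1 for l in qname_labels[:-1])
    authority = (bytes([0xC0, tld_off])                   # NAME: pointer to TLD label
                 + struct.pack(">HHIH", 2, 1, 172800, len(ns_rdata))  # NS, IN, TTL, RDLENGTH
                 + ns_rdata)
    return header + question + authority


# Constructed samples.  ns.evil.net is an invented name.
POISON = build_response([b"www", b"example", b"com"], b"\x02ns\x04evil\x03net\x00")
# A legitimate .com referral names a gTLD server; "gtld-servers" lands inside
# payload[10:60], so the negated content suppresses the alert.
LEGIT = build_response([b"www", b"example", b"com"], b"\x01a\x0cgtld-servers\x03net\x00")

if __name__ == "__main__":
    print("poison:", matching_tlds(POISON))
    print("legit: ", matching_tlds(LEGIT))
```

Two things the emulation makes visible that the rules themselves leave implicit. The negated content only inspects bytes 10 through 59, so a long question name can push a legitimate gtld-servers name past that window (a false positive), and an attacker can plant the string "tld-servers" in any label inside the window (an evasion). The pointer match also requires the NS owner name to be compressed with a pointer into the first 256 bytes; a forged record that spells the TLD owner name out in full is not seen by these rules.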
New Adobe Acrobat Reader Vulnerability
NISCC has reported that Acrobat Reader contains a vulnerability which, when exploited, could allow an attacker to discover files on the local system. Yes, we know the advisory is a PDF; this isn't an April Fools joke.
Thanks, Adrien, for the update:
http://www.niscc.gov.uk/niscc/docs/re-20050401-00264.pdf
More Port 1025 activity
We are still seeing TCP 1025 traffic, with a new report submitted today from Michael Cloppert. His report showed a spike from external sources, in excess of 10,000 hosts.
If anybody has captures of TCP 1025 traffic it would greatly help in our analysis.
DNS and the future
Given the DNS cache poisoning activity we are currently dealing with, one of the Handlers suggested this might be good reading. (It *is* good reading; highly recommended.)
http://www.nap.edu/execsumm_pdf/11258.pdf