Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Snort-sigs] DNS Spoof probably has false positive

from [chatiman] Network Security [Permanent Link]
Subject: [Snort-sigs] DNS Spoof probably has false positive
Date: Mon, 15 Nov 2004 10:48:31 +0100 

Rule:  DNS SPOOF query response with TTL of 1 min. and no authority
--
Sid:   1:254
--
False Positives: dnsmasq uses low ttl for /etc/hosts records :

==== extracted from man dnsmasq ====
-T, --local-ttl=<time>
When replying with information from /etc/hosts or the DHCP leases file dnsmasq by default sets the time-to-live field to zero, meaning that the
requestor should not itself cache the information. This is the correct thing to do in almost all situations. This option allows a time-to-live (in
seconds) to be given for these replies. This will reduce the load on the server at the expense of clients using stale data under some circum-
stances.

=====================================


-------------------------------------------------------
This SF.Net email is sponsored by: InterSystems CACHE
FREE OODBMS DOWNLOAD - A multidimensional database that combines
robust object and relational technologies, making it a perfect match
for Java, C++,COM, XML, ODBC and JDBC. www.intersystems.com/match8
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Snort-sigs] DNS Spoof probably has false positive, chatiman <=
Previous by Date:  Re: [Snort-sigs] Multiple content requirements in single rule, force order requirement, Jason
Next by Date:  [Snort-sigs] (no subject), Doug McLean
Previous by Thread:  [Snort-sigs] what triggers spp_stream4: TTL Evasion attempt, Russell Fulton
Next by Thread:  [Snort-sigs] (no subject), Doug McLean
Indexes:  [Date] [Thread] [Top] [All Lists]