Network Security: Detailed info on Re: [Snort-sigs] new rule for detect windows NAT DNS DoS

Subject:	Re: [Snort-sigs] new rule for detect windows NAT DNS DoS
Date:	Tue, 31 Oct 2006 08:01:26 -0800

My data shows this also valid over tcp.
This rule is too generic, I tested it with a large amount of DNS traffic 
and legitimate requests cause false positives very frequently, namely:

The header field "Questions" has a value of 00 01
And the data following contains multiple null bytes.

Is there a better way to anchor this detection?

-Blake


rmkml wrote:

Hi,

please check and maybe add this new rule :

dns.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS Windows 
NAT DoS attempt"; content:"|01 00|"; offset:2; content:"|00 00|"; 
offset:10; reference:cve,2006-5614; classtype:bad-unknown; rev:1;)

"Overview: Microsoft Windows NAT Helper components (ipnathlp.dll) on 
windows XP SP2, when internet connection sharing is enabled, allows remote 
attackers to cause DoS (svchost.exe crash) via malformed DNS query, which 
results in a null pointer dereference."

Any suggestions and improvements are welcome,

This rule is offered by Crusoe Researches (Team)
http://www.crusoe-researches.com

Regards
Rmkml

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs



-- 
This email and any files transmitted with it are solely intended for the use of 
the addressee(s) and may contain information that is confidential and 
privileged.  If you receive this email in error, please advise us by return 
email immediately. Please also disregard the contents of the email, delete it 
and destroy any copies immediately.  Demarc Security, Inc. does not accept 
liability for the views expressed in the email or for the consequences of any 
computer viruses that may be transmitted with this email.

This email is also subject to copyright. No part of it should be reproduced, 
adapted or transmitted without the written consent of the copyright owner.


-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

<Prev in Thread]	Current Thread	[Next in Thread>
[Snort-sigs] new rule for detect windows NAT DNS DoS, rmkml Re: [Snort-sigs] new rule for detect windows NAT DNS DoS, Blake Hartstein <= Re: [Snort-sigs] new rule for detect windows NAT DNS DoS, M. Shirk Re: [Snort-sigs] new rule for detect windows NAT DNS DoS, Frank Knobbe Re: [Snort-sigs] new rule for detect windows NAT DNS DoS, Frank Knobbe Re: [Snort-sigs] new rule for detect windows NAT DNS DoS, Brian

Previous by Date:	[Snort-sigs] new rule for detect windows NAT DNS DoS, rmkml
Next by Date:	Re: [Snort-sigs] new rule for detect windows NAT DNS DoS, M. Shirk
Previous by Thread:	[Snort-sigs] new rule for detect windows NAT DNS DoS, rmkml
Next by Thread:	Re: [Snort-sigs] new rule for detect windows NAT DNS DoS, M. Shirk
Indexes:	[Date] [Thread] [Top] [All Lists]