On Tue, Oct 31, 2006 at 02:41:21PM -0800, Jon Hart wrote:
The signature below *should* alert on attempts to do Dynamic DNS
updates (not in the dyndns.org/etc sense). It does this by looking for
an opcode of 5 (update), followed by 1 or more zones to update, followed
by 0 or more pre-reqs, followed by 1 or more updates, followed by
0 or more additional RRs, followed by some amount of data that should
contain the actual updates.
I'm not too good with byte_test, but in my testing this seems to work as
desired. The isdataat value was picked out of the air -- suggestions
are welcome.
I plan on using this sig on our internal and external DNS -- DNS updates
internally have bit us in the past, so hopefully this sig helps someone
else too.
Comments, complaints, etc, are welcome.
alert udp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"DNS Dynamic update
attempt"; byte_test:2,&,10240,2; byte_test:2,>,0,0,relative;
byte_test:2,^,1,0,relative; byte_test:2,>,0,0,relative;
byte_test:2,^,1,0,relative; isdataat:20,relative; sid:11111111; rev:1;)
You made a repeatitive error, which causes this rule to not work as
you expect.
byte_test does not move the relative pointer. You are checking the
same 2 bytes 4 times.
BTW, there are faster ways to do "1 or more", eg "not 0"
content:!"|00 00|";
Brian
-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
