Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-sigs] Dynamic DNS update attempt (new sig)

from [Jon Hart] Network Security [Permanent Link]
Subject: Re: [Snort-sigs] Dynamic DNS update attempt (new sig)
Date: Wed, 1 Nov 2006 09:48:04 -0800 
On Wed, Nov 01, 2006 at 04:31:36AM -0500, Brian wrote:

On Tue, Oct 31, 2006 at 02:41:21PM -0800, Jon Hart wrote:

The signature below *should* alert on attempts to do Dynamic DNS
updates (not in the dyndns.org/etc sense).  It does this by looking for
an opcode of 5 (update), followed by 1 or more zones to update, followed
by 0 or more pre-reqs, followed by 1 or more updates, followed by
0 or more additional RRs, followed by some amount of data that should
contain the actual updates.

I'm not too good with byte_test, but in my testing this seems to work as
desired.  The isdataat value was picked out of the air -- suggestions
are welcome.

I plan on using this sig on our internal and external DNS -- DNS updates
internally have bit us in the past, so hopefully this sig helps someone
else too.

Comments, complaints, etc, are welcome.

alert udp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"DNS Dynamic update
attempt"; byte_test:2,&,10240,2; byte_test:2,>,0,0,relative;
byte_test:2,^,1,0,relative; byte_test:2,>,0,0,relative;
byte_test:2,^,1,0,relative; isdataat:20,relative;  sid:11111111; rev:1;)


You made a repeatitive error, which causes this rule to not work as
you expect.

byte_test does not move the relative pointer.  You are checking the
same 2 bytes 4 times. 


Good to know.  The docs say relative is "Use an offset relative to last
pattern match" -- a bit misleading, but the first example in the docs
seems to back up what you say.


BTW, there are faster ways to do "1 or more", eg "not 0"

    content:!"|00 00|";


Is content negation faster than byte_test in general, or just in this
specific case?

Thanks,

-jon

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Snort-sigs] new rule for detect windows NAT DNS DoS, M. Shirk
Next by Date:  Re: [Snort-sigs] Dynamic DNS update attempt (new sig), Jon Hart
Previous by Thread:  Re: [Snort-sigs] Dynamic DNS update attempt (new sig), Brian
Next by Thread:  Re: [Snort-sigs] Dynamic DNS update attempt (new sig), Brian
Indexes:  [Date] [Thread] [Top] [All Lists]