Snort mailing list archives

Re: Detecting cross reference at DNS decompression by a snort rule


From: rmkml <rmkml () yahoo fr>
Date: Fri, 27 May 2011 12:18:35 +0200 (CEST)

Hi anvari85,
Yes, it's a DNS compression loop DoS...
The DNS query "starts" with compressed bytes (\xc0\x0e) at \xc0\x0c, and at \xc0\x0e it contains compressed bytes (\xc0\x0c): a loop!
A DNS query never starts with compressed bytes... (comments are welcome)

Note: Snort v2905 alerts on zlip-2.pcap:
 04/11-19:48:09.550140  [**] [116:98:1] (snort_decoder) WARNING: Long UDP packet, length field < payload length [**] 
[Classification: Generic Protocol Command Decode] [Priority: 3] {UDP} 10.0.0.1:0 -> 146.84.28.88:0
Regards
Rmkml


On Fri, 27 May 2011, سعید انواری wrote:

Hello. I want to write a Snort rule to detect a DNS exploit resulting from endless cross-referencing in a DNS compression
message; in particular, I mean the zlip-2.pcap packet ( zlip-2.pcap ).
Can somebody help me?
Thanks.
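The loop rmkml describes, as an added example that is not part of either post and not Snort code: a compressed-name decoder that refuses pointer cycles, run over a constructed packet with the same shape as the zlip-2.pcap question (the pointer at offset 0x0c targets 0x0e, and 0x0e targets 0x0c). The packet bytes, the `MAX_POINTER_HOPS` cap and the function names are assumptions made for this example; the pcap itself is not reproduced. The `allow_forward` switch shows why a visited-offset set is needed even though RFC 1035 only permits pointers to a prior occurrence: a lenient parser that accepts the forward pointer still terminates, because the second hop lands on an offset it has already seen.

```python
"""Compressed-name decoder that refuses DNS compression-pointer loops.

Added example (not from the mailing-list thread, not Snort's decoder).
The packets below are constructed to have the shape rmkml describes for
zlip-2.pcap (pointer at 0x0c -> 0x0e, pointer at 0x0e -> 0x0c); they are
not the pcap itself.
"""
import struct

DNS_HEADER_LEN = 12          # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
MAX_NAME_LEN = 255           # RFC 1035 section 2.3.4
MAX_POINTER_HOPS = 16        # assumed defensive cap; real names need one or two


class DnsNameError(ValueError):
    """A malformed or hostile compressed name."""


def read_name(msg, offset, allow_forward=False):
    """Decode the name at `offset`; return (dotted_name, offset_after_name).

    offset_after_name is the position just past the name's inline bytes
    (past the first pointer if one ends it), where QTYPE/QCLASS follow.
    Defences: a pointer must point strictly backwards unless allow_forward
    is set (RFC 1035: it refers to a *prior* occurrence); every offset
    visited is recorded so any cycle is caught even with allow_forward;
    hop count and decoded length are capped.
    """
    labels, pos, end, visited, hops, total = [], offset, None, set(), 0, 0
    while True:
        if pos >= len(msg):
            raise DnsNameError("name runs past end of message")
        if pos in visited:
            raise DnsNameError("compression loop at offset 0x%02x" % pos)
        visited.add(pos)
        length = msg[pos]
        if length & 0xC0 == 0xC0:                      # 11xxxxxx: pointer
            if pos + 1 >= len(msg):
                raise DnsNameError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if end is None:
                end = pos + 2
            if target >= pos and not allow_forward:
                raise DnsNameError("forward pointer 0x%02x -> 0x%02x" % (pos, target))
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise DnsNameError("too many compression pointers")
            pos = target
            continue
        if length & 0xC0:                              # 01xxxxxx / 10xxxxxx: reserved
            raise DnsNameError("reserved label type 0x%02x" % length)
        if length == 0:                                # root label: end of name
            if end is None:
                end = pos + 1
            return ".".join(labels) + ".", end
        total += length + 1
        if total > MAX_NAME_LEN:
            raise DnsNameError("name longer than 255 octets")
        label = msg[pos + 1:pos + 1 + length]
        if len(label) != length:
            raise DnsNameError("truncated label")
        labels.append(label.decode("ascii", "replace"))
        pos += 1 + length


def qname_starts_with_pointer(msg):
    """rmkml's observation as a one-byte check: the first QNAME octet
    (offset 12) of a legitimate query is a label length, never a pointer."""
    return len(msg) > DNS_HEADER_LEN and msg[DNS_HEADER_LEN] & 0xC0 == 0xC0


def classify(msg, allow_forward=False):
    """Walk every QNAME in the question section; return 'ok' or the
    DnsNameError text so a caller can alert on it."""
    if len(msg) < DNS_HEADER_LEN:
        return "truncated header"
    qdcount = struct.unpack_from(">H", msg, 4)[0]
    pos = DNS_HEADER_LEN
    try:
        for _ in range(qdcount):
            _, pos = read_name(msg, pos, allow_forward)
            pos += 4                                   # skip QTYPE, QCLASS
    except DnsNameError as e:
        return str(e)
    return "ok"


# --- constructed sample packets (not captured traffic) --------------------
HEADER = struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)   # one question

# Pointer loop: offset 0x0c holds C0 0E, offset 0x0e holds C0 0C.
LOOP_QUERY = HEADER + b"\xc0\x0e" + b"\xc0\x0c" + struct.pack(">HH", 1, 1)

# Benign: QNAME example.com at 0x0c, then a second name "www" plus a
# backward pointer to 0x0c (the shape an answer section uses).
GOOD_QUERY = HEADER + b"\x07example\x03com\x00" + struct.pack(">HH", 1, 1)
WWW_OFFSET = len(GOOD_QUERY)
GOOD_QUERY += b"\x03www\xc0\x0c"

if __name__ == "__main__":
    print(classify(LOOP_QUERY))                        # forward pointer 0x0c -> 0x0e
    print(classify(LOOP_QUERY, allow_forward=True))    # compression loop at offset 0x0c
    print(qname_starts_with_pointer(LOOP_QUERY))       # True
    print(classify(GOOD_QUERY), read_name(GOOD_QUERY, WWW_OFFSET))
```

The one-byte check in `qname_starts_with_pointer` is the part that maps directly onto a plain Snort content rule: assuming the rule is matched against the UDP payload starting at the DNS header, `content:"|C0|"; offset:12; depth:1;` fires on a query whose QNAME begins with a pointer into the first 256 octets, which is exactly the \xc0\x0e rmkml points at. Catching the general cycle (pointers that go backwards yet still revisit an offset) needs the decoder walk above rather than a fixed-offset byte match.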
