Snort mailing list archives
Re: Detecting cross reference at DNS decompression by a snort rule
From: rmkml <rmkml () yahoo fr>
Date: Fri, 27 May 2011 12:18:35 +0200 (CEST)
Hi anvari85,

Yes, it's a DNS compression loop DoS... The DNS query "starts" with compressed bytes (\xc0\x0e) at \xc0\x0c; at \xc0\x0e it contains compressed bytes (\xc0\x0c): loop! A DNS query never starts with compressed bytes... (comments are welcome)

Note, Snort v2905 alerts on zlip-2.pcap:

04/11-19:48:09.550140 [**] [116:98:1] (snort_decoder) WARNING: Long UDP packet, length field < payload length [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {UDP} 10.0.0.1:0 -> 146.84.28.88:0

Regards
Rmkml

On Fri, 27 May 2011, سعید انواری wrote:
Hello. I want to write a Snort rule to detect a DNS exploit that results from endless cross-referencing in a DNS compression message; especially, I mean the zlip-2.pcap packet. Can somebody help me? Thanks.
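The loop rmkml describes is easiest to see in a decompressor that refuses to follow it. The following is an added example written for this archive page, not code from rmkml, from anvari85 or from Snort: a small DNS name decompressor with the checks a decoder needs (visited-offset tracking for pointer loops, backward-only pointers as RFC 1035 intends with its "prior occurrence" wording, label/name length limits and packet bounds), run over three constructed packets. The first mirrors the zlip-2 layout rmkml gives (pointer at 0x0c to 0x0e, pointer at 0x0e back to 0x0c); it is built by hand here and is not the real zlip-2.pcap. The second shows why a backward-only rule is not enough on its own, and the third is a well-formed query.

```python
"""Detect DNS compression-pointer loops while decompressing names.

Added example; not part of the mailing-list thread. All packet bytes
below are constructed for illustration (not the real zlip-2.pcap).
"""
import struct

DNS_HEADER_LEN = 12
MAX_NAME_LEN = 255
MAX_LABEL_LEN = 63


class DnsNameError(ValueError):
    """A name could not be decompressed safely."""


def read_name(packet, offset):
    """Decompress the name at `offset`; return (name, offset_after_name).

    Guards: every offset visited is recorded, so a chain that revisits one
    (a loop) is rejected; a pointer must point backwards (RFC 1035 says a
    pointer refers to a *prior* occurrence), so a name cannot begin with a
    pointer into its own bytes; label (63) and name (255) limits and packet
    bounds are enforced.
    """
    labels, visited, name_len = [], set(), 0
    end = None                  # offset just past the first pointer or zero label
    pos = offset
    while True:
        if pos in visited:
            raise DnsNameError("compression pointer loop at offset %d" % pos)
        visited.add(pos)
        if pos >= len(packet):
            raise DnsNameError("name runs past end of packet")
        length = packet[pos]
        if length & 0xC0 == 0xC0:               # 11xxxxxx: 14-bit pointer
            if pos + 1 >= len(packet):
                raise DnsNameError("truncated compression pointer")
            target = struct.unpack("!H", packet[pos:pos + 2])[0] & 0x3FFF
            if end is None:
                end = pos + 2
            if target >= pos:
                raise DnsNameError("forward pointer %d -> %d" % (pos, target))
            pos = target
            continue
        if length & 0xC0:                       # 01xxxxxx / 10xxxxxx are reserved
            raise DnsNameError("reserved label type at offset %d" % pos)
        if length == 0:                         # root label terminates the name
            return ".".join(labels) or ".", (end if end is not None else pos + 1)
        if length > MAX_LABEL_LEN:
            raise DnsNameError("label longer than 63 bytes at offset %d" % pos)
        name_len += length + 1
        if name_len > MAX_NAME_LEN:
            raise DnsNameError("name longer than 255 bytes")
        label = packet[pos + 1:pos + 1 + length]
        if len(label) != length:
            raise DnsNameError("truncated label at offset %d" % pos)
        labels.append(label.decode("ascii", errors="replace"))
        pos += 1 + length


def check_question_section(packet):
    """Walk the question section; return (names_parsed, error_or_None)."""
    if len(packet) < DNS_HEADER_LEN:
        return [], "short header"
    qdcount = struct.unpack("!H", packet[4:6])[0]
    names, pos = [], DNS_HEADER_LEN
    for _ in range(qdcount):
        try:
            name, pos = read_name(packet, pos)
        except DnsNameError as exc:
            return names, str(exc)
        names.append(name)
        pos += 4                                # skip QTYPE and QCLASS
    return names, None


# Constructed 12-byte header: id 0x1234, RD set, QDCOUNT=1.
HEADER = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)

# Constructed: the zlip-2 pattern rmkml describes. The question name starts
# with a pointer to 0x0e, and 0x0e points back to 0x0c.
ZLIP2_LIKE = HEADER + b"\xc0\x0e" + b"\xc0\x0c" + b"\x00\x01\x00\x01"

# Constructed: label "a" at 0x0c, then a *backward* pointer at 0x0e to 0x0c.
# The backward-only rule passes it; only the visited-offset check stops it.
BACKWARD_LOOP = HEADER + b"\x01a" + b"\xc0\x0c" + b"\x00\x01\x00\x01"

# Constructed: a legitimate query for www.example.com.
GOOD = HEADER + b"\x03www\x07example\x03com\x00" + b"\x00\x01\x00\x01"

if __name__ == "__main__":
    for tag, pkt in (("zlip2-like", ZLIP2_LIKE),
                     ("backward-loop", BACKWARD_LOOP),
                     ("good", GOOD)):
        print(tag, check_question_section(pkt))
```

The zlip-2-like packet is rejected at the very first byte of the question name, which is the observation rmkml makes: a query name should never begin with a pointer. The second packet shows why a decoder cannot rely on the direction check alone; the visited-offset set is what actually bounds the walk. A signature-level rule can only match the fixed byte pattern of one capture, whereas a decoder check like this covers any pointer chain that revisits an offset.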