Snort mailing list archives
Re: [Snort-users] Detecting cross reference at DNS decompression by a snort rule (fwd)
From: rmkml <rmkml () yahoo fr>
Date: Fri, 27 May 2011 18:08:06 +0200 (CEST)
FYI

---------- Forwarded message ----------
Date: Fri, 27 May 2011 12:18:35 +0200 (CEST)
From: rmkml <rmkml () yahoo fr>
To: anvari85 () gmail com
Cc: snort-users () lists sourceforge net, rmkml () yahoo fr
Subject: Re: [Snort-users] Detecting cross reference at DNS decompression by a snort rule

Hi anvari85,

Yes, it's a DNS compression loop DoS... The DNS query "starts" with compressed bytes (\xc0\x0e) at \xc0\x0c; at \xc0\x0e it contains compressed bytes (\xc0\x0c): loop! A DNS query never starts with compressed bytes... (comments are welcome)

Note, snort v2905 alerts on zlip-2.pcap:

04/11-19:48:09.550140 [**] [116:98:1] (snort_decoder) WARNING: Long UDP packet, length field < payload length [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {UDP} 10.0.0.1:0 -> 146.84.28.88:0

Regards
Rmkml

On Fri, 27 May 2011, سعید انواری wrote:
Hello. I want to write a Snort rule to detect a DNS exploit as a result of endless cross referencing in a DNS compression message. Especially, I mean the zlip-2.pcap packet (zlip-2.pcap). Can somebody help me? Thanks.
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org
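A name decoder that rejects the pointer cycle rmkml describes, added here as an illustration; it is not code from this thread or from Snort. The packet in build_loop_query is constructed from the description above (a pointer at offset 0x0c to 0x0e, and 0x0e pointing back to 0x0c), not taken from zlip-2.pcap itself.

```python
import struct

class DnsLoopError(ValueError):
    """Raised when decompression would revisit an offset or hop too often."""

def decode_name(msg: bytes, offset: int, max_hops: int = 16):
    """Decode a (possibly compressed) name at `offset`.

    Returns (name, offset just after the name in the original stream).
    Every visited offset is recorded, so an a->b->a pointer cycle is
    rejected on the second visit; the hop cap bounds long acyclic chains.
    """
    labels, seen, hops, end = [], set(), 0, None
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        if offset in seen:
            raise DnsLoopError(f"compression loop at offset {offset:#x}")
        seen.add(offset)
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # 11xxxxxx: two-byte compression pointer
            if offset + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            target = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            end = offset + 2 if end is None else end  # a pointer ends the name
            hops += 1
            if hops > max_hops:
                raise DnsLoopError("too many compression pointers")
            offset = target
            continue
        if length & 0xC0:
            raise ValueError("reserved label type")
        if length == 0:  # root label terminates the name
            return ".".join(labels) or ".", (offset + 1 if end is None else end)
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii", "replace"))
        offset += 1 + length

def inspect_question(msg: bytes):
    """Decode the first QNAME (offset 12); return (name, None) or (None, reason)."""
    try:
        return decode_name(msg, 12)[0], None
    except ValueError as exc:
        return None, str(exc)

def build_query(name: str) -> bytes:
    """Constructed well-formed query for `name` (ID 0x1234, RD set, one question)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN

def build_loop_query() -> bytes:
    """Constructed packet modelled on the thread's description of zlip-2.pcap:
    QNAME at 0x0c is a pointer to 0x0e, and 0x0e points back to 0x0c."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    return header + b"\xc0\x0e" + b"\xc0\x0c" + struct.pack("!HH", 1, 1)
```

A legitimate backward pointer (an answer name pointing at the question) still decodes normally, so the check only fires on malformed messages.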