Snort mailing list archives
Re: Advanced DNS rules
From: Mark Andrews <marka () isc org>
Date: Mon, 20 Feb 2012 11:13:18 +1100
In message <CAKEvj1DYZiCJEg4EHMHO2qyGpZO1hmh47gK4PSeX5+Ef+s1jiw () mail gmail com> , Curt Shaffer writes:
> It is more about just looking for large malformed DNS requests. I don't want to catch legitimate DNS requests that would be large such as DNSSEC or valid EDNS. Think of a DNS packet filled with 0x41's at 1000 bytes. Certainly not something I want. That is just an example more than exactly what I'm trying to do. Maybe it would make sense to make the dsize there a little larger. It would be great to have a rule that says over 768 bytes that is not DNSSEC or EDNS ultimately.
Then you need to properly parse the entire DNS response and make sure it is internally consistent. There is no magic size. There are 4096 byte EDNS UDP responses that don't involve DNSSEC. There could be 8K EDNS UDP responses in the future. As far as I am aware no one currently advertises an 8K buffer but it is permitted by the protocol. Even if the response is internally consistent it may not be to a question that is asked.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka () isc org
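Mark's point that there is no magic size and that the message has to be parsed for internal consistency, shown as an added example that is not code from this thread, from Snort or from ISC: a minimal Python checker that walks every section of a DNS message, validates label lengths and compression pointers, requires the section counts to account for exactly the bytes on the wire, reads the advertised UDP payload size and DO bit from the EDNS(0) OPT record, and optionally confirms the response carries the question the client actually sent. The 56-byte response and the 1000-byte packet of 0x41s are constructed samples, not captured traffic.

```python
import struct

def read_name(pkt, off, depth=0):  # -> (dotted name, offset just after it)
    labels = []
    while True:
        n = pkt[off]  # IndexError past the end is caught by check_dns
        if n == 0:
            return b".".join(labels), off + 1
        if n & 0xC0 == 0xC0:  # compression pointer: must point backwards, chains capped
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            if ptr >= off or depth > 8:
                raise ValueError("bad compression pointer")
            return b".".join(labels + [read_name(pkt, ptr, depth + 1)[0]]), off + 2
        if n > 63:
            raise ValueError("label longer than 63 octets")
        labels.append(pkt[off + 1:off + 1 + n])
        off += 1 + n

def _parse(pkt, asked):
    qd, an, ns, ar = struct.unpack("!HHHH", pkt[4:12])
    off, qs, info = 12, [], {"edns_udp_size": None, "dnssec_ok": False}
    for _ in range(qd):
        name, off = read_name(pkt, off)
        qs.append((name, struct.unpack("!HH", pkt[off:off + 4])[0]))
        off += 4
    for _ in range(an + ns + ar):
        _, off = read_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:  # OPT: CLASS carries the UDP payload size, TTL bit 15 is DO
            info["edns_udp_size"], info["dnssec_ok"] = rclass, bool(ttl & 0x8000)
    if off != len(pkt):  # padding or truncation: the counts do not account for every byte
        raise ValueError("section counts do not match packet length")
    info["answers_asked_question"] = asked is None or asked in qs
    return info

def check_dns(pkt, asked=None):
    """Return {'ok': bool, ...}; 'asked' is the (name, qtype) the client actually sent."""
    try:
        return {"ok": True, **_parse(pkt, asked)}
    except (ValueError, IndexError, struct.error) as e:
        return {"ok": False, "reason": str(e)}

# Constructed samples, not captured traffic: a 56-byte EDNS response (OPT type 41,
# 4096-byte buffer, DO set) and the 1000-byte packet of 0x41s from the thread.
GOOD = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1) + b"\x07example\x03com\x00"
        + struct.pack("!HH", 1, 1) + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        + bytes([192, 0, 2, 1]) + b"\x00" + struct.pack("!HHIH", 41, 4096, 0x8000, 0))
JUNK = b"\x41" * 1000
```

`check_dns(GOOD, asked=(b"example.com", 1))` reports an internally consistent 4096-byte EDNS response, while `check_dns(JUNK)` fails on the first label and `check_dns(GOOD, asked=(b"example.org", 1))` flags a well-formed answer to a question that was never asked.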