Snort mailing list archives

Re: Advanced DNS rules


From: Mark Andrews <marka () isc org>
Date: Mon, 20 Feb 2012 11:13:18 +1100


In message <CAKEvj1DYZiCJEg4EHMHO2qyGpZO1hmh47gK4PSeX5+Ef+s1jiw () mail gmail com>, Curt Shaffer writes:
It is more about just looking for large malformed DNS requests. I
don't want to catch legitimate DNS requests that would be large such
as DNSSEC or valid EDNS. Think of a DNS packet filled with 0x41's at
1000 bytes. Certainly not something I want. That is just an example
more than exactly what I'm trying to do. Maybe it would make sense to
make the dsize there a little larger. It would be great to have a rule
that says over 768 bytes that is not DNSSEC or EDNS ultimately.

Then you need to properly parse the entire DNS response and make
sure it is internally consistent.  There is no magic size.  There
are 4096 byte EDNS UDP responses that don't involve DNSSEC.  There
could be 8K EDNS UDP responses in the future.  As far as I am aware
no one currently advertises an 8K buffer but it is permitted by the
protocol.

Even if the response is internally consistent it may not be to a
question that is asked.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org
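What "properly parse the entire DNS response and make sure it is internally consistent" amounts to in code, as an added example for this thread (it is not code from ISC, Snort or either poster): the message is walked end to end, every count, label length, RDLENGTH and compression pointer is checked against the bytes actually present, the EDNS OPT record is recognised so a large non-DNSSEC answer is not flagged for its size alone, and the decoded question is compared with the one that was sent. The sample packets, the query ID 0x1234 and the example.com TXT data are constructed here for the demonstration. Two choices are assumptions of this example rather than anything the thread states: compression pointers are only accepted when they point back into earlier message data (which is what rules out pointer loops), and a UDP payload over 512 bytes with no OPT record is reported as suspicious because RFC 1035 caps plain UDP responses at 512 bytes and only EDNS lifts that limit.

```python
"""Judge a UDP DNS response by parsing it end to end, not by its size.
Added example for this thread, not code from ISC, Snort or the posters;
the sample packets below are constructed inline."""
import struct

OPT = 41  # EDNS OPT pseudo-RR type; its CLASS field carries the advertised UDP size


class DNSParseError(ValueError):
    pass


def _check(ok, msg):
    if not ok:
        raise DNSParseError(msg)


def _read_name(pkt, off):
    """Read a possibly-compressed name at off; return (labels, offset after it)."""
    labels = []
    while True:
        _check(off < len(pkt), "name runs past end of packet")
        length = pkt[off]
        if length == 0:
            return labels, off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            _check(off + 1 < len(pkt), "truncated compression pointer")
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            # Strictness choice: a pointer must target earlier data, so recursion ends.
            _check(12 <= ptr < off, "bad compression pointer")
            tail, _ = _read_name(pkt, ptr)
            return labels + tail, off + 2
        _check(length <= 63, "label longer than 63 bytes")
        _check(off + 1 + length <= len(pkt), "label runs past end of packet")
        labels.append(pkt[off + 1:off + 1 + length].lower())
        off += 1 + length


def _read_rrs(pkt, off, count):
    rrs = []
    for _ in range(count):
        name, off = _read_name(pkt, off)
        _check(off + 10 <= len(pkt), "truncated RR header")
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        _check(off + 10 + rdlen <= len(pkt), "RDLENGTH runs past end of packet")
        rrs.append((b".".join(name), rtype, rclass, pkt[off + 10:off + 10 + rdlen]))
        off += 10 + rdlen
    return rrs, off


def parse_response(pkt):
    """Decode a response; raise DNSParseError on any count/length/pointer inconsistency."""
    _check(len(pkt) >= 12, "shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    _check(flags & 0x8000, "QR bit clear: not a response")
    off, questions = 12, []
    for _ in range(qd):
        name, off = _read_name(pkt, off)
        _check(off + 4 <= len(pkt), "truncated question")
        questions.append((b".".join(name),) + struct.unpack("!HH", pkt[off:off + 4]))
        off += 4
    answers, off = _read_rrs(pkt, off, an)
    authority, off = _read_rrs(pkt, off, ns)
    additional, off = _read_rrs(pkt, off, ar)
    _check(off == len(pkt), "%d trailing byte(s) after the last RR" % (len(pkt) - off))
    opts = [rr for rr in additional if rr[1] == OPT]  # OPT belongs in the additional section
    return {"id": ident, "questions": questions, "answers": answers, "authority": authority,
            "additional": additional, "edns_udp_size": opts[0][2] if opts else None}


def answers_question(resp, sent_id, sent_qname, sent_qtype):
    """A self-consistent response may still not be to the question we sent."""
    return (resp["id"] == sent_id and len(resp["questions"]) == 1
            and resp["questions"][0][0] == sent_qname.lower().encode()
            and resp["questions"][0][1] == sent_qtype)


def classify(pkt, sent_id, sent_qname, sent_qtype):
    """Verdict for one UDP payload: malformed, mismatch, suspicious or ok."""
    try:
        resp = parse_response(pkt)
    except DNSParseError as err:
        return "malformed: %s" % err
    if not answers_question(resp, sent_id, sent_qname, sent_qtype):
        return "mismatch: well-formed, but not an answer to the question sent"
    if len(pkt) > 512 and resp["edns_udp_size"] is None:
        # RFC 1035 caps UDP messages at 512 bytes; only EDNS lifts that limit.
        return "suspicious: %d bytes over UDP without an OPT RR" % len(pkt)
    return "ok: %d bytes, EDNS UDP size %s" % (len(pkt), resp["edns_udp_size"])


def build_sample_response(edns=True):
    """Constructed sample: 2.8 KB TXT answer for example.com, optionally with an OPT RR
    advertising a 4096-byte UDP buffer.  Large, non-DNSSEC, legitimate."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1 if edns else 0)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 16, 1)  # TXT, IN
    rdata = (b"\xff" + b"x" * 255) * 11  # eleven 255-byte TXT strings
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 300, len(rdata)) + rdata
    opt = b"\0" + struct.pack("!HHIH", OPT, 4096, 0, 0) if edns else b""
    return hdr + question + answer + opt


JUNK = b"\x41" * 1000  # the 1000-byte packet of 0x41s from the thread

if __name__ == "__main__":
    for tag, pkt in [("junk", JUNK), ("edns", build_sample_response()),
                     ("no-edns", build_sample_response(edns=False))]:
        print(tag, "->", classify(pkt, 0x1234, "example.com", 16))
```

Run stand-alone, the 1000-byte run of 0x41s is rejected at the header (its QR bit is clear); force the QR bit on and it is rejected at the first label instead, because 0x41 is a label length of 65. The 2868-byte EDNS sample parses cleanly and is reported as ok, the same answer without its OPT record is reported as suspicious, and the same bytes checked against a different query ID or name come back as a mismatch, which is the second point made above: internal consistency alone does not prove the response answers the question asked.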

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

