Snort mailing list archives
Re: PROTOCOL-DNS DNS query amplification attempt (1:28556)
From: Geoffrey Serrao <gserrao () sourcefire com>
Date: Mon, 4 May 2015 10:51:25 -0400
He may want to check the destination address' DNS conf to make sure that it's properly configured and not responding to requests from 0.0.0.0/0. More information about open DNS resolvers can be found here: http://www.openresolverproject.org/

On Mon, May 4, 2015 at 10:35 AM, Al Lewis (allewi) <allewi () cisco com> wrote:
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS DNS query amplification attempt"; flow:to_server; content:"|00 01|"; depth:2; offset:4; content:"|00 01|"; within:2; distance:4; byte_test:1,!&,0xF8,2; content:"|00 00 FF 00 01 00 00 29|"; byte_test:2,>,0x7FFF,0,relative; metadata:policy security-ips drop, ruleset community, service dns; reference:url,www.us-cert.gov/ncas/alerts/TA13-088A; classtype:attempted-dos; sid:28556; rev:2; )

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Mustaque [mailto:mustaque.ahmad () nuemera com]
Sent: Monday, May 04, 2015 1:58 AM
To: snort-sigs () lists sourceforge net
Subject: [Snort-sigs] PROTOCOL-DNS DNS query amplification attempt (1:28556)

Hi,

I can't see the packet information to investigate the integrity of this rule. And what does this rule do? Need more info.

Thanks and Regards
Mustaque
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
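The rule quoted above is easier to read once each option is mapped onto the DNS wire format: the two `content:"|00 01|"` matches pin QDCOUNT (bytes 4-5) and ARCOUNT (bytes 10-11) to 1, `byte_test:1,!&,0xF8,2` requires the high flags byte to have QR, OPCODE and AA clear (a plain query), the eight-byte content is the end of QNAME followed by QTYPE ANY (0x00FF), QCLASS IN (0x0001) and the root name plus TYPE 41 (OPT) of an EDNS0 record, and the final relative `byte_test` reads the OPT CLASS field, which carries the advertised UDP payload size, and fires only when it exceeds 0x7FFF. The following script is an added example, not code from the thread or from Snort: it builds constructed DNS query packets with an assumed `build_query` helper and runs a Python re-implementation of the same checks over them.

```python
import struct

QTYPE_A = 1
QTYPE_ANY = 0xFF
OPT_TYPE = 41  # EDNS0 OPT pseudo-RR type (RFC 6891)


def build_query(qname, qtype, edns_size=None, txid=0x1234, flags=0x0100):
    """Assumed helper (not Snort code): build a minimal DNS query packet.

    flags=0x0100 is a standard query with RD set (QR=0, OPCODE=0, AA=0).
    When edns_size is given, one OPT record advertising that UDP payload
    size is appended in the additional section, so ARCOUNT becomes 1.
    """
    labels = b"".join(
        struct.pack("B", len(label)) + label.encode()
        for label in qname.rstrip(".").split(".")
    )
    qname_wire = labels + b"\x00"
    arcount = 1 if edns_size is not None else 0
    # Header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (all big-endian)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = qname_wire + struct.pack("!HH", qtype, 1)  # QCLASS IN
    pkt = header + question
    if edns_size is not None:
        # OPT RR: root name (0x00), TYPE 41, CLASS = UDP payload size,
        # TTL (extended RCODE/version/flags) = 0, RDLENGTH = 0
        pkt += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_size, 0, 0)
    return pkt


def matches_sid_28556(payload):
    """Re-implementation of the option chain of Snort rule 1:28556."""
    if len(payload) < 12:
        return False
    # content:"|00 01|"; depth:2; offset:4  ->  QDCOUNT == 1
    if payload[4:6] != b"\x00\x01":
        return False
    # content:"|00 01|"; within:2; distance:4  ->  ARCOUNT (bytes 10..11) == 1
    if payload[10:12] != b"\x00\x01":
        return False
    # byte_test:1,!&,0xF8,2  ->  flags high byte: QR=0, OPCODE=0, AA=0
    if payload[2] & 0xF8:
        return False
    # content:"|00 00 FF 00 01 00 00 29|"  ->  end of QNAME, QTYPE ANY,
    # QCLASS IN, then OPT record name (root) and TYPE 41; searched from
    # the start of the payload because this content has no offset modifier
    needle = b"\x00\x00\xff\x00\x01\x00\x00\x29"
    idx = payload.find(needle)
    if idx < 0:
        return False
    # byte_test:2,>,0x7FFF,0,relative  ->  the next two bytes after the
    # match are the OPT CLASS field (advertised UDP payload size)
    pos = idx + len(needle)
    if len(payload) < pos + 2:
        return False
    udp_size = struct.unpack("!H", payload[pos:pos + 2])[0]
    return udp_size > 0x7FFF


def run_samples():
    """Run the matcher over constructed packets; returns {name: fired}."""
    samples = {
        "a_query_no_edns": build_query("example.com", QTYPE_A),
        "any_query_edns_4096": build_query("example.com", QTYPE_ANY, edns_size=4096),
        "any_query_edns_65535": build_query("example.com", QTYPE_ANY, edns_size=65535),
        # QR bit set: a response carrying the same bytes must not fire
        "any_response_edns_65535": build_query(
            "example.com", QTYPE_ANY, edns_size=65535, flags=0x8100
        ),
    }
    return {name: matches_sid_28556(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, fired in run_samples().items():
        print(f"{name}: {'ALERT' if fired else 'no match'}")
```

Two things worth noting when reading the results: the final byte_test only fires for advertised EDNS0 buffer sizes above 32767, so an ANY query announcing the common 4096-byte buffer passes the rule untouched, and the flags check means a response carrying the same bytes is ignored. The rule is therefore a narrow detector for "query for ANY while asking for the largest possible UDP answer", not a general ANY-query or amplification detector, which is consistent with its `attempted-dos` classtype and its `flow:to_server` direction.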
Current thread:
- PROTOCOL-DNS DNS query amplification attempt (1:28556) Mustaque (May 04)
- Re: PROTOCOL-DNS DNS query amplification attempt (1:28556) Al Lewis (allewi) (May 04)
- Re: PROTOCOL-DNS DNS query amplification attempt (1:28556) Geoffrey Serrao (May 04)
- Re: PROTOCOL-DNS DNS query amplification attempt (1:28556) rmkml (May 04)
- Re: PROTOCOL-DNS DNS query amplification attempt (1:28556) rmkml (May 04)
- Re: PROTOCOL-DNS DNS query amplification attempt (1:28556) Mustaque Ahmad (May 07)
- Re: PROTOCOL-DNS DNS query amplification attempt (1:28556) Jamie Riden (May 07)
- Re: PROTOCOL-DNS DNS query amplification attempt (1:28556) Mustaque (May 12)
- Re: PROTOCOL-DNS DNS query amplification attempt (1:28556) rmkml (May 04)
- Re: PROTOCOL-DNS DNS query amplification attempt (1:28556) Al Lewis (allewi) (May 04)