Snort mailing list archives
DNS suxx0rz (was: Re: Signature for this?)
From: Dragos Ruiu <dr () kyx net>
Date: Sun, 8 Sep 2002 12:02:46 +0000
On September 8, 2002 04:32 pm, Frank Knobbe wrote:
> On Sat, 2002-09-07 at 23:37, Michael Scheidell wrote:
> > > is anyone aware of a snort sig for this one?
> > > http://www.theregister.co.uk/content/55/26967.html
> > sounds more complicated than a snort sig.
>
> Yeah, I was afraid you guys would say that... Wasn't there someone
> working on a DNS pre-processor? Maybe that would catch it (overly long
> DNS responses, etc.)
Well you might think that snort may not help.... but it could.
It should be considered a GOOD THING(tm) to flag large
DNS packets, port 53 {tcp, udp} as suspicious. Rules for
this might be nice thing to add to your standard rule-sets
(whadyathink cazz?).
Certainly any DNS packet that has a size of bigger than 1K
should be considered extremely suspect. This kind of a rule
_will_ catch some DNS overflow attacks. If you have a higher
tolerance for weeding out falses you may want to lower
this limit to the 400-600 byte range as those kinds of monster-
grams should be rare. (Old DNS resolver codes peg MAXPACKET
at 1K and there are a whole bunch of 512byte limits in some
codes.) Below this range you are into the territory of garden
variety DNS queries and the length checking won't do much
good, and if there is a way of exploiting our infinitely
crappy resolver codes (and they _all_ suck, and I _have_
been looking at them), with smaller ordinary packets like
say a (hypothetical :-) byte alignment problem in the expanded
form of the hostname, then this kind of length checking
might not do much. But odds are high (:-P) that even this kind
of a hypothetical exploit might need to send some big packets
to exploit the flaw so adding this kind of rule sure seems
like a good idea.
cheers,
--dr
P.S. Did I ever say how much DNS sucks?
Libc resolver is ugly, and bind sucks even more.
P.P.S. I have been working on porting Cerebus 1.3 to
more architectures, and some new ones are up at
http://dragos.com/cerebus ... Solaris-Sparc64 and
Linux-IA64 were recently added. Fortunately the
64bit arches added only a couple of ifdefs. But
why does Solaris have to use uint32_t instead of
u_int32_t? Sigh....
--
dr () kyx net pgp: http://dragos.com/kyxpgp
Advance CanSecWest/03 registration available: http://cansecwest.com
"The question of whether computers can think is like the question
of whether submarines can swim." --Edsger Wybe Dijkstra 1930-2002
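The length-based rules the post proposes, written out as Snort 2 rules. This is an added example, not code from the original post or from the Snort rule-set; the SIDs are assumed from the local range (1000000 and up), the thresholds are the 1K and 512-byte figures the post mentions, and the classtype is the stock bad-unknown class.

```snort
# Added example: flag oversized DNS messages on port 53, either direction.
# SIDs 1000001-1000003 are assumed local-range values; pick your own.

# UDP: dsize matches the UDP payload length of a single datagram.
# The 1K threshold is the "extremely suspect" level from the post.
alert udp any 53 <> any any (msg:"LOCAL DNS oversized UDP message (>1024 bytes)"; dsize:>1024; classtype:bad-unknown; sid:1000001; rev:1;)

# UDP: the lower 512-byte threshold from the post. Expect noise on any
# network that does EDNS0 or DNSSEC (see the note below).
alert udp any 53 <> any any (msg:"LOCAL DNS large UDP message (>512 bytes)"; dsize:>512; classtype:bad-unknown; sid:1000002; rev:1;)

# TCP: DNS over TCP prefixes each message with a 2-byte big-endian length.
# Rather than dsize (which is per-segment and depends on reassembly),
# read the declared message length at offset 0 of the payload. This
# assumes the segment starts at a message boundary, i.e. the first
# segment of a reassembled stream.
alert tcp any 53 <> any any (msg:"LOCAL DNS oversized TCP message (declared length >1024)"; flow:established; byte_test:2,>,1024,0; classtype:bad-unknown; sid:1000003; rev:1;)
```

Two caveats a practitioner should weigh before turning these on. First, the 512-byte limit the post refers to is the classic RFC 1035 UDP ceiling; EDNS0 (RFC 2671, later RFC 6891) lets resolvers advertise larger buffers, and DNSSEC-signed responses routinely exceed 512 bytes, so sid 1000002 will fire on legitimate traffic on a modern network and is better run as a logging rule than an alert. Second, zone transfers (AXFR/IXFR) over TCP are legitimately large, so sid 1000003 should be tuned to exclude your own secondaries or the rule will page you on every transfer.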
Current thread:
- Signature for this? Frank Knobbe (Sep 07)
- Re: Signature for this? Michael Scheidell (Sep 07)
- Re: Signature for this? Frank Knobbe (Sep 08)
- Re: Signature for this? Erek Adams (Sep 08)
- DNS suxx0rz (was: Re: Signature for this?) Dragos Ruiu (Sep 08)
- Re: Signature for this? Frank Knobbe (Sep 08)
- Re: Signature for this? John Sage (Sep 07)
- <Possible follow-ups>
- Re: Signature for this? scott campbell (Sep 15)
- Re: Signature for this? Michael Scheidell (Sep 07)
