snort-sigs May 2011 archive

Re: [Snort-sigs] [Snort-users] Detecting cross reference at DNS decompression by a snort rule (fwd)

From: rmkml <rmkml_at_nospam>
Date: Fri May 27 2011 - 16:08:06 GMT


---------- Forwarded message ----------
Date: Fri, 27 May 2011 12:18:35 +0200 (CEST)
From: rmkml <>
Subject: Re: [Snort-users] Detecting cross reference at DNS decompression by a
     snort rule

Hi anvari85,
Yes, it's a DNS compression loop DoS...
The DNS query "starts" with compressed bytes (\xc0\x0e) at \xc0\x0c; at \xc0\x0e it contains compressed bytes (\xc0\x0c): a loop!
A DNS query never starts with compressed bytes... (comments are welcome)

Note, Snort v2905 alerts on zlip-2.pcap:
   04/11-19:48:09.550140 [**] [116:98:1] (snort_decoder) WARNING: Long UDP packet, length field < payload length [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {UDP} ->

On Fri, 27 May 2011, سعید انواری wrote:

> Hello. I want to write a Snort rule to detect a DNS exploit caused by endless cross-referencing in a DNS compression message; specifically, I mean the zlip-2.pcap packet.
> Can somebody help me?
> Thanks.
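As an added illustration (not code from this thread, from Snort, or from the zlip test set), the Python below decodes a DNS name the way a hardened parser should and refuses the two things rmkml points out: a query whose QNAME begins with a compression pointer, and a pointer chain that revisits an offset. The sample message is constructed to match rmkml's description of zlip-2.pcap (pointer 0xc00e at offset 12, pointer 0xc00c at offset 14); it is not the pcap itself, and the header fields, the www.example.com comparison query and the MAX_POINTERS cap are my assumptions.

```python
from typing import Tuple
import struct

# Constructed sample data (not taken from zlip-2.pcap): a 12-byte DNS header
# for a standard query with ID 0x1234, RD set, QDCOUNT=1.
HEADER = struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)

# QNAME is the two-pointer loop rmkml describes: offset 12 holds the pointer
# 0xc00e (-> offset 14) and offset 14 holds 0xc00c (-> offset 12).
# QTYPE=A (1) and QCLASS=IN (1) follow.
LOOPING_QUERY = HEADER + b"\xc0\x0e\xc0\x0c" + struct.pack(">HH", 1, 1)

# An ordinary query for www.example.com, for comparison.
NORMAL_QUERY = HEADER + b"\x03www\x07example\x03com\x00" + struct.pack(">HH", 1, 1)

MAX_POINTERS = 64  # assumed hard cap on pointer hops, independent of the other checks


def query_starts_with_pointer(msg: bytes) -> bool:
    """rmkml's cheap heuristic: the QNAME of a query begins right after the
    12-byte header, and a legitimate query never begins with a compression
    pointer (top two bits of the byte set, i.e. 0xc0..0xff)."""
    return len(msg) > 12 and (msg[12] & 0xC0) == 0xC0


def read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a possibly compressed domain name starting at `offset`.

    Returns (dotted_name, offset where the caller resumes parsing). Raises
    ValueError on a pointer loop, a forward pointer (RFC 1035 requires a
    pointer to refer to a prior occurrence), too many hops, or truncation.
    """
    labels = []
    visited = set()       # offsets of pointers already followed
    hops = 0
    resume = None         # stream position after the first pointer, if any
    pos = offset
    while True:
        if pos >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:
            # compression pointer: bits 11 followed by a 14-bit message offset
            if pos + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if resume is None:
                resume = pos + 2
            if target == pos or target in visited:
                raise ValueError("compression pointer loop at offset %d -> %d" % (pos, target))
            if target >= pos:
                raise ValueError("forward compression pointer at offset %d -> %d" % (pos, target))
            visited.add(pos)
            hops += 1
            if hops > MAX_POINTERS:
                raise ValueError("too many compression pointers")
            pos = target
            continue
        if length & 0xC0:
            raise ValueError("reserved label type 0x%02x at offset %d" % (length & 0xC0, pos))
        if length == 0:                  # root label ends the name
            pos += 1
            break
        label = msg[pos + 1:pos + 1 + length]
        if len(label) != length:
            raise ValueError("truncated label at offset %d" % pos)
        labels.append(label.decode("ascii", "replace"))
        pos += 1 + length
    return ".".join(labels), (resume if resume is not None else pos)


def decode_or_error(msg: bytes, offset: int) -> str:
    """The decoded name, or the reason the name was rejected."""
    try:
        return read_name(msg, offset)[0]
    except ValueError as exc:
        return "rejected: " + str(exc)


def classify_query(msg: bytes) -> str:
    """Return 'ok' or the reason the question section should be alerted on."""
    if len(msg) < 12:
        return "rejected: truncated header"
    if query_starts_with_pointer(msg):
        return "rejected: QNAME begins with a compression pointer"
    try:
        read_name(msg, 12)
    except ValueError as exc:
        return "rejected: " + str(exc)
    return "ok"


if __name__ == "__main__":
    print("normal :", classify_query(NORMAL_QUERY))
    print("zlip-2 :", classify_query(LOOPING_QUERY))
    # Starting at offset 14 skips the first-byte heuristic and exercises
    # the visited-offset loop check instead.
    print("from 14:", decode_or_error(LOOPING_QUERY, 14))
```

Because RFC 1035 only allows a pointer to refer to an earlier position in the message, a strictly backward-only decoder can never loop; the visited set and the hop cap are kept as defence in depth for parsers that tolerate forward pointers. A Snort counterpart of the first-byte check, offered here as a suggestion rather than something from the thread, would be a rule on UDP traffic to port 53 using byte_test:1,>=,0xC0,12; or, for the exact zlip-2 bytes, content:"|c0 0e c0 0c|"; offset:12; depth:4;.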

