snort-sigs May 2011 archive

Re: [Snort-sigs] [Snort-users] Detecting cross reference at DNS decompression by a snort rule (fwd)

From: rmkml <rmkml_at_nospam>
Date: Fri May 27 2011 - 16:08:06 GMT
To: snort-sigs@lists.sourceforge.net

FYI

---------- Forwarded message ----------
Date: Fri, 27 May 2011 12:18:35 +0200 (CEST)
From: rmkml <rmkml@yahoo.fr>
To: anvari85@gmail.com
Cc: snort-users@lists.sourceforge.net, rmkml@yahoo.fr
Subject: Re: [Snort-users] Detecting cross reference at DNS decompression by a
     snort rule

Hi anvari85,
Yes, it's a DNS compression loop DoS...
The DNS query "starts" with compressed bytes (\xc0\x0e) at \xc0\x0c; at \xc0\x0e it contains compressed bytes (\xc0\x0c): a loop!
A DNS query never starts with compressed bytes... (comments are welcome)

Note: snort v2905 alerts on zlip-2.pcap:
   04/11-19:48:09.550140 [**] [116:98:1] (snort_decoder) WARNING: Long UDP packet, length field < payload length [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {UDP} 10.0.0.1:0 -> 146.84.28.88:0
Regards
Rmkml

On Fri, 27 May 2011, سعید انواری wrote:

> Hello. I want to write a snort rule to detect a DNS exploit caused by endless cross-referencing in a DNS compression message; in particular, I mean the zlip-2.pcap packet ( zlip-2.pcap ).
> Can somebody help me?
> Thanks.

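As an added illustration (this code is not from the thread, from rmkml or from the Snort project), the Python below builds a query carrying the two-pointer loop rmkml describes (the byte pair at offset 0x0c points to 0x0e, and the pair at 0x0e points back to 0x0c), decodes it with an RFC 1035 name decompressor that refuses to follow a pointer twice, and applies the heuristic from the reply: the first QNAME byte of a query is never a compression pointer. The packets are constructed here for the example and are not the bytes of zlip-2.pcap; the jump bound is an assumed safety margin, not a protocol constant.

```python
"""
Added example: a DNS query whose QNAME is a compression-pointer loop,
a loop-safe name decompressor, and the "query starts with a pointer"
check from rmkml's reply. All packets are constructed inline.
"""
import struct

# Assumption: no legitimate name needs anywhere near this many pointer hops.
MAX_POINTER_JUMPS = 16


def build_header(txid=0x1234, qdcount=1):
    # RFC 1035 header: ID, flags (standard query, RD set), QD/AN/NS/AR counts
    return struct.pack("!HHHHHH", txid, 0x0100, qdcount, 0, 0, 0)


def encode_name(name):
    # Uncompressed wire form: length-prefixed labels, terminated by a zero byte
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_benign_query(name="example.com"):
    # Constructed sample: ordinary A/IN query, QNAME begins at offset 12
    return build_header() + encode_name(name) + struct.pack("!HH", 1, 1)


def build_looping_query():
    # Constructed sample of the loop from the reply:
    #   offset 12 (0x0c): \xc0\x0e  -> pointer to offset 14
    #   offset 14 (0x0e): \xc0\x0c  -> pointer back to offset 12
    return build_header() + b"\xc0\x0e" + b"\xc0\x0c" + struct.pack("!HH", 1, 1)


class CompressionLoop(Exception):
    pass


def read_name(msg, offset):
    """Decode the name at offset; returns (dotted_name, offset_after_name).
    Raises CompressionLoop when a pointer revisits an offset or the jump
    bound is exceeded, instead of spinning forever."""
    labels, visited, jumps, end = [], set(), 0, None
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                     # compression pointer
            if offset + 1 >= len(msg):
                raise ValueError("truncated pointer")
            target = ((length & 0x3F) << 8) | msg[offset + 1]
            if end is None:
                end = offset + 2                      # name ends after first pointer
            jumps += 1
            if target in visited or offset in visited or jumps > MAX_POINTER_JUMPS:
                raise CompressionLoop("pointer loop at offset %d -> %d" % (offset, target))
            visited.add(offset)
            offset = target
            continue
        if length & 0xC0:                             # 0x40/0x80: reserved label types
            raise ValueError("reserved label type at offset %d" % offset)
        if length == 0:                               # root label terminates the name
            if end is None:
                end = offset + 1
            return ".".join(labels), end
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def decode_question(msg):
    """Return (qname, qtype, qclass) of the first question; raises on a loop."""
    name, off = read_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return name, qtype, qclass


def has_compression_loop(msg):
    try:
        read_name(msg, 12)
        return False
    except CompressionLoop:
        return True


def query_starts_with_pointer(msg):
    """rmkml's heuristic: with QDCOUNT > 0, byte 12 must be a label length,
    never a pointer (top two bits set)."""
    if len(msg) < 13:
        return False
    qdcount = struct.unpack("!H", msg[4:6])[0]
    return qdcount > 0 and (msg[12] & 0xC0) == 0xC0


if __name__ == "__main__":
    for label, pkt in (("benign", build_benign_query()), ("loop", build_looping_query())):
        print(label, "starts_with_pointer=%s" % query_starts_with_pointer(pkt),
              "loop=%s" % has_compression_loop(pkt))
```

The decompressor records every pointer offset it has followed, so the 0x0c -> 0x0e -> 0x0c cycle is caught on the second hop; the jump bound is a backstop for longer chains that never revisit an offset but still waste time. The byte-12 check is cheaper and needs no decompression at all, which makes it the natural shape for a rule: in Snort terms it is a single-byte test at offset 12 of the UDP/53 payload for the 0xC0 bits (a `byte_test` with the `&` operator and value 0xC0; verify the exact option syntax against the Snort manual for your version before deploying).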
