Re: sidestep

Snort 1.8.7 is hideously out of date (not to mention the huge buffer overflow vulnerability in the rpc decoder), Snort 2.0 is the current state of the art.

http://www.snort.org/dl/snort-2.0.0.tar.gz

That DNS evasion you refer to was just a rule issue that was fixed in the spring of 2001, the "new" rule should fire just fine.

     -Marty

On 5/6/03 2:45 AM, "Jill Tovey" <jill.tovey@bigbluedoor.com> wrote:

> I am using Snort 1.8.7 which has the rev:1 SID 1616.

>> Jill,
>> 
>>     I don't know what version of Snort you are running or what Snort rule set
>> you are using.   If you use version 2.0 with the default rule set
>> (specifically includes file dns.rules with SID 1616), it should trigger.
>> 
>>     I ran sidestep DNS evade traffic using a Snort a default configuration
>> file which includes the following rule in the dns.rules file:
>> 
>> alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named version attempt";
>> content:"|07|version"; nocase; offset:12; content:"|04|bind"; nocase;
>> offset:12; reference:nessus,10028; reference:arachnids,278;
>> classtype:attempted-recon; sid:1616; rev:4;)
>> 
>> And received this alert:
>> 
>> 05/05-04:08:21.989255  [**] [1:1616:4] DNS named version attempt [**]
>> [Classification: Attempted Information Leak] [Priority: 2] {UDP}
>> 10.2.3.28:1045 -> 10.2.3.20:53
>> 
>> Judy Novak
>> 
>> On Saturday 03 May 2003 05:52, Jill Tovey wrote:
>>> Hi all,
>>> 
>>> For those of you that were interested, Snort did not detect the DNS
>>> version query from Sidestep.
>>> 
>>> Kind Regards,
>>> 
>>> Jill Tovey
>>> 
>>> 
>>> 
>>> ---------------------------------------------------------------------------
>>> ---- Can you respond to attacks based on attack type, severity, source IP,
>>> destination IP, number of times attacked, or the time of day an attack
>>> occurs? No?
>>> No wonder why you're swamped with false positives!
>>> Download a free 15-day trial of Border Guard and watch your false
>>> positives disappear.
>>> 
>>> 
http://www.securityfocus.com/StillSecure-focus-ids2
>>> ---------------------------------------------------------------------------
>>> ----
>> 
>> 
>> 

------------------------------------------------------------------------------>

------------------------------------------------------------------------------>
Do you need help?
In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software:
Learn more about Pantek's Technical Support offerings
Place an order for 24/7/365 Technical Support here
Learn more about Pantek, who we are, and what we do
Chat with a Live Operator
Related securityfocus.com Links
bugtraq
certification
focus-bsd
focus-ids
focus-ih
focus-linux
focus-ms
focus-sun
focus-unix-other
focus-virus
forensics
incidents
libnet
linux-secnews
ms-secnews
pen-test
secpapers
secprog
sectools
secureshell
security-basics
securityjobs
sf-news
vuln-dev
webappsec
Request more information about Pantek

-- 
Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch(at)sourcefire.com - 
http://www.sourcefire.com
Snort: Open Source Network IDS - 
http://www.snort.org



-------------------------------------------------------------------------------
Can you respond to attacks based on attack type, severity, source IP,
destination IP, number of times attacked, or the time of day an attack
occurs? No? 
No wonder why you're swamped with false positives! 
Download a free 15-day trial of Border Guard and watch your false
positives disappear.
http://www.securityfocus.com/StillSecure-focus-ids2
-------------------------------------------------------------------------------