File: 253.txt

package info (click to toggle)
snort 2.7.0-20.4
  • links: PTS
  • area: main
  • in suites: lenny
  • size: 34,512 kB
  • ctags: 18,772
  • sloc: ansic: 115,404; sh: 10,893; makefile: 1,372; perl: 487; sql: 213
file content (53 lines) | stat: -rw-r--r-- 1,832 bytes parent folder | download | duplicates (6)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
Rule:

--
Sid:
253

--
Summary:
This event is generated when a specific DNS response. In this case, there are no DNS authority records for the queried pointer record and has a DNS time-to-live value of one minute. 

--
Impact:
Ranges from harmless to severe.  A successful corrupted DNS IP and name pairing can range from harmless (if the IP is not used) to severe (if a user is misdirected to a hostile host).

--
Detailed Information:
This is presumably from an attacker engaged in a race condition to respond to a legitimate DNS query.  An attacker may sniff a DNS query requesting an address record and attempt to respond before an actual DNS server can.  The spoofed response is atypical because it does not include the authoritative DNS servers in the returned record.  A legitimate DNS response will likely return the names of the authoritative DNS servers.  The response associated with this traffic has a DNS time-to-live value of one minute.  It is suspected that the TTL is set to expire quickly to eliminate any evidence of the spoofed response.

--
Affected Systems:
Any DNS server not using DNSSEC.

--
Attack Scenarios:
An attacker can spoof a DNS response to misrepresent an IP to host/name pairing.  The forged host name can direct a user to a potentially hostile host.

--
Ease of Attack:
Moderate. The attacker has to be able to sniff DNS queries and generate spoofed responses before the actual DNS server.

--
False Positives:
None Known.

--
False Negatives:
This rule uses very specific DNS flag values that could be modified.  Also, if the DNS TTL value is changed from 1, this rule will not trigger.

--
Corrective Action:
Consider using DNSSEC where appropriate.

--
Contributors:
Original rule writer unknown
Sourcefire Research Team
Judy Novak <judy.novak@sourcefire.com>

--
Additional References:


--