File: 100000161.txt

snort 2.9.2.2-3
Rule: 

--
Sid: 
100000161

-- 
Summary: 
This event is generated when an abnormally large number of unresolvable DNS 
queries are generated by a particular host.

--
Impact:
This can be an indication of a denial of service attack in progress.

--
Detailed Information:
Since SIP systems can be overwhelmed by being forced to deal with an overly 
large number of invalid hostnames, this rule is designed to detect such attacks 
by searching for large volumes of DNS responses which contain the message "No 
such name".
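
The counting logic described above, as an added Python example (not the Snort 
rule itself, whose text is not shown on this page). The threshold, the window 
length and all function names are assumptions chosen for illustration, and the 
sample traffic is constructed.

```python
import struct
from collections import defaultdict, deque

RCODE_NXDOMAIN = 3      # DNS header RCODE 3, "Name Error" ("No such name")
THRESHOLD = 5           # assumed: NXDOMAIN responses per window before alerting
WINDOW_SECONDS = 10.0   # assumed: sliding window length


def is_nxdomain_response(payload: bytes) -> bool:
    """True if a UDP DNS payload is a response (QR=1) carrying RCODE 3."""
    if len(payload) < 12:                  # shorter than the fixed DNS header
        return False
    flags = struct.unpack("!H", payload[2:4])[0]
    return bool(flags & 0x8000) and (flags & 0x000F) == RCODE_NXDOMAIN


def detect(events, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """events: time-ordered (timestamp, querier_ip, dns_payload) tuples, where
    querier_ip is the host the response is addressed to.
    Returns (timestamp, querier_ip) alerts, at most one per window per host."""
    recent = defaultdict(deque)            # querier -> NXDOMAIN timestamps
    muted_until = {}                       # querier -> time alerts resume
    alerts = []
    for ts, querier, payload in events:
        if not is_nxdomain_response(payload):
            continue
        seen = recent[querier]
        seen.append(ts)
        while seen and ts - seen[0] > window:   # drop entries outside window
            seen.popleft()
        if len(seen) >= threshold and ts >= muted_until.get(querier, 0.0):
            alerts.append((ts, querier))
            muted_until[querier] = ts + window
    return alerts


def make_response(txid: int, rcode: int) -> bytes:
    """Constructed sample: header-only DNS response with the given RCODE."""
    return struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, 0, 0, 0)


def sample_events():
    # Constructed traffic: one host receives 8 NXDOMAIN answers in 4 seconds,
    # another receives a single NXDOMAIN and one successful answer.
    noisy = [(i * 0.5, "192.0.2.10", make_response(i, 3)) for i in range(8)]
    quiet = [(1.0, "192.0.2.20", make_response(100, 3)),
             (2.0, "192.0.2.20", make_response(101, 0))]
    return sorted(noisy + quiet, key=lambda e: e[0])
```

Tune the threshold and window against normal resolver traffic for the monitored 
hosts before relying on the alerts.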

--
Affected Systems:
Any which implement the SIP protocol.

--
Attack Scenarios:
An attacker could use a script to flood a system with requests from invalid 
hosts, causing a denial of service.

--
Ease of Attack:
Simple, as it is trivial to write a script to generate requests with invalid 
hostnames.

--
False Positives:
None known.

--
False Negatives:
None known.

--
Corrective Action:
Use a firewall or other access-restriction device to block unwanted messages at 
your network's border.

--
Contributors:
Jiri Markl <jiri.markl@nextsoft.cz>
Sourcefire Research Team

--
Additional References
Other:

--