File: 264.txt

package info (click to toggle)
snort 2.9.7.0-5
  • links: PTS, VCS
  • area: main
  • in suites: bullseye, buster, sid, stretch
  • size: 55,000 kB
  • ctags: 38,464
  • sloc: ansic: 266,667; sh: 12,508; makefile: 2,908; yacc: 497; perl: 496; lex: 261; sed: 14
file content (58 lines) | stat: -rw-r--r-- 1,315 bytes parent folder | download | duplicates (6)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
Rule:

--
Sid:
264

--
Summary:
This event is generated when spurious DNS traffic is detected on the network. 

--
Impact:
Ranges from harmless to severe.  A successful corrupted DNS IP and name pairing can range from harmless (if the IP is not used) to severe (if a user is misdirected to a hostile host).

--
Detailed Information:
This event indicates that abnormal DNS traffic has been detected. The implications are varied and careful investigation of the source and destination should be undertaken.

This may be the result of an improperly configured DNS server or it may be an indication that an attack against the DNS server is underway.

--
Affected Systems:
Any DNS server.

--
Attack Scenarios:
An attacker can spoof a DNS response to misrepresent an IP to host/name pairing.  The forged host name can direct a user to a potentially hostile host.

--
Ease of Attack:
Simple to Difficult depending on the DNS implementation.

--
False Positives:
None Known.

--
False Negatives:
None Known.

--
Corrective Action:
Consider using DNSSEC where appropriate.

Keep all DNS software up to date and correctly configured.

--
Contributors:
Original rule writer unknown
Sourcefire Research Team
Nigel Houghton <nigel.houghton@sourcefire.com>
Judy Novak <judy.novak@sourcefire.com>

--
Additional References:


--