Re: sidestep

From: Judy Novak (judy.novak_at_sourcefire.com)
Date: 05/05/03

  • Next message: Paul Schmehl: "Re: Fw: Promiscuous vs Inline IDS"
    To: Jill Tovey <jill.tovey@bigbluedoor.com>, focus-ids@securityfocus.com
    Date: Mon, 5 May 2003 09:38:29 -0400
    
    

    Jill,

        I don't know what version of Snort you are running or what Snort rule set
    you are using. If you use version 2.0 with the default rule set (which
    specifically includes the file dns.rules with SID 1616), it should trigger.

        I ran sidestep DNS evade traffic using a Snort default configuration
    file which includes the following rule in the dns.rules file:

    alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named version attempt";
    content:"|07|version"; nocase; offset:12; content:"|04|bind"; nocase;
    offset:12; reference:nessus,10028; reference:arachnids,278;
    classtype:attempted-recon; sid:1616; rev:4;)

    And received this alert:

    05/05-04:08:21.989255 [**] [1:1616:4] DNS named version attempt [**]
    [Classification: Attempted Information Leak] [Priority: 2] {UDP}
    10.2.3.28:1045 -> 10.2.3.20:53

    Judy Novak

    On Saturday 03 May 2003 05:52, Jill Tovey wrote:
    > Hi all,
    >
    > For those of you that were interested, Snort did not detect the DNS
    > version query from Sidestep.
    >
    > Kind Regards,
    >
    > Jill Tovey
    >
    >
    >
    > ---------------------------------------------------------------------------
    > Can you respond to attacks based on attack type, severity, source IP,
    > destination IP, number of times attacked, or the time of day an attack
    > occurs? No?
    > No wonder why you're swamped with false positives!
    > Download a free 15-day trial of Border Guard and watch your false
    > positives disappear.
    >
    > http://www.securityfocus.com/StillSecure-focus-ids2
    > ---------------------------------------------------------------------------

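The rule quoted above matches two length-prefixed DNS labels searched from byte 12 of the UDP payload, i.e. immediately past the fixed 12-byte DNS header where the question name begins. The following is an added example, not part of the original thread and not Snort's own code: a small Python re-implementation of that content-match logic, run against a hand-built version.bind TXT/CHAOS query. The packet builder, the function names and the sample queries are my own constructions for illustration; only the two content strings, the offset and the nocase behaviour come from the rule body. The rule header (UDP, $EXTERNAL_NET -> $HOME_NET port 53) is not modelled here, only the payload options.

```python
import struct

# DNS constants used by the usual "version.bind" probe (assumed, standard values).
QTYPE_TXT = 16
QCLASS_CHAOS = 3


def build_dns_query(qname: str, qtype: int = QTYPE_TXT,
                    qclass: int = QCLASS_CHAOS, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query as it would appear as a UDP payload.

    Constructed helper, not a capture: 12-byte header (ID, flags with RD=1,
    QDCOUNT=1, the other counts 0), then the QNAME as length-prefixed labels
    terminated by a zero byte, then QTYPE and QCLASS.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname_wire = b""
    for label in qname.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("bad label length: %r" % label)
        qname_wire += bytes([len(label)]) + label.encode("ascii")
    qname_wire += b"\x00"
    return header + qname_wire + struct.pack("!HH", qtype, qclass)


def question_name(payload: bytes) -> str:
    """Decode the first question name, which starts right after the 12-byte header.

    This is why the rule uses offset:12: the header is fixed-size, so the
    labels "|07|version" and "|04|bind" can only appear from byte 12 onward.
    Compression pointers are rejected because they are not valid in a query's
    question section as built here.
    """
    labels = []
    pos = 12
    while True:
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("unexpected compression pointer in question name")
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def sid1616_matches(payload: bytes) -> bool:
    """Re-implementation (assumed, not Snort's code) of the SID 1616 payload options.

    Both content options carry offset:12, so each is searched from byte 12 of
    the payload to the end; nocase makes both comparisons case-insensitive.
    The length bytes 0x07 and 0x04 are part of the pattern, so a name such as
    "version.bind" matches while unrelated text containing "version" does not.
    """
    region = payload[12:].lower()
    return b"\x07version" in region and b"\x04bind" in region


def classify(payload: bytes) -> str:
    """Return a short verdict string for a payload, for the stand-alone run."""
    return "ALERT DNS named version attempt" if sid1616_matches(payload) else "no alert"


# Constructed sample traffic: the probe itself, the same probe in upper case
# (nocase should still match), and an ordinary A query as a negative control.
VERSION_BIND_QUERY = build_dns_query("version.bind")
VERSION_BIND_UPPER = build_dns_query("VERSION.BIND")
BENIGN_A_QUERY = build_dns_query("www.example.com", qtype=1, qclass=1)

if __name__ == "__main__":
    for name, pkt in [("version.bind", VERSION_BIND_QUERY),
                      ("VERSION.BIND", VERSION_BIND_UPPER),
                      ("www.example.com A", BENIGN_A_QUERY)]:
        print("%-20s qname=%-16s -> %s" % (name, question_name(pkt), classify(pkt)))
```

Running the block prints an alert verdict for both spellings of the probe and none for the A query; the upper-case case is the practical check that nocase in the rule does what the thread relies on.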

