1665 Views 6 Replies Latest reply: Jan 25, 2012 3:54 AM by radiomoskau
radiomoskau Newcomer 11 posts since
Dec 23, 2011

Dec 23, 2011 5:46 AM

Custom Attack Signature for DNS query & response

G'day!

At the moment I'm trying to build a custom signature to match DNS queries from and DNS requests to a certain network (10.204.5.0/24) on a sub-interface dedicated to that network.

Did any of you ever build such a signature and could help me with some tips?

Or does anyone have a Snort rule which I could use for that?

I tried to find an applicable Snort rule but didn't find one that wasn't built for certain domains. As I'm a beginner in writing signatures I'm not confident enough to modify such a Snort rule.

edit: I've just tried to build a signature but when I wanted to save it the editor demands that I select a protection category. Trouble is, there are no categories to choose from in the drop-down box?!?!

Thanks a lot and wish you a merry Christmas!!

Greetz

Roman

p.s.:

I'm running NSM v7 and M-3050 sensors

Message edited by radiomoskau on 23.12.11 05:46:18 CST
  • dmease729 Champion 267 posts since
    Jul 22, 2011

    Hi Roman,

    For a basic Snort signature such as that, I started with

    alert udp any any -> 192.168.1.0/24 53 (msg:"Incoming DNS request!";sid:9000000;priority:1;),

    however I don't seem to be able to submit this as I receive "No supported snort options found to generate signature". The Custom Attack Guide (v6.1, the version I am running) states: "msg rule option and a unique SID are mandatory for a Snort Custom Attack". When adding a test content: section in, the rule is applied successfully, and it looks to be the case that the content: section is required, going against your requirements. Saying that, however, is there anything content-wise in the DNS traffic you are looking for? If it is just generic traffic, would you not be better off filtering the traffic that is not allowed (or if it is allowed, then your sensor may get swamped, dealing with numerous DNS requests?). Is there any specific business driver behind this, or are you just running some tests for learning purposes?

    cheers,

    Darren
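
Added example (not from the thread, not McAfee's code): a small Python checker that applies the requirements Darren reports above to a list of Snort rules before they are pasted into the custom attack editor: msg and a unique sid are mandatory per the Custom Attack Guide, and a content: match was needed for the import to succeed. It also validates the CIDR in the rule header. The DNS-header byte pattern in the second sample rule (flags 0x0100 and QDCOUNT 1 at offset 2 of the DNS message) is my own suggestion for giving a generic DNS rule something to match on; whether NSM honours the offset/depth modifiers is an assumption to verify against the guide.

```python
"""Added example: check Snort custom-attack rules for the requirements
reported in the reply above (msg and unique sid mandatory, content: needed)."""
import ipaddress
import re

HEADER_RE = re.compile(
    r"^\s*(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def split_options(opts):
    """Split 'k:v; k:v;' on ';' outside double quotes -> [(key, value), ...]."""
    items, buf, quoted = [], "", False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            items.append(buf)
            buf = ""
        else:
            buf += ch
    items.append(buf)
    result = []
    for item in items:
        if item.strip():
            key, _, value = item.partition(":")
            result.append((key.strip(), value.strip().strip('"')))
    return result


def parse_rule(rule):
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("not a Snort rule: " + rule)
    parsed = m.groupdict()
    parsed["options"] = split_options(parsed.pop("opts"))
    return parsed


def check_rule(rule, seen_sids):
    """Return a list of problems for one rule; seen_sids tracks sid uniqueness."""
    problems = []
    parsed = parse_rule(rule)
    # Header networks must be 'any', a variable like $HOME_NET, or a valid CIDR.
    for field in ("src", "dst"):
        token = parsed[field]
        if token != "any" and not token.startswith(("$", "!", "[")):
            try:
                ipaddress.ip_network(token, strict=False)
            except ValueError:
                problems.append(f"bad {field} network {token}")
    keys = [k for k, _ in parsed["options"]]
    values = dict(parsed["options"])
    if "msg" not in keys:
        problems.append("missing msg")
    sid = values.get("sid")
    if sid is None:
        problems.append("missing sid")
    elif sid in seen_sids:
        problems.append(f"duplicate sid {sid}")
    else:
        seen_sids.add(sid)
    if "content" not in keys:
        problems.append("no content: match (import was rejected without one)")
    return problems


def check_rules(rules):
    seen = set()
    return [check_rule(r, seen) for r in rules]


# Constructed sample rules: the one from the reply, a DNS-specific variant for the
# 10.204.5.0/24 network, and a copy that reuses a sid.
SAMPLE_RULES = [
    'alert udp any any -> 192.168.1.0/24 53 (msg:"Incoming DNS request!";sid:9000000;priority:1;)',
    # Standard query, recursion desired, one question: bytes 2-5 of the DNS header.
    'alert udp 10.204.5.0/24 any -> any 53 (msg:"DNS query from 10.204.5.0/24"; '
    'content:"|01 00 00 01|"; offset:2; depth:4; sid:9000001; rev:1;)',
    'alert udp any 53 -> 10.204.5.0/24 any (msg:"DNS response to 10.204.5.0/24"; '
    'content:"|81 80|"; offset:2; depth:2; sid:9000001; rev:1;)',
]

if __name__ == "__main__":
    for rule, problems in zip(SAMPLE_RULES, check_rules(SAMPLE_RULES)):
        print(problems or "ok", "<-", rule[:60])
```

Running it flags Darren's rule for the missing content: option, accepts the query rule, and rejects the third rule for reusing sid 9000001.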

  • dmease729 Champion 267 posts since
    Jul 22, 2011
    3. Jan 23, 2012 10:16 AM (in response to radiomoskau)
    Re: Custom Attack Signature for DNS query & response

    Hi Roman,

    If there is a requirement to log certain user activities it is likely that you will need to think about another way of monitoring. One idea off the top of my head is the potential use of a hub or SPAN port whereby the traffic could be mirrored to another host (could be a cheap laptop), with Wireshark running on it. If the Wireless Access Point is connected directly to a firewall or Layer 3 device, you could insert a cheap hub between them (or segregate off a VLAN on a switch you have). Essentially, as the DNS sig you are trying to configure is generic, there is a manual element of work either way, after the packets have been captured.

    The IPS isn't really designed for this purpose in all honesty.

    With regard to the narrow capture filter and the 'send log after 10M' - what settings are you referring to? Given the nature of DNS, I doubt you would get up to 10M in one flow, which is what would be captured each time the alert triggered - even with zone transfer activity or larger DNS responses, 10M would be rare.

    Let me know if I have misunderstood what you are trying to achieve :-)

    cheers,

    Darren
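
Added example (not from the thread): once the traffic has been mirrored and captured as Darren suggests, the "manual element of work" can be a short script rather than clicking through Wireshark. This Python parses DNS messages from UDP payloads and keeps only queries from and responses to 10.204.5.0/24, the network in the original post, reporting the queried name and any A-record answers. The packets are constructed inline (built by the same script) so it runs offline; in practice the (src, dst, payload) tuples would come from a pcap reader, which is not part of this example.

```python
"""Added example: filter captured DNS traffic to one network and list the names queried."""
import ipaddress
import struct

# The subnet from the original post; any other network works the same way.
NETWORK = ipaddress.ip_network("10.204.5.0/24")


def encode_name(name):
    """Encode 'www.example.com' as DNS labels (length-prefixed, zero-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(payload, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels = []
    while True:
        length = payload[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", payload[offset:offset + 2])[0] & 0x3FFF
            tail, _ = decode_name(payload, ptr)
            labels.append(tail)
            return ".".join(labels), offset + 2
        labels.append(payload[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def build_query(txid, qname):
    """Standard query (flags 0x0100, recursion desired), one A question."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)


def build_response(query, answer_ip):
    """Answer a query with one A record; the name is a pointer to offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]  # qname + qtype + qclass, copied from the query
    header = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
    return header + question + rr + ipaddress.ip_address(answer_ip).packed


def parse_dns(payload):
    """Return id, query/response flag, first question name and A answers."""
    txid, flags, _qdcount, ancount = struct.unpack("!4H", payload[:8])
    qname, off = decode_name(payload, 12)
    qtype, _qclass = struct.unpack("!HH", payload[off:off + 4])
    off += 4
    answers = []
    for _ in range(ancount):
        _name, off = decode_name(payload, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10
        rdata = payload[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(str(ipaddress.ip_address(rdata)))
    return {"id": txid, "response": bool(flags & 0x8000),
            "qname": qname, "qtype": qtype, "answers": answers}


def dns_for_network(packets, network=NETWORK):
    """packets: iterable of (src_ip, dst_ip, udp_payload).
    Keep queries sent from the network and responses delivered to it."""
    hits = []
    for src, dst, payload in packets:
        rec = parse_dns(payload)
        if rec["response"] and ipaddress.ip_address(dst) in network:
            hits.append(("response", dst, rec["qname"], rec["answers"]))
        elif not rec["response"] and ipaddress.ip_address(src) in network:
            hits.append(("query", src, rec["qname"], []))
    return hits


# Constructed sample traffic (not captured data): a query from a host in the
# network, the matching response, and a query from outside the network.
Q = build_query(0x1234, "www.example.com")
R = build_response(Q, "203.0.113.10")
SAMPLE_PACKETS = [
    ("10.204.5.17", "10.204.1.53", Q),
    ("10.204.1.53", "10.204.5.17", R),
    ("10.1.1.1", "10.204.1.53", build_query(0x5678, "mail.example.net")),
]

if __name__ == "__main__":
    for hit in dns_for_network(SAMPLE_PACKETS):
        print(hit)
```

The direction test mirrors the rule header Roman is after: source address inside the subnet for queries, destination inside it for responses, so the third sample packet is dropped.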

  • dmease729 Champion 267 posts since
    Jul 22, 2011

    Ah! In that case the packet capture status should show the number of captured packets increasing - if this stops, then it looks like the capture has stopped (or you could just leave it running and see if more files appear on the manager!). I haven't got access to an M-series myself at present, so I can't play around with this - let me know how you get on though!
