Written by Matt Jonkman
Wednesday, 23 July 2008
You've surely heard about the DNS cache poisoning flaws disclosed today. Metasploit has a working module to exploit this, so here come the kiddies!! I didn't think we were going to be able to do this in regular Snort syntax, but the collaboration of many very sharp people brought out a better solution. Rather than tracking QIDs and ports across many requests looking for brute forcing, we believe the attack can be spotted by looking for excessive numbers of DNS response packets with:
1. More than one answer included
2. AND more than one additional record

The reason is that this vulnerability gives the attacker an advantage ONLY when they can get a response to the resolver before the real response arrives, and that response includes an ADDITIONAL record. That additional record will be automatically trusted by the resolver and added to the cache. So the attacker makes the client do many lookups for bogus555.google.com and tries to beat Google with a response, but its additional record is for www.google.com. The resolver will assume the additional record is correct, since the QID matches its request (and, on an unpatched resolver, so does the predictable source port) and the name falls within the same bailiwick as the question, and it will add the incorrect information to its local cache, serving up the bad lookup for as long as the TTL on the bogus record lasts.

More than 100 such responses from the same source in 10 seconds is a huge deal. I can't imagine a legitimate situation where that could happen, and an attacker is going to have to send many more responses than that, for a long time, to get a good match. The short time period should keep the tracking load on Snort under control. So here's what has been forged to date: http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/
This is live in the ruleset now. Please test and report any issues ASAP!!!
With Metasploit having a module out that works to exploit this, we're going to see a LOT of these attacks. In fact, it's already started!
Matt
Last Updated ( Thursday, 24 July 2008 )
Written by Matt Jonkman
Tuesday, 22 July 2008
By now everyone's heard about the DNS issues Dan Kaminsky discovered, which have since been deduced/leaked (http://www.doxpara.com/ and others). Several people have asked privately if we've got signatures coming for the issue. Unfortunately, as I understand the issues, there's not much we can do with Snort. We'd need to track QIDs between packets in different streams, which is something Snort can't do. And if it could, it would be a MASSIVE load no matter how it were implemented.
What I've done personally is set up blocking sigs something like:

# sid:xxx is a placeholder; assign a SID from the local range (1000000 and above) before loading the rule
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"JONKMAN Excessive DNS Traffic"; threshold: type both, track by_src, count 30, seconds 30; sid:xxx; rev:1;)

This catches the IPs that are already hitting me pushing www.microsoft.com to try to poison. My DNS servers are all patched already, but I prefer to block idiots. And my DNS servers are only serving domains, not acting as primary resolvers for anyone, so 30 requests in 30 seconds is way out of line.
The problem with this sig is that you have to decide what an acceptable threshold is for you. But if you shouldn't have inbound DNS requests at all, a firewall rule would be most appropriate.
So, just my thoughts here. If anyone has an idea for a better, more universal Snort sig, please let us know. In the meantime, I'd recommend something like the above just to catch someone essentially brute forcing your DNS cache.
Matt
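A worked version of both rate-based approaches from the two posts above (the 23 July response-shape rule and this post's inbound-query threshold), written here as an added example rather than Emerging Threats or Snort code. It parses the 12-byte DNS header out of each UDP payload, applies either condition (a response from port 53 carrying more than one answer AND more than one additional record, or any query to port 53), and feeds the matches through a counter that mimics Snort's `threshold: type both, track by_src` semantics: one alert when the N-th matching packet from a source arrives within S seconds of the first, then silence until that window expires. The packet tuples, IP addresses, transaction IDs and the resolver's query port (32768) are all constructed for the example and stand in for captured traffic.

```python
"""Rate-based DNS cache-poisoning detection (added example, not ET ruleset code).

Packets are (ts_seconds, src_ip, src_port, dst_port, udp_payload); only the
DNS header inside the UDP payload is inspected.
"""
import struct

# DNS header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (RFC 1035 section 4.1.1)
DNS_HEADER = struct.Struct("!HHHHHH")
QR_BIT = 0x8000  # set in FLAGS on responses


def parse_dns_header(payload):
    """Return the six header fields as a dict, or None if the payload is too short."""
    if len(payload) < DNS_HEADER.size:
        return None
    qid, flags, qd, an, ns, ar = DNS_HEADER.unpack_from(payload)
    return {"id": qid, "is_response": bool(flags & QR_BIT),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


class ThresholdBoth:
    """Snort 'threshold: type both, count N, seconds S, track by_src'.

    Fires once when the N-th event from a key lands within S seconds of the
    first event of the window, then ignores that key until the window expires.
    """

    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self._win = {}  # key -> [window_start, events_seen, already_fired]

    def hit(self, key, ts):
        st = self._win.get(key)
        if st is None or ts - st[0] >= self.seconds:
            st = self._win[key] = [ts, 0, False]  # open a fresh window
        st[1] += 1
        if not st[2] and st[1] >= self.count:
            st[2] = True
            return True
        return False


def poison_response_rule(sport, dport, hdr):
    """23 July logic: response from port 53 with >1 answer and >1 additional RR."""
    return sport == 53 and hdr["is_response"] and hdr["ancount"] > 1 and hdr["arcount"] > 1


def inbound_query_rule(sport, dport, hdr):
    """22 July logic: any query to port 53 (for a server that should not be recursing)."""
    return dport == 53 and not hdr["is_response"]


def run_rule(packets, rule, count, seconds):
    """Apply `rule` to packets in time order; return [(src_ip, ts)] alerts."""
    thr = ThresholdBoth(count, seconds)
    alerts = []
    for ts, src, sport, dport, payload in sorted(packets, key=lambda p: p[0]):
        hdr = parse_dns_header(payload)
        if hdr is not None and rule(sport, dport, hdr) and thr.hit(src, ts):
            alerts.append((src, ts))
    return alerts


# ---- constructed sample traffic (no real captures) -------------------------

def build_dns(qid, response, an=0, ns=0, ar=0):
    """A real DNS header followed by placeholder bytes for the question/RR sections."""
    flags = 0x8180 if response else 0x0100  # QR|RD|RA on answers, RD on queries
    return DNS_HEADER.pack(qid, flags, 1, an, ns, ar) + b"\x00" * 16


RESOLVER_PORT = 32768  # assumed source port of the monitored resolver's queries

SAMPLE_PACKETS = []
# A normal answer: one A record, empty additional section.
SAMPLE_PACKETS.append((0, "198.51.100.53", 53, RESOLVER_PORT, build_dns(0x1234, True, an=1)))
# Forged flood: 120 responses with 2 answers + 2 additional RRs, 20 per second,
# each carrying a different guessed transaction ID.
for i in range(120):
    SAMPLE_PACKETS.append((1 + i // 20, "192.0.2.10", 53, RESOLVER_PORT,
                           build_dns(0x4000 + i, True, an=2, ns=1, ar=2)))
# A source that legitimately returns glue, but only 5 times inside the window.
for t in range(2, 7):
    SAMPLE_PACKETS.append((t, "203.0.113.7", 53, RESOLVER_PORT,
                           build_dns(0x5000 + t, True, an=2, ns=2, ar=2)))
# Someone hammering an authoritative-only server: 40 queries, one per second.
for t in range(40):
    SAMPLE_PACKETS.append((t, "192.0.2.99", 40000 + t, 53, build_dns(0x6000 + t, False)))


if __name__ == "__main__":
    print("23 July rule (count 100, seconds 10):", run_rule(SAMPLE_PACKETS, poison_response_rule, 100, 10))
    print("22 July rule (count 30, seconds 30):", run_rule(SAMPLE_PACKETS, inbound_query_rule, 30, 30))
```

On the constructed traffic the first rule fires once for 192.0.2.10 at second 5 (its 100th forged response) and stays quiet for the rest of that 10-second window, while the five glue-bearing answers from 203.0.113.7 never reach the threshold; the second rule fires once for 192.0.2.99 at second 29. The counter keys on the source address only, so as with the Snort rule the threshold has to be tuned to what the monitored host legitimately exchanges with each peer.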
Written by Matt Jonkman
Saturday, 19 July 2008
2008402 - ET MALWARE Realtimegaming.com Online Casino Spyware Gaming Checkin (emerging-malware.rules)
2008403 - ET MALWARE Realtimegaming.com/Windows Casino Online Gaming Checkin (emerging-malware.rules)
2008405 - ET TROJAN Obitel trojan calling home (emerging-virus.rules)
2008406 - ET POLICY RemoteSpy.com Upload Detect (emerging-policy.rules)
2008407 - ET CURRENT_EVENTS Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (1) (emerging.rules)
2008408 - ET CURRENT_EVENTS Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (2) (emerging.rules)
2008409 - ET CURRENT_EVENTS Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (3) (emerging.rules)
2008411 - ET TROJAN LDPinch SMTP Password Report with mail client The Bat! (emerging-virus.rules)
2008412 - ET TROJAN Trojan-Dropper.Win32.Small.avu HTTP Checkin (emerging-virus.rules)
2008413 - ET MALWARE Suspicious User-Agent (PcPcUpdater) (emerging-malware.rules)
2008414 - ET SCAN Cisco Torch TFTP Scan (emerging-scan.rules)
2008415 - ET SCAN Cisco Torch IOS HTTP Scan (emerging-scan.rules)
2008416 - ET SCAN Httprint Web Server Fingerprint Scan (emerging-scan.rules)
2008417 - ET SCAN Wapiti Web Server Scan (emerging-scan.rules)
2008418 - ET POLICY Metasploit Framework Update (emerging-policy.rules)
2008419 - ET MALWARE Advert-network.com Related Spyware Updating (emerging-malware.rules)
2008420 - ET TROJAN HTTP GET Request on port 53 -- Very Likely Hostile (emerging-virus.rules)
2008421 - ET TROJAN HTTP POST Request on port 53 -- Very Likely Hostile (emerging-virus.rules)
2008422 - ET MALWARE Suspicious User-Agent (Inet_read) (emerging-malware.rules)
2008423 - ET MALWARE Suspicious User-Agent (CFS Agent) (emerging-malware.rules)
2008424 - ET MALWARE Suspicious User-Agent (CFS_DOWNLOAD) (emerging-malware.rules)
2008425 - ET MALWARE Advert-network.com Related Spyware Checking for Updates (emerging-malware.rules)
2008426 - ET EXPLOIT SecurityGateway 1.0.1 Remote Buffer Overflow (emerging-exploit.rules)
2008427 - ET MALWARE Suspicious User-Agent (AdiseExplorer) (emerging-malware.rules)
2008428 - ET MALWARE Suspicious User-Agent (HTTP Downloader) (emerging-malware.rules)
2008429 - ET MALWARE Suspicious User-Agent (HttpDownload) (emerging-malware.rules)
2008430 - ET TROJAN Win32.Dialer.buv Sending Information Home (emerging-virus.rules)
2008431 - ET TROJAN PWS.Gamania Checkin (emerging-virus.rules)
2008433 - ET TROJAN Pandex checkin detected (emerging-virus.rules)
2008434 - ET TROJAN Coreflood/AFcore Trojan Infection (emerging-virus.rules)
2008435 - ET TROJAN Win32.Testlink Trojan Speed Test Start port 8888 (emerging-virus.rules)
2008436 - ET TROJAN Win32.Testlink Trojan Speed Test port 8888 (emerging-virus.rules)
2008437 - ET TROJAN Win32.Testlink Trojan Checkin port 8888 (emerging-virus.rules)
2008438 - ET MALWARE Possible Windows executable sent when remote host claims to send a Text File (emerging-malware.rules)
2008439 - ET WEB_SQL_INJECTION AlstraSoft Affiliate Network Pro (pgm) Parameter SQL Injection (emerging-web_sql_injection.rules)
2008440 - ET MALWARE Suspicious User-Agent (Download App) (emerging-malware.rules)
2008441 - ET TROJAN Win32 Dialer Variant (emerging-virus.rules)
2008442 - ET TROJAN Rootkit.Win32.Clbd.cz Checkin (emerging-virus.rules)
2008443 - ET TROJAN Coreflood/AFcore Trojan Infection (2) (emerging-virus.rules)
2008444 - ET EXPLOIT PWDump4 Password dumping exe copied to victim (emerging-exploit.rules)
2008445 - ET EXPLOIT Pwdump6 Session Established test file created on victim (emerging-exploit.rules)
2008446 - ET EXPLOIT Fgdump Session Established test file created on victim (emerging-exploit.rules)
2008447 - ET EXPLOIT Foofus.net Password dumping, dll injection (emerging-exploit.rules)
2008449 - ET TROJAN Keylogger.ane Checkin (emerging-virus.rules)

Modified active rules:
2002400 - ET MALWARE Suspicious User Agent (Microsoft Internet Explorer) (emerging-malware.rules)
2003243 - ET MALWARE Suspicious User Agent (Download Agent) Possibly Related to TrinityAcquisitions.com (emerging-malware.rules)
2003497 - ET MALWARE Suspicious User-Agent (ms) (emerging-malware.rules)
2007594 - ET TROJAN Banker.Delf User-Agent (Mz/MzApp) (emerging-virus.rules)
2007930 - ET TROJAN Delf/Hupigon C&C Channel Version Report (emerging-virus.rules)
2008100 - ET TROJAN PRG/wnspoem/Zeus InfoStealer Trojan Config Download (emerging-virus.rules)
2008260 - ET TROJAN Pointpack.kr Related Trojan Checkin (emerging-virus.rules)
2008374 - ET MALWARE Suspicious User-Agent (InetURL) (emerging-malware.rules)
2008378 - ET MALWARE Suspicious User-Agent (ErrCode) (emerging-malware.rules)
2008391 - ET MALWARE Suspicious User-Agent (svchost) (emerging-malware.rules)
2008400 - ET MALWARE Suspicious User-Agent (ReadFileURL) (emerging-malware.rules)
Last Updated ( Saturday, 19 July 2008 )