Custom Signature to detect modifications to DNS

dblairii (Level 1)

I need to write a signature that will allow me to detect a specific modification to DNS servers. Specifically, I have a manually entered MX record that keeps 'mysteriously' disappearing. Let's suppose the MX record is for mx.mymail.com....

How would I craft a signature to look for this information in packets destined to/from a given name server?

After I have the signature, I intend to log the subsequent traffic to decipher what is going on.

Thanks in advance!

3 Replies

mcerha (Level 3)

Hmm, I'd be really concerned if your MX records keep disappearing first of all. I'm guessing from your message that you'd like a signature to detect someone accessing an MX record for the host 'mx.mymail.com' or domain 'mymail.com', which would be more common. To do this you'll need to use a combination of STRING.UDP and event filters.

Engine STRING.UDP
Direction ToService
ServicePorts 53
RegexString \x06[Mm][Yy][Mm][Aa][Ii][Ll]\x03[Cc][Oo][Mm]\x00\x00\x0F\x00\x01

This should detect all MX queries for email destined to the 'mymail.com' domain. To limit this to specific nameservers, create some event filters for the signature with the nameservers as the destinations. For 4.x, be sure to enable the CapturePacket parameter also.

If you don't mind..... could you elaborate on the Hex portions of this regex?

Thanks!

The \x06 and \x03 bits are the length separators in the domain name (where the periods go) terminated by a null (\x00). The \x00\x0F means it's an MX request. The last \x00\x01 means it is an 'inet' type request.
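As an added illustration (not part of the original thread, and not Cisco IPS code), the following Python builds DNS query datagrams in the RFC 1035 wire format and runs the signature's RegexString over them as a bytes pattern, so the byte layout explained above can be checked offline. The packet builder, the transaction IDs and the query names are constructed for the example. It also shows a point the thread mentions only in passing: the pattern is unanchored, so a query for any name that ends in the labels mymail.com (mx.mymail.com included) fires it, while names such as notmymail.com do not, because the preceding length byte acts as a left boundary.

```python
import re
import struct

# The RegexString from the signature above, used as a Python bytes pattern.
MX_MYMAIL_RE = re.compile(
    rb"\x06[Mm][Yy][Mm][Aa][Ii][Ll]\x03[Cc][Oo][Mm]\x00\x00\x0F\x00\x01"
)

QTYPE_A = 1
QTYPE_MX = 15
QCLASS_IN = 1


def encode_name(name):
    """Encode a dotted name as DNS labels: one length byte per label, then 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("DNS labels must be 1..63 bytes long")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(txid, name, qtype, qclass=QCLASS_IN):
    """Build a minimal DNS query datagram: 12-byte header plus one question.

    Header fields: ID, flags (RD set), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0.
    txid and name are constructed sample values supplied by the caller.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)


def decode_question(packet):
    """Parse the first question of a DNS datagram into (name, qtype, qclass)."""
    pos = 12  # skip the fixed header
    labels = []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a query name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels), qtype, qclass


def signature_fires(packet):
    """True if the STRING.UDP RegexString would match this datagram's payload."""
    return MX_MYMAIL_RE.search(packet) is not None


if __name__ == "__main__":
    samples = [
        ("mymail.com", QTYPE_MX),      # the MX query the signature is written for
        ("MyMail.COM", QTYPE_MX),      # mixed case: the [Mm] classes still match
        ("mx.mymail.com", QTYPE_MX),   # subdomain: unanchored pattern still matches
        ("mymail.com", QTYPE_A),       # A query for the same name: no match
        ("notmymail.com", QTYPE_MX),   # different label length byte: no match
    ]
    for name, qtype in samples:
        pkt = build_query(0x1234, name, qtype)
        print(f"{name:16s} qtype={qtype:2d} fires={signature_fires(pkt)}")
```

Running the block prints one line per constructed query; the decoder is there so you can confirm that the bytes the regex is matching really are the question section (name, QTYPE, QCLASS) and nothing else in the datagram. The Direction ToService setting in the signature is what keeps it from also firing on the server's response, which echoes the same question section back.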
