SecuraBit before it Bytes

OpenPacket

I came across these guys a month or so back when I was looking at topics for one of our shows, and I don’t remember whether I touched on them or not, but this project is definitely worth a second look.  Their community seems small right now, but the idea behind what they’re doing seems like common sense to me, and I’m not aware of anyone else out there collecting packet captures from anyone who wants to upload one.

Obviously, be careful what you download, but if we can get some traffic their way and get people to upload both malicious and normal traffic captures to them, I think it will end up being an extremely useful resource for anyone who uses packet data for their job, such as writing Snort signatures!

Their site is https://www.openpacket.org.  Remember that this isn’t for uploading 10 gigs of traffic you captured off of your neighbor’s Wi-Fi, and don’t submit your own traffic that includes your PayPal and online banking sessions either. :)  Make sure you have permission if you’re going to be submitting a capture with information someone other than you generated.

Latest Snort signature to detect DNS vulnerability

As many of you already know, this DNS vulnerability has taken the community as a whole by storm. For you Snort guys out there, here is the latest DNS signature that may help you detect such activity.  Props to alexkirk from the #snort channel for hooking us up!

Implement at your own risk! Simply cut and paste it, as it looks pretty nasty below:

alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DNS large number of NXDOMAIN replies - possible DNS cache poisoning"; byte_test:1,&,3,3; classtype:misc-attack; reference:cve,2008-0087; reference:url,www.microsoft.com/technet/security/bulletin/MS08-020.mspx; reference:cve,2008-1447; reference:url,www.microsoft.com/technet/security/bulletin/MS08-037.mspx; threshold: type threshold, track by_src, count 1000, seconds 30;)

Hope this helps!
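To see what the rule actually counts, here is an added example (not part of the original post or alexkirk's rule) that models its two working parts in Python: the `byte_test:1,&,3,3` check on the DNS flags byte and a simplified version of the `threshold` option. The helper names and the sample traffic are constructed for illustration; note that the mask of 3 also matches other response codes whose low two bits are set, such as SERVFAIL and REFUSED.

```python
import struct

COUNT, SECONDS = 1000, 30   # values from the rule's threshold option

def dns_response(txid, rcode):
    """Constructed 12-byte DNS response header (QR=1, RD=1, RA=1, no records)."""
    flags = 0x8180 | (rcode & 0x0F)
    return struct.pack("!HHHHHH", txid, flags, 0, 0, 0, 0)

def byte_test_matches(payload):
    """Model of byte_test:1,&,3,3 - read 1 byte at offset 3, AND with 3, match if non-zero."""
    return len(payload) > 3 and (payload[3] & 3) != 0

class Threshold:
    """Simplified model of 'type threshold, track by_src' (assumption: fixed windows)."""
    def __init__(self, count=COUNT, seconds=SECONDS):
        self.count, self.seconds = count, seconds
        self.state = {}  # src -> (window_start, hits)

    def hit(self, src, now):
        start, hits = self.state.get(src, (now, 0))
        if now - start >= self.seconds:      # window expired, start a new one
            start, hits = now, 0
        hits += 1
        alert = hits >= self.count           # fire on every count-th event in the window
        self.state[src] = (start, 0 if alert else hits)
        return alert

def run(events):
    """events: iterable of (timestamp, src_ip, udp_payload). Returns [(ts, src)] alerts."""
    th, alerts = Threshold(), []
    for ts, src, payload in events:
        if byte_test_matches(payload) and th.hit(src, ts):
            alerts.append((ts, src))
    return alerts

def flood(src, n, rcode, start=0.0, step=0.01):
    """Constructed sample traffic: n responses from one source with a given RCODE."""
    return [(start + i * step, src, dns_response(i & 0xFFFF, rcode)) for i in range(n)]

if __name__ == "__main__":
    for name, rcode in (("NOERROR", 0), ("SERVFAIL", 2), ("NXDOMAIN", 3), ("NOTIMP", 4)):
        print(name, "matches byte_test:", byte_test_matches(dns_response(1, rcode)))
    print("alerts:", run(flood("192.0.2.53", 1000, 3)))
```

The SERVFAIL result is the practical caveat: a resolver that is merely failing upstream can trip the same alert, so the message text "NXDOMAIN replies" should be read as "error replies" when triaging.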
