FireSIGHT System User Guide, Chapter 25: Using Application Layer Preprocessors (page 25-16)

Detecting Exploits in DNS Name Server Responses
When the resource record type is TXT (text), the RData field is a variable-length ASCII text field made up of one or more character strings, each prefixed by a one-byte length. When selected, the DNS preprocessor option Detect Overflow attempts on RData Text fields detects a specific vulnerability identified by entry CVE-2006-3441 in MITRE's Common Vulnerabilities and Exposures database. This is a known vulnerability in Microsoft Windows 2000 Service Pack 4, Windows XP Service Pack 1 and Service Pack 2, and Windows Server 2003 Service Pack 1. An attacker can exploit this vulnerability and take complete control of a host by sending, or otherwise causing the host to receive, a maliciously crafted name server response in which the declared length of an RData text field does not match the data actually present, so that the client miscalculates the field length and overflows a buffer.
You should enable this feature when your network might include hosts running operating systems that 
have not been upgraded to correct this vulnerability.
You can enable rule 131:3 to generate events for this option. See  for more information.
Detecting Obsolete DNS Resource Record Types
License: Protection
RFC 1035 identifies several resource record types (MD and MF, superseded by MX) as obsolete. Because these are obsolete record types, some resolvers do not handle them correctly and may be open to exploits. You would not expect to encounter these record types in normal DNS responses unless you have purposely configured your network to include them.
You can configure the system to detect known obsolete resource record types. The following table lists 
and describes these record types.
You can enable rule 131:1 to generate events for this option. See  for more information.
Detecting Experimental DNS Resource Record Types
License: Protection
RFC 1035 identifies several resource record types (MB, MG, MR, NULL, and MINFO) as experimental. Because these are experimental record types, some resolvers do not handle them correctly and may be open to exploits. You would not expect to encounter these record types in normal DNS responses unless you have purposely configured your network to include them.
You can configure the system to detect known experimental resource record types. The following table lists and describes these record types.
Table 25-3    Obsolete DNS Resource Record Types

RR Type   Code   Description
3         MD     a mail destination
4         MF     a mail forwarder
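The three checks described above (the RData TXT length check behind rule 131:3, the obsolete record types behind rule 131:1, and the experimental record types) are shown below as an added, self-contained example. It is not FireSIGHT or Snort code: the message builder, the sample responses, and the alert names are constructed for this illustration, and the RR type codes are taken from RFC 1035 section 3.2.2.

```python
# Added example: a minimal inspector for the three DNS-response checks described
# on this page. Constructed for illustration; not FireSIGHT or Snort code. The
# builder, the sample messages and the alert names are this example's own.
import struct

# RR type codes and their status per RFC 1035 section 3.2.2.
OBSOLETE_RR_TYPES = {3: "MD", 4: "MF"}                               # obsolete, use MX
EXPERIMENTAL_RR_TYPES = {7: "MB", 8: "MG", 9: "MR", 10: "NULL", 14: "MINFO"}
TYPE_TXT = 16


def read_name(msg, off):
    """Skip a DNS name starting at off and return the offset just past it.
    A compression pointer (top two bits set) is two bytes and ends the name."""
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:
            return off + 2
        off += 1 + ln


def check_txt_rdata(rdata):
    """TXT RDATA is one or more <character-string>s: a length byte followed by
    that many bytes. Return True only if every declared length fits inside
    RDLENGTH. A length byte that claims more than remains is the mismatch the
    'Detect Overflow attempts on RData Text fields' option looks for."""
    pos = 0
    while pos < len(rdata):
        ln = rdata[pos]
        if pos + 1 + ln > len(rdata):
            return False
        pos += 1 + ln
    return True


def inspect_response(msg):
    """Walk a DNS message and return a list of (alert, detail) tuples.
    Only responses (QR bit set) are inspected; queries yield no alerts."""
    alerts = []
    if len(msg) < 12:
        return [("truncated_header", len(msg))]
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000:
        return alerts
    off = 12
    for _ in range(qd):                    # QNAME, then QTYPE and QCLASS
        off = read_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = read_name(msg, off)
        if off + 10 > len(msg):
            alerts.append(("truncated_rr", off))
            break
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if len(rdata) < rdlen:             # RDLENGTH points past the packet
            alerts.append(("truncated_rr", off))
            break
        if rtype in OBSOLETE_RR_TYPES:         # the page maps this to rule 131:1
            alerts.append(("obsolete_rr_type", OBSOLETE_RR_TYPES[rtype]))
        elif rtype in EXPERIMENTAL_RR_TYPES:
            alerts.append(("experimental_rr_type", EXPERIMENTAL_RR_TYPES[rtype]))
        elif rtype == TYPE_TXT and not check_txt_rdata(rdata):   # rule 131:3
            alerts.append(("txt_rdata_overflow", rdlen))
        off += rdlen
    return alerts


# --- constructed sample traffic (not captured from a real resolver) -----------
def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_response(rrs, flags=0x8180, qname="example.com"):
    """Build a DNS message with one A question and the given (type, rdata)
    answers; each answer owner name is a compression pointer back to QNAME."""
    hdr = struct.pack("!6H", 0x1234, flags, 1, len(rrs), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    body = b""
    for rtype, rdata in rrs:
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return hdr + question + body


SAMPLE_RESPONSES = {
    "benign_txt": build_response([(TYPE_TXT, b"\x0b" + b"v=spf1 -all")]),
    # length byte 0xff promises 255 bytes of text, but RDLENGTH is only 5
    "txt_overflow": build_response([(TYPE_TXT, b"\xff" + b"AAAA")]),
    "obsolete_md": build_response([(3, encode_name("mail.example.com"))]),
    "experimental_mb": build_response([(7, encode_name("mail.example.com"))]),
}

if __name__ == "__main__":
    for name, msg in SAMPLE_RESPONSES.items():
        print(f"{name:16s} -> {inspect_response(msg)}")
```

The overflow check is deliberately strict: each length byte must fit inside RDLENGTH, so a record that is merely short (truncated by the network) is reported separately as truncated rather than as an overflow attempt, which keeps the 131:3-style alert specific to the crafted-length case the page describes.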