Snort mailing list archives
Re: Detecting last bind vulnerability?
From: "Lay, James" <james.lay () wincofoods com>
Date: Thu, 17 Nov 2011 15:44:57 -0700
Hi, I'm writing a rule, maybe, for detecting the last bind vulnerability:
(warn: NOT TESTED!)
# Byte 2 of the DNS header holds QR/Opcode/AA/TC/RD; bit 0x80 (QR) set = reply.
# Byte 3 holds RA/Z/AD/CD and the 4-bit RCODE in its low nibble.
# RCODE bit 3 set and bits 0-2 clear => RCODE == 8 (NXRRSET).
alert udp any 53 -> any any (msg:"DNS reply NXRRset access"; \
    byte_test:1,&,128,2; \
    byte_test:1,&,8,3; byte_test:1,!&,1,3; byte_test:1,!&,2,3; \
    byte_test:1,!&,4,3; \
    reference:cve,2011-4313; reference:bugtraq,50690; \
    reference:osvdb,77159; \
    classtype:bad-unknown; sid:9542371; rev:1;)

Of course, check IPs and ports, and create another TCP DNS rule... (maybe if you have stream5 track_udp yes, add flow:to_client.) It's not full coverage of the last bind vulnerability, but I'm curious if anyone has FPs?

(I have an update for more vulnerability checking if you have FPs.)

Regards
Rmkml
http://twitter.com/rmkml
I'll let you know what I find... nice rule.

James

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
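An added worked example, not part of rmkml's post or of the Snort project: a small Python model of the five byte_test checks in the rule above, run over constructed DNS headers (not captured traffic) so you can see exactly which replies it would fire on. The helpers (build_dns_header, byte_test, rule_matches, evaluate, tcp_frame) are hypothetical names chosen here. Two things the model makes concrete: the rule fires only on a reply (QR set) whose RCODE is exactly 8, NXRRSET, which RFC 2136 defines for UPDATE responses, so it should be rare in answers to ordinary queries; and on TCP the 2-byte length prefix (RFC 1035 4.2.2) shifts the header by two bytes, so a TCP copy of the rule needs offsets 4 and 5 rather than 2 and 3, which is what "create another tcp dns rule" has to account for.

```python
import struct


def build_dns_header(txid, qr, rcode, opcode=0, aa=False, tc=False,
                     rd=True, ra=True, ad=False, cd=False):
    """Constructed 12-byte DNS header (RFC 1035 4.1.1) with zeroed counts.
    Only the two flag bytes at offsets 2 and 3 matter to the posted rule."""
    flags = ((int(qr) << 15) | ((opcode & 0xF) << 11) | (int(aa) << 10)
             | (int(tc) << 9) | (int(rd) << 8) | (int(ra) << 7)
             | (int(ad) << 5) | (int(cd) << 4) | (rcode & 0xF))
    return struct.pack("!HHHHHH", txid, flags, 0, 0, 0, 0)


def byte_test(payload, size, op, value, offset):
    """Subset of Snort's byte_test: big-endian operand, '&' and '!&' only.
    As in Snort, a test over bytes that are not in the payload does not match."""
    if offset < 0 or len(payload) < offset + size:
        return False
    n = int.from_bytes(payload[offset:offset + size], "big")
    if op == "&":
        return (n & value) != 0
    if op == "!&":
        return (n & value) == 0
    raise ValueError("unsupported operator %r" % op)


def rule_matches(payload, base=0):
    """The five byte_tests of the posted rule, evaluated in rule order.
    base shifts every offset: 0 for a UDP payload, 2 for a TCP DNS message
    whose 2-byte length prefix precedes the header."""
    return (byte_test(payload, 1, "&", 128, base + 2)      # QR=1: a reply
            and byte_test(payload, 1, "&", 8, base + 3)    # RCODE bit 3 set
            and byte_test(payload, 1, "!&", 1, base + 3)   # RCODE bit 0 clear
            and byte_test(payload, 1, "!&", 2, base + 3)   # RCODE bit 1 clear
            and byte_test(payload, 1, "!&", 4, base + 3))  # bit 2 clear: RCODE == 8


def dns_rcode(payload, base=0):
    """Low nibble of header byte 3 (RFC 1035 RCODE)."""
    return payload[base + 3] & 0x0F


# Constructed sample headers. RCODE names: RFC 1035 (0-5) and RFC 2136 (6-10).
SAMPLES = {
    "reply NOERROR": build_dns_header(0x1234, qr=True, rcode=0),
    "reply SERVFAIL": build_dns_header(0x1234, qr=True, rcode=2),
    "reply NXDOMAIN": build_dns_header(0x1234, qr=True, rcode=3),
    "reply NXRRSET": build_dns_header(0x1234, qr=True, rcode=8),
    "reply NXRRSET AD/CD set": build_dns_header(0x1234, qr=True, rcode=8,
                                                ad=True, cd=True),
    "reply NOTAUTH": build_dns_header(0x1234, qr=True, rcode=9),
    "reply NOTZONE": build_dns_header(0x1234, qr=True, rcode=10),
    "query with RCODE 8": build_dns_header(0x1234, qr=False, rcode=8),
    "short packet": b"\x12\x34\x81",
}


def evaluate(samples=SAMPLES, base=0):
    """Map each sample name to whether the rule would fire on it."""
    return {name: rule_matches(p, base) for name, p in samples.items()}


def tcp_frame(message):
    """Prefix a DNS message with the 2-byte length used on TCP (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(message)) + message


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print("%-25s %s" % (name, "ALERT" if hit else "-"))
    tcp = tcp_frame(SAMPLES["reply NXRRSET"])
    print("TCP-framed NXRRSET, UDP offsets:", rule_matches(tcp))
    print("TCP-framed NXRRSET, offsets +2: ", rule_matches(tcp, 2))
```

Only the two NXRRSET replies fire; the bits above the RCODE nibble (RA, AD, CD) are not tested by the rule, so an NXRRSET reply with AD and CD set still matches, while NOTAUTH (9) and NOTZONE (10) do not because they set one of the low three bits. The TCP-framed copy of the same reply is missed with the UDP offsets and caught once every offset is shifted by two.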
Current thread:
- Detecting last bind vulnerability? rmkml (Nov 17)
- Re: Detecting last bind vulnerability? Lay, James (Nov 17)