Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Detecting last bind vulnerability?

From: "Lay, James" <james.lay () wincofoods com>
Date: Thu, 17 Nov 2011 15:44:57 -0700
Hi,
Im write a rule for, maybe, for detecting a last bind vulnerability:

(warn: NOT TESTED!)


  alert udp any 53 -> any any (msg:"DNS reply NXRRset access";

byte_test:1,&,128,2;

byte_test:1,&,8,3; byte_test:1,!&,1,3; byte_test:1,!&,2,3;

byte_test:1,!&,4,3;

reference:cve,2011-4313; reference:bugtraq,50690;

reference:osvdb,77159;

classtype:bad-unknown; sid:9542371; rev:1;)

Of course, check IPs and ports, and create another tcp dns rule...
(maybe if you have stream5 track_udp yes, add flow:to_client)

It's not a full coverage last bind vulnerability, but Im curious if

anyone have FP?

(I have update for more checking vulnerability if you have FP)

Regards
Rmkml
http://twitter.com/rmkml



Let you know what I find...nice rule.

James

------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure 
contains a definitive record of customers, application performance, 
security threats, fraudulent activity, and more. Splunk takes this 
data and makes sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-novd2d
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
Previous By Date Next
Previous By Thread Next

Current thread: