Snort mailing list archives
Detecting last bind vulnerability?
From: rmkml <rmkml () yahoo fr>
Date: Fri, 18 Nov 2011 00:32:38 +0100 (CET)
Hi, Im write a rule for, maybe, for detecting a last bind vulnerability: (warn: NOT TESTED!) alert udp any 53 -> any any (msg:"DNS reply NXRRset access"; byte_test:1,&,128,2; byte_test:1,&,8,3; byte_test:1,!&,1,3; byte_test:1,!&,2,3; byte_test:1,!&,4,3; reference:cve,2011-4313; reference:bugtraq,50690; reference:osvdb,77159; classtype:bad-unknown; sid:9542371; rev:1;) Of course, check IPs and ports, and create another tcp dns rule... (maybe if you have stream5 track_udp yes, add flow:to_client) It's not a full coverage last bind vulnerability, but Im curious if anyone have FP? (I have update for more checking vulnerability if you have FP) Regards Rmkml http://twitter.com/rmkml ------------------------------------------------------------------------------ All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity, and more. Splunk takes this data and makes sense of it. IT sense. And common sense. http://p.sf.net/sfu/splunk-novd2d _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Detecting last bind vulnerability? rmkml (Nov 17)
- Re: Detecting last bind vulnerability? Lay, James (Nov 17)