Re: CVE-2015-7547 (GlibC bug) rules

[Lionel PRAT <lionel.prat9 () gmail com>]

Hi,

Thanks for your rules.
I writed an another rule than work too. It's possible to optimise rule...


alert udp any 53 -> any any (msg:"LP UDP-DNS REPLY OVERFLOW
CVE-2015-7547"; content:"|83 80 00 01|"; content:"|00 01 00 01|";
distance:10; 
pcre:"/\x00\x01\x00\x01(.{2000,})/s";reference:url,googleonlinesecurity.blogspot.fr/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html;
classtype:attempted-admin; sid:%YOUR CHOICE%; rev:1;)
alert tcp any 53 -> any any (msg:"LP TCP-DNS REPLY OVERFLOW
CVE-2015-7547"; content:"|83 80 00 01|"; content:"|00 1c 00 01|";
distance:10; pcre:"/\x00\x1c\x00\x01(.{2000,})/s";
reference:url,googleonlinesecurity.blogspot.fr/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html;
classtype:attempted-admin; sid:%YOUR CHOICE%; rev:1;)

Regards,

Lionel

2016-02-17 9:13 GMT+01:00 Dheeraj Gupta <dheeraj.gupta4 () gmail com>:
> Hi,
>
> I was looking at the newly revealed CVE-2015-7547 (GlibC name resolution
> bug) and based on PoC avaliable at https://github.com/fjserna/CVE-2015-7547
> have crafted a rudimentary signature.
> The signature looks for two large DNS responses and raises an alert for the
> second one.
> It is tied to TCP because-
> a, The length field is only available with TCP packets
> b. Most DNS implementations will truncate large UDP DNS responses (and I
> don't know how tp count the length of UDP packet using a snort signature)
>
> alert tcp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"LOCAL Large DNS TCP
> response"; flow:to_client,established; byte_test: 1,&,128,4;
> byte_test:2,>,2000,0; flowbits: set,large_dns_resp; flowbits: noalert;
> sid:10000001; rev:1)
> alert tcp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"LOCAL Large second DNS
> response - possible CVE-2015-7547 attempt"; flow:to_client,established;
> byte_test: 1,&,128,4; byte_test:2,>,200,0; flowbits: isset,large_dns_resp;
> sid:10000002; rev:1)
>
> I have tested these agaisnt PoC and benign traffic and they seem to work.
> A possible false positive is zone transfer.
> Thoughts on how to refine them further or any alternative approaches to
> writing signatures for the said bug?
>
> Regards,
> Dheeraj
>
>
> ------------------------------------------------------------------------------
> Site24x7 APM Insight: Get Deep Visibility into Application Performance
> APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
> Monitor end-to-end web transactions and take corrective actions now
> Troubleshoot faster and improve end-user experience. Signup Now!
> http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!

------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!