Snort mailing list archives
Re: CVE-2015-7547 (GlibC bug) rules
From: Lionel PRAT <lionel.prat9 () gmail com>
Date: Fri, 19 Feb 2016 15:19:32 +0100
Hi,

Thanks for your rules. I wrote another rule that works too. It's possible to optimise the rule...

alert udp any 53 -> any any (msg:"LP UDP-DNS REPLY OVERFLOW CVE-2015-7547"; content:"|83 80 00 01|"; content:"|00 01 00 01|"; distance:10; pcre:"/\x00\x01\x00\x01(.{2000,})/s"; reference:url,googleonlinesecurity.blogspot.fr/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html; classtype:attempted-admin; sid:%YOUR CHOICE%; rev:1;)

alert tcp any 53 -> any any (msg:"LP TCP-DNS REPLY OVERFLOW CVE-2015-7547"; content:"|83 80 00 01|"; content:"|00 1c 00 01|"; distance:10; pcre:"/\x00\x1c\x00\x01(.{2000,})/s"; reference:url,googleonlinesecurity.blogspot.fr/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html; classtype:attempted-admin; sid:%YOUR CHOICE%; rev:1;)

Regards,
Lionel

2016-02-17 9:13 GMT+01:00 Dheeraj Gupta <dheeraj.gupta4 () gmail com>:
Hi,

I was looking at the newly revealed CVE-2015-7547 (GlibC name resolution bug) and, based on the PoC available at https://github.com/fjserna/CVE-2015-7547, have crafted a rudimentary signature. The signature looks for two large DNS responses and raises an alert for the second one. It is tied to TCP because:

a. The length field is only available with TCP packets.
b. Most DNS implementations will truncate large UDP DNS responses (and I don't know how to count the length of a UDP packet using a snort signature).

alert tcp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"LOCAL Large DNS TCP response"; flow:to_client,established; byte_test:1,&,128,4; byte_test:2,>,2000,0; flowbits:set,large_dns_resp; flowbits:noalert; sid:10000001; rev:1;)

alert tcp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"LOCAL Large second DNS response - possible CVE-2015-7547 attempt"; flow:to_client,established; byte_test:1,&,128,4; byte_test:2,>,200,0; flowbits:isset,large_dns_resp; sid:10000002; rev:1;)

I have tested these against the PoC and benign traffic and they seem to work. A possible false positive is zone transfer. Thoughts on how to refine them further or any alternative approaches to writing signatures for the said bug?

Regards,
Dheeraj
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
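The two detection ideas in this thread, Dheeraj's TCP "large response followed by a second response" flowbit pair and Lionel's UDP "|83 80 00 01| ... type/class ... 2000+ bytes" rule, both reduce to a few byte checks on the DNS header and message size. The Python below is an added example (not code from either poster, nor from the Snort project) that emulates those checks over constructed DNS messages so the logic can be exercised offline: `tcp_two_response_alerts` mirrors the byte_test/flowbits pair on the server-to-client payloads of one TCP connection, and `udp_reply_overflow_match` mirrors the UDP rule. All message contents, names and thresholds are constructed assumptions; the filler bytes stand in for an answer section and are not a valid one, which is fine because neither rule parses answers.

```python
"""Emulation of the DNS-response checks discussed in the thread (constructed example)."""
import struct

QTYPE_A, QTYPE_AAAA = 1, 28
FLAGS_QR_RD_RA = 0x8180      # ordinary response: QR, RD, RA
FLAGS_QR_TC_RD_RA = 0x8380   # truncated response: the |83 80| bytes in the UDP rule


def build_dns_response(txid, flags, qname, qtype, body_len):
    """Constructed response: header, one question (class IN) and body_len filler bytes
    in place of the answer section (ANCOUNT is left at 0; the checks never parse it)."""
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    return header + name + struct.pack(">HH", qtype, 1) + b"\x00" * body_len


def tcp_frame(msg):
    """DNS over TCP prefixes each message with a 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack(">H", len(msg)) + msg


def question_end(msg):
    """Offset just past the first question's type/class, or None if the name is malformed.
    Compression pointers are not expected in a question name and are treated as malformed."""
    pos = 12
    while pos < len(msg):
        label_len = msg[pos]
        if label_len == 0:
            return pos + 5 if pos + 5 <= len(msg) else None
        if label_len & 0xC0:
            return None
        pos += label_len + 1
    return None


def tcp_two_response_alerts(payloads, first_min=2000, second_min=200):
    """Emulates the posted TCP rule pair over server->client TCP payloads of one flow.
    byte_test:1,&,128,4 is the QR bit (offset 4 = 2-byte length prefix + 2-byte txid);
    byte_test:2,>,N,0 is the length prefix. Rule 1 sets the flowbit silently when the
    length exceeds first_min; rule 2 alerts when the flowbit is already set and the
    length exceeds second_min. The bit is checked before it is updated so that a single
    large response on its own never alerts. Returns the indexes of alerting payloads."""
    large_dns_resp = False
    alerts = []
    for idx, p in enumerate(payloads):
        if len(p) < 5 or not (p[4] & 0x80):
            continue
        length = struct.unpack(">H", p[:2])[0]
        if large_dns_resp and length > second_min:
            alerts.append(idx)
        if length > first_min:
            large_dns_resp = True
    return alerts


def udp_reply_overflow_match(payload, qtype=QTYPE_A, min_tail=2000):
    """Emulates the posted UDP rule on one UDP payload: flags |83 80| with QDCOUNT 1,
    the question's type/class bytes (|00 01 00 01| for A/IN), and at least min_tail
    bytes after them (the pcre's .{2000,}). This walks the question name instead of
    searching for the type/class bytes as the rule does, which is slightly stricter."""
    if payload[2:6] != b"\x83\x80\x00\x01":
        return False
    end = question_end(payload)
    if end is None or payload[end - 4:end] != struct.pack(">HH", qtype, 1):
        return False
    return len(payload) - end >= min_tail


# Constructed sample traffic (hypothetical name, txid and sizes).
SAMPLE_ATTACK_STREAM = [
    tcp_frame(build_dns_response(0x1234, FLAGS_QR_RD_RA, "foo.bar", QTYPE_A, 2300)),
    tcp_frame(build_dns_response(0x1234, FLAGS_QR_RD_RA, "foo.bar", QTYPE_AAAA, 2300)),
]
SAMPLE_BENIGN_STREAM = [
    tcp_frame(build_dns_response(0x1234, FLAGS_QR_RD_RA, "foo.bar", QTYPE_A, 2300)),
    tcp_frame(build_dns_response(0x1234, FLAGS_QR_RD_RA, "foo.bar", QTYPE_AAAA, 100)),
]
SAMPLE_UDP_LARGE = build_dns_response(0x1234, FLAGS_QR_TC_RD_RA, "foo.bar", QTYPE_A, 2048)
SAMPLE_UDP_SMALL = build_dns_response(0x1234, FLAGS_QR_TC_RD_RA, "foo.bar", QTYPE_A, 100)

if __name__ == "__main__":
    print("TCP attack stream alerts at:", tcp_two_response_alerts(SAMPLE_ATTACK_STREAM))
    print("TCP benign stream alerts at:", tcp_two_response_alerts(SAMPLE_BENIGN_STREAM))
    print("UDP large reply matches:", udp_reply_overflow_match(SAMPLE_UDP_LARGE))
    print("UDP small reply matches:", udp_reply_overflow_match(SAMPLE_UDP_SMALL))
```

Seen this way, the zone-transfer false positive Dheeraj mentions is visible in the code: neither check looks at the question type, so a large AXFR answer stream over TCP satisfies the same length tests; reading the question type via `question_end` is one place a refinement could hook in.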