Snort mailing list archives
Re: BIND signature triggered.
From: "Scott A. McIntyre" <scott () xs4all nl>
Date: Mon, 30 Apr 2001 09:36:26 +0200
Also sprach Martin Roesch (roesch () sourcefire com):
> Can we see the full rule?

Sure, it's pretty simple:

    alert udp $EXTERNAL_NET any -> $HOME_NET 53 ( msg: "BIND - Potential TSIG attempt"; content:"|06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35|"; )

I have seen that content in packets that *were* a part of TSIG exploits, and this often catches those, but this packet below is a new one.

Regards,

Scott
> "Scott A. McIntyre" wrote:
> > Hi,
> >
> > I've got a BIND intrusion signature that I've been using for a while, but over the last two weeks I've been getting what appear to be false alerts. The packet that triggers my alert is:
> >
> > 04/29/01-22:04:59.402601 xxx.xx.xx.xxx:1057 -> xxx.xxx.xxx.xxx:53
> > UDP TTL:126 TOS:0x0 ID:2 IpLen:20 DgmLen:540
> > Len: 520
> > 50 40 41 48 45 42 43 3A 7F 6C 68 68 6D 60 51 3D  P@AHEBC:.lhhm`Q=
> > 3E 23 27 3D 72 67 73 72 12 56 4D 55 59 4F 23 53  >#'=rgsr.VMUYO#S
> > 49 52 43 03 77 4A 50 42 22 66 78 6C 6D 63 67 75  IRC.wJPB"fxlmcgu
> > 71 65 7B 7C 7A 08 5A 58 54 58 49 54 50 52 34 3F  qe{|z.ZXTXITPR4?
> > 40 41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F  @ABCDEFGHIJKLMNO
> > 50 51 52 53 54 55 56 57 58 59 5A 5B 5C 5D 5E 5F  PQRSTUVWXYZ[\]^_
> > 60 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F  `abcdefghijklmno
> > 70 71 72 73 74 75 76 77 78 79 7A 7B 7C 7D 7E 7F  pqrstuvwxyz{|}~.
> > 80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F  ................
> > 90 91 92 93 94 95 96 97 98 99 9A 9B 9C 9D 9E 9F  ................
> > A0 A1 A2 A3 A4 A5 A6 A7 A8 A9 AA AB AC AD AE AF  ................
> > B0 B1 B2 B3 B4 B5 B6 B7 B8 B9 BA BB BC BD BE BF  ................
> > C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF  ................
> > D0 D1 D2 D3 D4 D5 D6 D7 D8 D9 DA DB DC DD DE DF  ................
> > E0 E1 E2 E3 E4 E5 E6 E7 E8 E9 EA EB EC ED EE EF  ................
> > F0 F1 F2 F3 F4 F5 F6 F7 F8 F9 FA FB FC FD FE FF  ................
> > 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F  ................
> > 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
> > 20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F   !"#$%&'()*+,-./
> > 30 31 32 33 34 35 36 37 38 39 3A 3B 3C 3D 3E 3F  0123456789:;<=>?
> > 40 41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F  @ABCDEFGHIJKLMNO
> > 50 51 52 53 54 55 56 57 58 59 5A 5B 5C 5D 5E 5F  PQRSTUVWXYZ[\]^_
> > 60 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F  `abcdefghijklmno
> > 70 71 72 73 74 75 76 77 78 79 7A 7B 7C 7D 7E 7F  pqrstuvwxyz{|}~.
> > 80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F  ................
> > 90 91 92 93 94 95 96 97 98 99 9A 9B 9C 9D 9E 9F  ................
> > A0 A1 A2 A3 A4 A5 A6 A7 A8 A9 AA AB AC AD AE AF  ................
> > B0 B1 B2 B3 B4 B5 B6 B7 B8 B9 BA BB BC BD BE BF  ................
> > C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF  ................
> > D0 D1 D2 D3 D4 D5 D6 D7 D8 D9 DA DB DC DD DE DF  ................
> > E0 E1 E2 E3 E4 E5 E6 E7 E8 E9 EA EB EC ED EE EF  ................
> > F0 F1 F2 F3 F4 F5 F6 F7 F8 F9 FA FB FC FD FE FF  ................
> >
> > This seems a pretty peculiar packet in its own right, so I'm wondering if others have seen it before.
> >
> > This is triggered due to an observation of the following content in a number of other (valid) BIND-related intrusions:
> >
> > content:"|06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35|"
> >
> > Ideas?
> >
> > Thanks,
> >
> > Scott
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> --
> Martin Roesch
> roesch () md prestige net
> http://www.snort.org
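The following is an added example and is not code from the thread or from the Snort project. It shows why the rule fires on this packet: Snort's content keyword is a plain substring match, and the byte ladder |06 07 ... 35| is a substring of any ascending sweep 00..FF, which is exactly what the second half of the dumped payload is. The 512-byte UDP payload is rebuilt here from the hex dump above (the first 64 bytes copied verbatim, the rest as two ascending runs, which is what the dump shows). The DNS-header plausibility check is an assumed defensive heuristic of my own, not something the thread proposes, included to show one way to distinguish this packet from a real query without touching the content match itself; `parse_snort_content`, `content_match`, `dns_header_plausible` and `classify` are names I chose.

```python
import struct

# Added example (not from the Snort-users thread or the Snort project).
# Reproduces the substring semantics of Snort's content:"|..|" keyword on
# the payload dumped in the thread, and adds an assumed DNS-header
# plausibility heuristic as a second, independent signal for the analyst.


def parse_snort_content(spec: str) -> bytes:
    """Decode a Snort content string: text outside |...| is literal,
    text inside |...| is space-separated hex bytes."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")   # literal text segment
        else:
            out += bytes.fromhex(part)      # hex segment (whitespace ignored)
    return bytes(out)


# The content from Scott's rule: 48 consecutive byte values 0x06..0x35.
RULE_CONTENT = parse_snort_content(
    "|06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F "
    "20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35|"
)

# Constructed from the thread's hex dump: first four 16-byte lines verbatim,
# followed by the ascending runs 40..FF and 00..FF that the dump shows.
# 64 + 192 + 256 = 512 bytes, matching "Len: 520" minus the 8-byte UDP header.
_DUMP_HEAD = (
    "50 40 41 48 45 42 43 3A 7F 6C 68 68 6D 60 51 3D"
    " 3E 23 27 3D 72 67 73 72 12 56 4D 55 59 4F 23 53"
    " 49 52 43 03 77 4A 50 42 22 66 78 6C 6D 63 67 75"
    " 71 65 7B 7C 7A 08 5A 58 54 58 49 54 50 52 34 3F"
)
THREAD_PAYLOAD = (
    bytes.fromhex(_DUMP_HEAD) + bytes(range(0x40, 0x100)) + bytes(range(0x00, 0x100))
)

# Constructed, well-formed standard query for example.com/A, for contrast.
SAMPLE_QUERY = (
    bytes.fromhex("1234 0100 0001 0000 0000 0000")  # ID, flags(RD), QD=1
    + b"\x07example\x03com\x00"                      # QNAME
    + b"\x00\x01\x00\x01"                            # QTYPE=A, QCLASS=IN
)


def content_match(payload: bytes, needle: bytes = RULE_CONTENT) -> int:
    """Offset of the first occurrence of the rule content, or -1.
    This is all an un-anchored Snort content match does."""
    return payload.find(needle)


def dns_header_plausible(payload: bytes) -> bool:
    """Assumed heuristic: do the four RR counts in the 12-byte DNS header
    fit in the payload at all? The smallest question is 5 bytes (root name,
    type, class); the smallest RR is 11 bytes (adds TTL and RDLENGTH)."""
    if len(payload) < 12:
        return False
    _ident, _flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    min_body = qd * 5 + (an + ns + ar) * 11
    return min_body <= len(payload) - 12


def classify(payload: bytes) -> str:
    """Combine the content match with the header heuristic for triage."""
    off = content_match(payload)
    if off < 0:
        return "no match"
    if dns_header_plausible(payload):
        return f"match at offset {off}, DNS header plausible"
    return f"match at offset {off}, DNS header implausible"


if __name__ == "__main__":
    print("thread packet :", classify(THREAD_PAYLOAD))
    print("sample query  :", classify(SAMPLE_QUERY))
    print("full 00..FF   :", classify(bytes(range(256))))
```

The thread packet matches at offset 262 (6 bytes into the 00..FF run), while its header claims 17730 questions in a 512-byte datagram, so the heuristic flags it as malformed; the sample query does not contain the ladder at all. Any payload containing a full byte sweep will match the rule as written, which is the false-positive class the thread is asking about.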
Current thread:
- BIND signature triggered. Scott A. McIntyre (Apr 29)
- Re: BIND signature triggered. Martin Roesch (Apr 29)
- Re: BIND signature triggered. Scott A. McIntyre (Apr 30)
- Re: BIND signature triggered. Martin Roesch (Apr 29)