Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Detecting last bind vulnerability?

From: rmkml <rmkml () yahoo fr>
Date: Fri, 18 Nov 2011 00:32:38 +0100 (CET)
Hi,
Im write a rule for, maybe, for detecting a last bind vulnerability: (warn: NOT TESTED!)

  alert udp any 53 -> any any (msg:"DNS reply NXRRset access"; byte_test:1,&,128,2;
byte_test:1,&,8,3; byte_test:1,!&,1,3; byte_test:1,!&,2,3; byte_test:1,!&,4,3;
reference:cve,2011-4313; reference:bugtraq,50690; reference:osvdb,77159;
classtype:bad-unknown; sid:9542371; rev:1;)

Of course, check IPs and ports, and create another tcp dns rule...
(maybe if you have stream5 track_udp yes, add flow:to_client)

It's not a full coverage last bind vulnerability, but Im curious if anyone have FP?
(I have update for more checking vulnerability if you have FP)

Regards
Rmkml
http://twitter.com/rmkml

------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure 
contains a definitive record of customers, application performance, 
security threats, fraudulent activity, and more. Splunk takes this 
data and makes sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-novd2d
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
Previous By Date Next
Previous By Thread Next

Current thread: