Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Offer rule for detect lastest Bind vulnerability

From: rmkml <rmkml () yahoo fr>
Date: Wed, 12 Sep 2012 23:58:47 +0200 (CEST)
Hi,

Please find a rule for detecing lastest Bind vulnerability:

  alert udp $EXTERNAL_NET $DNS_PORTS -> $HOME_NET any (msg:"DNS reply Bind Type A Class In 65535 length UDP"; 
byte_test:1,&,128,2;
  content:!"|00 00|"; depth:2; offset:6; content:"|00 01 00 01 00|"; offset:12; content:"|FF FF|"; within:2; distance:3;
  reference:cve,2012-4244; classtype:attempted-admin; sid:1; rev:1;)

Of course adapt your variables...

Please post feedback/FP/FN...

Happy Detect
Rmkml

http://twitter.com/rmkml
https://kb.isc.org/article/AA-00778

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
Previous By Date Next
Previous By Thread Next

Current thread: