[Snort-sigs] SID 256
warchild at ...288...
Mon Feb 18 08:03:06 EST 2002
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named authors attempt"; content:"|07|authors"; offset:12; content:"|04|bind"; nocase; offset: 12; reference:arachnids,480; classtype:attempted-recon; sid:256; rev:1;)
An attempt was made to query the authors.bind chaos record on your DNS server.
Allows a remote attacker to possibly determine the version of bind
you are running.
Bind 9.x allows you to get the authors.bind chaos record. The ability to
retrieve this file indicates that the machine is running at least a
9.x variant of the bind nameserver.
As part of a reconnaissance mission, an attacker may attempt to glean
important information about your infrastructure by determining your
bind version. If authors.bind is retrievable, this indicates that you
are running Bind 9.x. If not, it means nothing. This, in addition to
possibly retrieving version.bind, allows attackers to craft attacks
specially suited for your environment.
Ease of Attack:
warchild at ...351...
[~]$ dig +short @testhost.com txt chaos authors.bind
Remove the ability to retrieve the authors.bind chaos record by either
applying the patch from ISC or tweaking your configs accordingly.
Jon Hart <jhart at ...289...>
Warchild <warchild at ...288...>
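
The rule's two content checks, applied to constructed DNS query payloads, as an added example that is not part of the original post. The helper names and sample queries are assumptions made for illustration; the matcher mirrors only the content, offset and nocase options quoted in the rule above.

```python
import struct

def encode_qname(name):
    """Encode a dotted name as DNS length-prefixed labels, e.g. |07|authors|04|bind|00|."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype=16, qclass=3, txid=0x1234):
    """Build the UDP payload of a one-question DNS query (defaults: TXT, CHAOS)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # 12-byte header
    return header + encode_qname(name) + struct.pack("!HH", qtype, qclass)

def sid256_matches(payload):
    """Mirror the rule: both contents are searched from offset 12 (past the header).

    nocase follows only the second content, so "|07|authors" is matched
    case-sensitively and "|04|bind" case-insensitively, as the rule is written.
    """
    body = payload[12:]
    return b"\x07authors" in body and b"\x04bind" in body.lower()

# Constructed sample queries (not captured traffic).
SAMPLES = {
    "authors.bind TXT CH": build_query("authors.bind"),
    "version.bind TXT CH": build_query("version.bind"),
    "authors.BIND TXT CH": build_query("authors.BIND"),
    # DNS names are case-insensitive, but the first content is not: a rule
    # author reviewing coverage may want nocase on "|07|authors" as well.
    "AUTHORS.bind TXT CH": build_query("AUTHORS.bind"),
    # The rule does not inspect qtype/qclass, so a non-CHAOS query also alerts.
    "authors.bind A IN": build_query("authors.bind", qtype=1, qclass=1),
}

if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        print(f"{label:22} alert={sid256_matches(payload)}")
```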