[Snort-sigs] SID 256

Warchild warchild at ...288...
Mon Feb 18 08:03:06 EST 2002

alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named authors
attempt"; content:"|07|authors"; offset:12; content:"|04|bind";
nocase; offset: 12; reference:arachnids,480;
classtype:attempted-recon; sid:256; rev:1;) 

An attempt was made to query authors.bind chaos record on your DNS server.  
Allows a remote attacker to possibly determine the version of bind
you are running.

Detailed Information:
Bind 9.x allows you get the authors.bind chaos record.  The ability to
retrieve this file indicates that the machine is running at least a
9.x variant of the bind nameserver.

Attack Scenarios:
As part of a reconnaissance mission, an attacker may attempt to gleen
important information about your infrastructure by determining your
bind version.  If authors.bind is retrievable, this indicates that you
are running Bind 9.x.  If not, it means nothing.  This, in addition to
possibly retrieving version.bind, allows attackers to craft attacks
specially suited for your environment.

Ease of Attack:

warchild at ...351...
[~]$ dig +short @testhost.com txt chaos authors.bind

"Bob Halley"
"Mark Andrews"
"James Brister"
"Michael Graff"
"David Lawrence"
"Michael Sawyer"
"Brian Wellington"
"Andreas Gustafsson"

False Positives:

False Negatives:

Corrective Action:
Remove the ability to retrieve the authors.bind chaos record by either
applying the patch from ISC or tweaking your configs accordingly.

Jon Hart <jhart at ...289...>
Warchild <warchild at ...288...>

Additional References:

More information about the Snort-sigs mailing list