[Snort-sigs] rule documentation for DNS named iquery attempt

Josh.Sakofsky at ...1573...
Fri Jun 6 12:05:12 EDT 2003


Rule: DNS named iquery attempt

--
Sid: 252

--
Summary: A remote user sent an inverse query to the DNS server. This could 
indicate a future attack.

--
Impact: Minimal. This is just an attempt to see if the DNS server responds 
to such a query.

--
Detailed Information: Certain versions of BIND fail to properly bound data 
received when handling an inverse query. 
Upon being copied to memory, portions of the program can be overwritten 
and arbitrary commands can be run on the affected host.

--
Affected Systems: BIND pre 8.1.2 / 4.9.8

--
Attack Scenarios: An attacker can remotely launch this attack.

--
Ease of Attack: Simple. Exploit code is easily found.

--
False Positives: None Known

--
False Negatives: None Known

--
Corrective Action: Upgrade BIND.

--
Contributors: Original rule writer unknown.
              Josh Sakofsky
--
Additional References: http://www.rfc-editor.org/rfc/rfc1035.txt
                       http://www.securityfocus.com/bid/134
                       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0009
                       http://www.whitehats.com/info/IDS277
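
An added example, not part of the original post and not the Snort rule's own match logic: a header-level check that flags client-to-server DNS messages whose opcode is IQUERY (opcode 1 in RFC 1035 section 4.1.1), the condition this documentation describes. The function names and all sample packets are constructed for illustration.

```python
import struct

OPCODE_IQUERY = 1  # RFC 1035 section 4.1.1: opcode 1 = inverse query

def parse_dns_header(payload: bytes) -> dict:
    """Decode the fixed 12-byte DNS header (RFC 1035 section 4.1.1)."""
    if len(payload) < 12:
        raise ValueError("shorter than a DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    return {
        "id": ident,
        "qr": flags >> 15,              # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,  # 4-bit opcode field
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def is_iquery_attempt(payload: bytes) -> bool:
    """True for a query (QR=0) whose opcode is IQUERY."""
    try:
        hdr = parse_dns_header(payload)
    except ValueError:
        return False  # truncated datagram: nothing to classify
    return hdr["qr"] == 0 and hdr["opcode"] == OPCODE_IQUERY

def from_tcp(segment: bytes) -> bytes:
    """Strip the 2-byte length prefix used for DNS over TCP (RFC 1035 4.2.2)."""
    if len(segment) < 2:
        return b""
    (length,) = struct.unpack("!H", segment[:2])
    return segment[2:2 + length]

# Constructed sample messages (not captured traffic).
STANDARD_QUERY = (struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
                  + b"\x07example\x03com\x00" + struct.pack("!2H", 1, 1))
# Inverse query: empty question section, one answer RR carrying an A record.
IQUERY = (struct.pack("!6H", 0xBEEF, 0x0800, 0, 1, 0, 0)
          + b"\x00" + struct.pack("!2HIH", 1, 1, 0, 4) + bytes([192, 0, 2, 1]))
# Server reply to the inverse query: QR=1, opcode 1, RCODE 4 (not implemented).
IQUERY_REPLY = struct.pack("!6H", 0xBEEF, 0x8804, 0, 0, 0, 0)

def flagged(samples: dict) -> list:
    """Return the names of the samples that would raise an alert."""
    return [name for name, pkt in samples.items() if is_iquery_attempt(pkt)]

if __name__ == "__main__":
    print(flagged({"standard": STANDARD_QUERY, "iquery": IQUERY,
                   "reply": IQUERY_REPLY, "truncated": b"\x00\x01\x08"}))
```

Checking the QR bit keeps the server's own replies to an inverse query from being counted as further attempts.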