[Snort-sigs] rule documentation for DNS named iquery attempt

Josh.Sakofsky at ...1573...
Fri Jun 6 12:05:12 EDT 2003

Rule: DNS named iquery attempt

Sid: 252

Summary: A remote user sent an inverse query to the DNS server. This could 
indicate a future attack.

Impact: Minimal. This is just an attempt to see if the DNS server responds 
to such a query.

Detailed Information: Certain versions of BIND fail to properly bound data 
received when handling an inverse query.
Upon being copied to memory, portions of the program can be overwritten 
and arbitrary commands can be run on the affected host.

Affected Systems: BIND pre 8.1.2 / 4.9.8

Attack Scenarios: An attacker can remotely launch this attack.

Ease of Attack: Simple. Exploit code is easily found.

False Positives: None Known

False Negatives: None Known

Corrective Action: Upgrade BIND.

Contributors: Original rule writer unknown.
              Josh Sakofsky

Additional References: http://www.rfc-editor.org/rfc/rfc1035.txt
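
An added example, not part of the original post and not the Snort rule itself: a minimal check that decodes the DNS header defined in RFC 1035 section 4.1.1 and flags requests whose OPCODE is 1 (inverse query), which is the traffic this rule documents. The function names and the sample packets are constructed for illustration; the samples carry header fields only.

```python
import struct

OPCODE_IQUERY = 1  # RFC 1035 section 4.1.1: OPCODE 1 = inverse query (IQUERY)


def classify_dns(payload: bytes) -> dict:
    """Decode the fixed 12-byte DNS header of a UDP payload."""
    if len(payload) < 12:
        # Too short to hold a DNS header; never index into it.
        return {"valid": False, "iquery_request": False}
    ident, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", payload[:12])
    qr = flags >> 15              # 0 = query, 1 = response
    opcode = (flags >> 11) & 0xF  # 4-bit OPCODE field
    return {
        "valid": True,
        "id": ident,
        "qr": qr,
        "opcode": opcode,
        "qdcount": qdcount,
        "ancount": ancount,
        # Only requests are of interest: a response echoes the OPCODE.
        "iquery_request": qr == 0 and opcode == OPCODE_IQUERY,
    }


def build_header(ident: int, opcode: int, qr: int = 0, qd: int = 0, an: int = 0) -> bytes:
    """Helper for the constructed samples below (hypothetical, test data only)."""
    flags = (qr << 15) | (opcode << 11)
    return struct.pack("!6H", ident, flags, qd, an, 0, 0)


# Constructed sample payloads, not captured traffic.
SAMPLES = {
    "standard query": build_header(0x1234, 0, qd=1)
    + b"\x07example\x03com\x00\x00\x01\x00\x01",
    "inverse query": build_header(0x1235, OPCODE_IQUERY, an=1),
    "iquery response": build_header(0x1235, OPCODE_IQUERY, qr=1, an=1),
    "truncated": b"\x12\x34\x08",
}


def flagged(samples: dict) -> list:
    """Return the names of samples that are inverse-query requests."""
    return [name for name, pkt in samples.items() if classify_dns(pkt)["iquery_request"]]


if __name__ == "__main__":
    for name in flagged(SAMPLES):
        print("inverse query request seen:", name)
```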