[Snort-sigs] New rule to detect Windows NAT DNS DoS
rmkml at ...324...
Tue Oct 31 04:13:44 EST 2006
Please check and maybe add this new rule:
dns.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS Windows NAT DoS attempt"; content:"|01 00|"; offset:2; content:"|00 00|"; offset:10; reference:cve,2006-5614; classtype:bad-unknown; rev:1;)
"Overview: Microsoft Windows NAT Helper components (ipnathlp.dll) on
Windows XP SP2, when Internet Connection Sharing is enabled, allow remote
attackers to cause a DoS (svchost.exe crash) via a malformed DNS query, which
results in a null pointer dereference."
Any suggestions and improvements are welcome.
This rule is offered by Crusoe Researches (Team)
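
Added example (not part of the original post): a Python model of how Snort evaluates the rule's content/offset options, run against constructed, well-formed DNS queries to show how broadly the rule matches. The depth:2 variant and all helper names are assumptions made for comparison, not a tested replacement rule.

```python
import struct

def content_match(payload, pattern, offset=0, depth=None):
    """Absolute Snort 2.x content match: the search starts at `offset` and,
    when no `depth` is given, runs to the end of the payload."""
    end = len(payload) if depth is None else offset + depth
    return payload.find(pattern, offset, end) != -1

def rule_as_posted(p):
    # content:"|01 00|"; offset:2; content:"|00 00|"; offset:10;
    return (content_match(p, b"\x01\x00", offset=2)
            and content_match(p, b"\x00\x00", offset=10))

def rule_with_depth(p):
    # Hypothetical variant (not from the post): depth:2 pins each content
    # to the header field it appears aimed at (flags, ARCOUNT).
    return (content_match(p, b"\x01\x00", offset=2, depth=2)
            and content_match(p, b"\x00\x00", offset=10, depth=2))

def build_query(name, flags=0x0100, edns=False):
    """Constructed, well-formed DNS A query; optionally with an EDNS0 OPT RR."""
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 1 if edns else 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    question = qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0) if edns else b""
    return header + question + opt

SAMPLES = {  # all constructed, all ordinary queries
    "recursive query": build_query("example.com"),
    "recursive query + EDNS0": build_query("example.com", edns=True),
    "non-recursive query": build_query("example.com", flags=0x0000),
}

def evaluate():
    return {k: (rule_as_posted(p), rule_with_depth(p)) for k, p in SAMPLES.items()}

if __name__ == "__main__":
    for label, (posted, pinned) in evaluate().items():
        print(f"{label:26} as posted: {posted!s:5}  with depth:2: {pinned}")
```

All three ordinary queries satisfy the rule as posted, because offset without depth lets each content match anywhere later in the payload; only the plain recursive query satisfies the variant with depth:2.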