[Snort-sigs] new rule for detect windows NAT DNS DoS

rmkml rmkml at ...324...
Tue Oct 31 04:13:44 EST 2006


Hi,

Please check and maybe add this new rule:

dns.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS Windows NAT DoS attempt"; content:"|01 00|"; offset:2; content:"|00 00|"; offset:10; reference:cve,2006-5614; classtype:bad-unknown; rev:1;)

"Overview: Microsoft Windows NAT Helper components (ipnathlp.dll) on 
Windows XP SP2, when Internet Connection Sharing is enabled, allows remote 
attackers to cause DoS (svchost.exe crash) via a malformed DNS query, which 
results in a null pointer dereference."

Any suggestions and improvements are welcome,

This rule is offered by Crusoe Researches (Team)
http://www.crusoe-researches.com

Regards
Rmkml
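
How the rule's two content checks behave on ordinary traffic, as an added example that is not part of the original post or of Snort: it emulates content/offset/depth matching over constructed, well-formed DNS queries. The helper names, the sample queries and the depth:2 variant are assumptions for illustration; the variant is not a validated signature for the CVE.

```python
import struct

# Content checks of the posted rule as (pattern, offset, depth).
# depth=None means no depth keyword: Snort searches to the end of the payload.
RULE_AS_POSTED = [(b"\x01\x00", 2, None), (b"\x00\x00", 10, None)]
# Assumed variant for comparison only (not from the post): depth:2 on both
# contents pins them to the DNS flags field (bytes 2-3) and ARCOUNT (bytes 10-11).
RULE_WITH_DEPTH = [(b"\x01\x00", 2, 2), (b"\x00\x00", 10, 2)]


def content_matches(payload, checks):
    """Emulate Snort's non-relative content/offset/depth matching on a payload."""
    for pattern, offset, depth in checks:
        end = len(payload) if depth is None else offset + depth
        if payload.find(pattern, offset, end) == -1:
            return False
    return True


def build_query(name, flags=0x0100, edns=False, txid=0x1234):
    """Build a well-formed DNS A query (constructed sample traffic)."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if edns else 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    question = qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    # Minimal OPT pseudo-record: root name, TYPE=41, UDP size 4096, TTL 0, RDLEN 0.
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0) if edns else b""
    return header + question + opt


SAMPLES = {
    "recursive query": build_query("example.com"),
    "recursive query with EDNS": build_query("example.com", edns=True),
    "non-recursive query": build_query("example.com", flags=0x0000),
}


def evaluate():
    """Return {sample: (as_posted_fires, with_depth_fires)}."""
    return {label: (content_matches(p, RULE_AS_POSTED),
                    content_matches(p, RULE_WITH_DEPTH))
            for label, p in SAMPLES.items()}


if __name__ == "__main__":
    for label, (posted, pinned) in evaluate().items():
        print(f"{label:28} as posted: {posted!s:5}  with depth:2: {pinned}")
```

All three constructed benign queries satisfy the rule as posted, because without depth each content is searched from its offset to the end of the payload.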



