[Snort-sigs] Detecting last bind vulnerability?

rmkml rmkml at ...174...
Thu Nov 17 18:32:38 EST 2011

I've written a rule for, maybe, detecting the latest BIND vulnerability (warning: NOT TESTED!):

  alert udp any 53 -> any any (msg:"DNS reply NXRRset access"; \
    byte_test:1,&,128,2; byte_test:1,&,8,3; byte_test:1,!&,1,3; \
    byte_test:1,!&,2,3; byte_test:1,!&,4,3; \
    reference:cve,2011-4313; reference:bugtraq,50690; reference:osvdb,77159; \
    classtype:bad-unknown; sid:9542371; rev:1;)

Of course, check IPs and ports, and create another tcp dns rule...
(maybe if you have stream5 track_udp yes, add flow:to_client)

It's not full coverage of the latest BIND vulnerability, but I'm curious whether anyone has FPs?
(I have an update with more checks for the vulnerability if you have FPs)
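
Added example, not part of the original post: a Python check of what the rule's five byte_test options select in the DNS header, run over constructed sample headers. The helper names and sample packets are assumptions made for illustration; the bit tests come from the rule above.

```python
import struct

NXRRSET = 8  # RCODE 8 per RFC 2136, the code named in the rule's msg

def header(qr, rcode, opcode=0, ra=0, z=0, txid=0x1234):
    """Build a 12-byte DNS header (constructed sample, not captured traffic)."""
    byte2 = (qr << 7) | (opcode << 3)      # QR | Opcode | AA, TC, RD left at 0
    byte3 = (ra << 7) | (z << 4) | rcode   # RA | Z bits | RCODE
    return struct.pack("!HBBHHHH", txid, byte2, byte3, 1, 0, 0, 0)

def rule_matches(payload):
    """The rule's five byte_test options, applied literally at offsets 2 and 3."""
    if len(payload) < 4:
        return False
    b2, b3 = payload[2], payload[3]
    return bool((b2 & 128) and (b3 & 8)
                and not (b3 & 1) and not (b3 & 2) and not (b3 & 4))

def decoded_matches(payload):
    """The same condition stated on decoded fields: QR = 1 and RCODE = 8."""
    if len(payload) < 4:
        return False
    return (payload[2] >> 7) == 1 and (payload[3] & 0x0F) == NXRRSET

def agree_on_all_flag_bytes():
    """Compare both predicates over every possible value of bytes 2 and 3."""
    return all(
        rule_matches(bytes([0, 0, b2, b3])) == decoded_matches(bytes([0, 0, b2, b3]))
        for b2 in range(256) for b3 in range(256))

# Constructed headers covering the cases relevant to false positives.
SAMPLES = {
    "query": header(qr=0, rcode=0),
    "reply NOERROR": header(qr=1, rcode=0, ra=1),
    "reply NXDOMAIN": header(qr=1, rcode=3, ra=1),
    "reply NXRRSET": header(qr=1, rcode=8, ra=1),
    "reply NOTAUTH": header(qr=1, rcode=9),
    # Opcode 5 (UPDATE): the rule does not test the opcode bits, so this matches too.
    "UPDATE reply NXRRSET": header(qr=1, rcode=8, opcode=5),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:22} rule_matches={rule_matches(pkt)}")
    print("bit tests == (QR=1, RCODE=8):", agree_on_all_flag_bytes())
```

The byte tests ignore the opcode, so a reply to an RFC 2136 dynamic update whose prerequisite fails with NXRRSET also matches; that is one place to look when checking for FPs.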

