[Snort-sigs] Detecting last bind vulnerability?

Lay, James james.lay at ...3513...
Thu Nov 17 17:44:57 EST 2011


> Hi,
> I'm writing a rule for, maybe, detecting a last bind vulnerability: (warn: NOT TESTED!)
> 
>   alert udp any 53 -> any any (msg:"DNS reply NXRRset access"; byte_test:1,&,128,2;
> byte_test:1,&,8,3; byte_test:1,!&,1,3; byte_test:1,!&,2,3; byte_test:1,!&,4,3;
> reference:cve,2011-4313; reference:bugtraq,50690; reference:osvdb,77159;
> classtype:bad-unknown; sid:9542371; rev:1;)
> 
> Of course, check IPs and ports, and create another tcp dns rule...
> (maybe if you have stream5 track_udp yes, add flow:to_client)
> 
> It's not full coverage of the last bind vulnerability, but I'm curious if anyone has FP?
> (I have an update for more vulnerability checking if you have FP)
> 
> Regards
> Rmkml
> http://twitter.com/rmkml


Let you know what I find...nice rule.

James
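
The following is an added example, not part of either post: it replays the five `byte_test` checks from the quoted rule against constructed DNS headers to show which flag and RCODE combinations alert. The helper names and the sample headers are assumptions made for illustration.

```python
import struct

# One entry per byte_test in the quoted rule: (payload offset, mask, bit must be set)
BYTE_TESTS = [
    (2, 0x80, True),   # byte_test:1,&,128,2  -> QR=1, the message is a response
    (3, 0x08, True),   # byte_test:1,&,8,3    -> RCODE bit 3 set
    (3, 0x01, False),  # byte_test:1,!&,1,3   -> RCODE bit 0 clear
    (3, 0x02, False),  # byte_test:1,!&,2,3   -> RCODE bit 1 clear
    (3, 0x04, False),  # byte_test:1,!&,4,3   -> RCODE bit 2 clear
]

def rule_matches(payload: bytes) -> bool:
    """Apply the rule's five byte_test checks to a UDP payload."""
    for offset, mask, must_be_set in BYTE_TESTS:
        if offset >= len(payload):   # too short to hold the tested byte
            return False
        if bool(payload[offset] & mask) != must_be_set:
            return False
    return True

def dns_header(qr, opcode, rcode, ra=0, ad=0, txid=0x1234):
    """Build a constructed 12-byte DNS header with empty section counts."""
    flags = (qr << 15) | (opcode << 11) | (ra << 7) | (ad << 5) | rcode
    return struct.pack("!6H", txid, flags, 0, 0, 0, 0)

# Constructed samples: name -> (payload, expected match)
SAMPLES = {
    "query response, RCODE 8 (NXRRSET)": (dns_header(1, 0, 8), True),
    "same, with RA and AD set": (dns_header(1, 0, 8, ra=1, ad=1), True),
    "UPDATE response, RCODE 8": (dns_header(1, 5, 8), True),
    "response, RCODE 0 (NOERROR)": (dns_header(1, 0, 0), False),
    "response, RCODE 3 (NXDOMAIN)": (dns_header(1, 0, 3), False),
    "response, RCODE 9 (NOTAUTH)": (dns_header(1, 0, 9), False),
    "request with RCODE bits 8": (dns_header(0, 0, 8), False),
    "truncated 3-byte payload": (dns_header(1, 0, 8)[:3], False),
}

def run_samples():
    return {name: rule_matches(p) for name, (p, _) in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in run_samples().items():
        print(f"{'ALERT' if hit else 'quiet':5}  {name}")
```

The UPDATE row alerts because the checks cover only QR and the four RCODE bits, not the opcode, so an RFC 2136 dynamic update reply reporting a failed prerequisite is one place to look for false positives.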

