[Snort-sigs] Offer rule to detect latest Bind vulnerability

rmkml rmkml at ...174...
Wed Sep 12 17:58:47 EDT 2012


Hi,

Please find a rule for detecting the latest Bind vulnerability:

  alert udp $EXTERNAL_NET $DNS_PORTS -> $HOME_NET any (msg:"DNS reply Bind Type A Class In 65535 length UDP"; byte_test:1,&,128,2;
  content:!"|00 00|"; depth:2; offset:6; content:"|00 01 00 01 00|"; offset:12; content:"|FF FF|"; within:2; distance:3;
  reference:cve,2012-4244; classtype:attempted-admin; sid:1; rev:1;)

Of course adapt your variables...

Please post feedback/FP/FN...

Happy Detect
Rmkml

http://twitter.com/rmkml
https://kb.isc.org/article/AA-00778
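
The rule's payload options, emulated byte for byte over constructed DNS payloads, as an added example that is not part of the original post. `rule_matches` and `build_reply` are hypothetical helper names, and the sample replies are constructed test vectors carrying only header and record fields.

```python
import struct

# TYPE=A, CLASS=IN, then the first TTL byte 0x00 (the rule's third content)
A_IN_TTL0 = b"\x00\x01\x00\x01\x00"

def rule_matches(payload: bytes) -> bool:
    """Emulate the rule's payload options on one UDP DNS payload."""
    if len(payload) < 12:
        return False
    # byte_test:1,&,128,2 -> QR bit set, the message is a response
    if not payload[2] & 0x80:
        return False
    # content:!"|00 00|"; depth:2; offset:6 -> ANCOUNT is not zero
    if payload[6:8] == b"\x00\x00":
        return False
    # content:"|00 01 00 01 00|"; offset:12 -> search starts after the
    # 12-byte header, whose count fields can contain the same bytes.
    # Like Snort, retry later occurrences if the relative match fails.
    pos = payload.find(A_IN_TTL0, 12)
    while pos != -1:
        end = pos + len(A_IN_TTL0)
        # content:"|FF FF|"; within:2; distance:3 -> skip the other three
        # TTL bytes; RDLENGTH must then be exactly 0xFFFF
        if payload[end + 3:end + 5] == b"\xff\xff":
            return True
        pos = payload.find(A_IN_TTL0, pos + 1)
    return False

def build_reply(rdlength: int, rdata: bytes) -> bytes:
    """Constructed test vector: one question and one A/IN answer."""
    header = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = b"\x07example\x04test\x00" + struct.pack(">HH", 1, 1)
    # Compressed owner name, TYPE, CLASS, TTL=300, RDLENGTH, RDATA
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, rdlength) + rdata
    return header + question + answer

if __name__ == "__main__":
    flagged = build_reply(0xFFFF, b"")              # RDLENGTH field only
    normal = build_reply(4, bytes([192, 0, 2, 1]))  # ordinary A record
    print("RDLENGTH 65535:", rule_matches(flagged))
    print("RDLENGTH 4    :", rule_matches(normal))
```
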



