[Snort-sigs] CVE-2015-7547 (GlibC bug) rules
dheeraj.gupta4 at ...2420...
Wed Feb 17 03:13:32 EST 2016
I was looking at the newly revealed CVE-2015-7547 (GlibC name resolution
bug) and based on PoC avaliable at https://github.com/fjserna/CVE-2015-7547
have crafted a rudimentary signature.
The signature looks for two large DNS responses and raises an alert for the
It is tied to TCP because-
a, The length field is only available with TCP packets
b. Most DNS implementations will truncate large UDP DNS responses (and I
don't know how tp count the length of UDP packet using a snort signature)
alert tcp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"LOCAL Large DNS TCP
response"; flow:to_client,established; byte_test: 1,&,128,4;
byte_test:2,>,2000,0; flowbits: set,large_dns_resp; flowbits: noalert;
alert tcp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"LOCAL Large second DNS
response - possible CVE-2015-7547 attempt"; flow:to_client,established;
byte_test: 1,&,128,4; byte_test:2,>,200,0; flowbits: isset,large_dns_resp;
I have tested these agaisnt PoC and benign traffic and they seem to work.
A possible false positive is zone transfer.
Thoughts on how to refine them further or any alternative approaches to
writing signatures for the said bug?
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-sigs