[Snort-sigs] CVE-2015-7547 (GlibC bug) rules

Dheeraj Gupta dheeraj.gupta4 at ...2420...
Wed Feb 17 03:13:32 EST 2016


I was looking at the newly revealed CVE-2015-7547 (GlibC name resolution
bug) and, based on the PoC available at https://github.com/fjserna/CVE-2015-7547,
have crafted a rudimentary signature.
The signature looks for two large DNS responses and raises an alert for the
second one.
It is tied to TCP because:
a. The length field is only available with TCP packets.
b. Most DNS implementations will truncate large UDP DNS responses (and I
don't know how to count the length of a UDP packet using a Snort signature).

alert tcp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"LOCAL Large DNS TCP response"; flow:to_client,established; byte_test:1,&,128,4; byte_test:2,>,2000,0; flowbits:set,large_dns_resp; flowbits:noalert; sid:10000001; rev:1;)
alert tcp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"LOCAL Large second DNS response - possible CVE-2015-7547 attempt"; flow:to_client,established; byte_test:1,&,128,4; byte_test:2,>,200,0; flowbits:isset,large_dns_resp; sid:10000002; rev:1;)

I have tested these against the PoC and benign traffic and they seem to work.
A possible false positive is a zone transfer.
Thoughts on how to refine them further, or any alternative approaches to
writing signatures for the said bug?
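Added example (not part of the original post or the PoC repository): a small Python model of the same two-stage logic, so the rule's behaviour can be checked offline against constructed DNS-over-TCP streams. It splits the stream on the 2-byte length prefix, tests the QR bit, keeps a per-flow flag standing in for the flowbit, and fires on a later response over 200 bytes once a response over 2000 bytes has been seen. One refinement beyond the posted rules, added here as an assumption to address the zone-transfer false positive the post mentions: responses whose first question is AXFR (252) or IXFR (251) are skipped. Note that the Snort byte_test offsets count from the start of the TCP payload, which includes the length prefix, whereas this parser strips the prefix, so the flags byte sits at index 2 of each message rather than 4. All sample messages below are constructed; none are real captures.

```python
import struct

QR_BIT = 0x80             # high bit of the first flags byte: 1 = response
LARGE_FIRST = 2000        # mirrors byte_test:2,>,2000,0 in the first rule
LARGE_SECOND = 200        # mirrors byte_test:2,>,200,0 in the second rule
XFER_QTYPES = {251, 252}  # IXFR, AXFR: legitimately large, suppressed (assumed refinement)


def split_tcp_dns(stream):
    """Split a DNS-over-TCP byte stream into messages (2-byte length prefix each).
    Returns (messages, unconsumed_tail); a partial trailing message is left for later."""
    msgs, off = [], 0
    while off + 2 <= len(stream):
        (length,) = struct.unpack("!H", stream[off:off + 2])
        body = stream[off + 2:off + 2 + length]
        if len(body) < length:
            break  # segment boundary mid-message: wait for more data
        msgs.append(body)
        off += 2 + length
    return msgs, stream[off:]


def first_qtype(msg):
    """QTYPE of the first question, or None if the header/question are malformed."""
    if len(msg) < 12:
        return None
    qdcount = struct.unpack("!H", msg[4:6])[0]
    if qdcount == 0:
        return None
    off = 12
    while off < len(msg):
        label_len = msg[off]
        if label_len == 0:                 # root label: end of name
            off += 1
            break
        if (label_len & 0xC0) == 0xC0:     # compression pointer: 2 bytes, ends the name
            off += 2
            break
        off += 1 + label_len
    else:
        return None                        # ran off the end of the message
    if off + 4 > len(msg):
        return None
    return struct.unpack("!H", msg[off:off + 2])[0]


def scan_flow(stream):
    """Return the indexes of messages that would raise the 'second large response' alert."""
    alerts = []
    large_dns_resp = False  # stands in for the large_dns_resp flowbit
    msgs, _ = split_tcp_dns(stream)
    for i, msg in enumerate(msgs):
        if len(msg) < 12 or not (msg[2] & QR_BIT):
            continue  # not a DNS response
        if first_qtype(msg) in XFER_QTYPES:
            continue  # zone transfer: expected to be large
        if large_dns_resp and len(msg) > LARGE_SECOND:
            alerts.append(i)  # second-rule condition, evaluated before the bit is set
        if len(msg) > LARGE_FIRST:
            large_dns_resp = True  # first-rule condition sets the bit
    return alerts


def build_response(qname, qtype, filler_len):
    """Constructed sample: minimal DNS response (ID, flags 0x8180, one question)
    followed by filler_len opaque bytes standing in for the answer section."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    question += struct.pack("!HH", qtype, 1)
    body = header + question + b"\x00" * filler_len
    return struct.pack("!H", len(body)) + body


# Constructed flows: a normal answer, then two oversized ones (the shape the rules target),
# and a pair of large AXFR responses that the refinement suppresses.
SUSPECT_FLOW = (build_response("example.com", 1, 40)
                + build_response("example.com", 1, 2100)
                + build_response("example.com", 28, 2100))
AXFR_FLOW = build_response("example.com", 252, 3000) * 2

if __name__ == "__main__":
    print("suspect flow alerts:", scan_flow(SUSPECT_FLOW))   # [2]
    print("zone transfer alerts:", scan_flow(AXFR_FLOW))     # []
```

As with the Snort rules, the flag is never cleared, so every further response over 200 bytes in the same flow alerts once a 2000-byte response has been seen; clearing it after the first alert, or after a normal-sized response, would be one way to cut repeat alerts.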

