[Snort-users] BIND signature triggered.

Scott A. McIntyre scott at ...1050...
Mon Apr 30 03:36:26 EDT 2001


Also sprach Martin Roesch (roesch at ...1935...):

> Can we see the full rule?
> 

Sure, it's pretty simple:

alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"BIND - Potential TSIG attempt"; content:"|06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35|";)

I have seen that content in packets that *were* a part of TSIG exploits,
and this often catches those, but this packet below is a new one.

Regards,

Scott


> 
> "Scott A. McIntyre" wrote:
> > 
> > Hi,
> > 
> > I've got a BIND intrusion signature that I've been using for a while, but
> > over the last two weeks I've been getting what appear to be false
> > alerts.  The packet that triggers my alert is:
> > 
> > 04/29/01-22:04:59.402601 xxx.xx.xx.xxx:1057 -> xxx.xxx.xxx.xxx:53
> > UDP TTL:126 TOS:0x0 ID:2 IpLen:20 DgmLen:540
> > Len: 520
> > 50 40 41 48 45 42 43 3A 7F 6C 68 68 6D 60 51 3D  P@AHEBC:.lhhm`Q=
> > 3E 23 27 3D 72 67 73 72 12 56 4D 55 59 4F 23 53  >#'=rgsr.VMUYO#S
> > 49 52 43 03 77 4A 50 42 22 66 78 6C 6D 63 67 75  IRC.wJPB"fxlmcgu
> > 71 65 7B 7C 7A 08 5A 58 54 58 49 54 50 52 34 3F  qe{|z.ZXTXITPR4?
> > 40 41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F  @ABCDEFGHIJKLMNO
> > 50 51 52 53 54 55 56 57 58 59 5A 5B 5C 5D 5E 5F  PQRSTUVWXYZ[\]^_
> > 60 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F  `abcdefghijklmno
> > 70 71 72 73 74 75 76 77 78 79 7A 7B 7C 7D 7E 7F  pqrstuvwxyz{|}~.
> > 80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F  ................
> > 90 91 92 93 94 95 96 97 98 99 9A 9B 9C 9D 9E 9F  ................
> > A0 A1 A2 A3 A4 A5 A6 A7 A8 A9 AA AB AC AD AE AF  ................
> > B0 B1 B2 B3 B4 B5 B6 B7 B8 B9 BA BB BC BD BE BF  ................
> > C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF  ................
> > D0 D1 D2 D3 D4 D5 D6 D7 D8 D9 DA DB DC DD DE DF  ................
> > E0 E1 E2 E3 E4 E5 E6 E7 E8 E9 EA EB EC ED EE EF  ................
> > F0 F1 F2 F3 F4 F5 F6 F7 F8 F9 FA FB FC FD FE FF  ................
> > 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F  ................
> > 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
> > 20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F   !"#$%&'()*+,-./
> > 30 31 32 33 34 35 36 37 38 39 3A 3B 3C 3D 3E 3F  0123456789:;<=>?
> > 40 41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F  @ABCDEFGHIJKLMNO
> > 50 51 52 53 54 55 56 57 58 59 5A 5B 5C 5D 5E 5F  PQRSTUVWXYZ[\]^_
> > 60 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F  `abcdefghijklmno
> > 70 71 72 73 74 75 76 77 78 79 7A 7B 7C 7D 7E 7F  pqrstuvwxyz{|}~.
> > 80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F  ................
> > 90 91 92 93 94 95 96 97 98 99 9A 9B 9C 9D 9E 9F  ................
> > A0 A1 A2 A3 A4 A5 A6 A7 A8 A9 AA AB AC AD AE AF  ................
> > B0 B1 B2 B3 B4 B5 B6 B7 B8 B9 BA BB BC BD BE BF  ................
> > C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF  ................
> > D0 D1 D2 D3 D4 D5 D6 D7 D8 D9 DA DB DC DD DE DF  ................
> > E0 E1 E2 E3 E4 E5 E6 E7 E8 E9 EA EB EC ED EE EF  ................
> > F0 F1 F2 F3 F4 F5 F6 F7 F8 F9 FA FB FC FD FE FF  ................
> > 
> > This seems a pretty peculiar packet in its own right, so I'm wondering
> > if others have seen it before.
> > 
> > This is triggered due to an observation of the following content in a
> > number of other (valid) BIND related intrusions:
> > 
> > content:"|06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35|"
> > 
> > Ideas?
> > 
> > Thanks,
> > Scott
> > 
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> --
> Martin Roesch
> roesch at ...421...
> http://www.snort.org
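The following is an added example, not code from the thread or from the Snort project. It decodes the `content:"|...|"` option of Scott's rule into raw bytes, rebuilds the 512-byte UDP payload from the dump above (the first 64 bytes copied from the first four dump lines, the rest being the two ascending byte ramps the dump shows), reports where the rule's 48-byte pattern lands, and measures the run of consecutive byte values surrounding the hit. The function names and the reconstruction of the payload are this example's own assumptions.

```python
"""Apply a Snort hex content match to the dumped BIND packet and show why it fires.

Added example for the snort-users thread; not part of the original posts.
"""

# The content option exactly as written in the rule in the thread.
RULE_CONTENT = (
    '|06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 '
    '1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 '
    '32 33 34 35|'
)

# Payload reconstructed from the hex dump in the quoted message: the first four
# dump lines verbatim, then 0x40..0xFF and 0x00..0xFF as the remaining lines show.
# Total is 512 bytes, matching "Len: 520" minus the 8-byte UDP header.
DUMP_HEAD = bytes.fromhex(
    '50 40 41 48 45 42 43 3A 7F 6C 68 68 6D 60 51 3D '
    '3E 23 27 3D 72 67 73 72 12 56 4D 55 59 4F 23 53 '
    '49 52 43 03 77 4A 50 42 22 66 78 6C 6D 63 67 75 '
    '71 65 7B 7C 7A 08 5A 58 54 58 49 54 50 52 34 3F'
)
PAYLOAD = DUMP_HEAD + bytes(range(0x40, 0x100)) + bytes(range(0x00, 0x100))


def parse_snort_content(value):
    """Turn a Snort content string into bytes.

    Text outside |...| is taken literally; hex digits between a pair of pipes
    are decoded as bytes. A pipe toggles between the two modes.
    """
    out = bytearray()
    for i, part in enumerate(value.split('|')):
        if i % 2 == 0:
            out += part.encode('latin-1')      # literal text segment
        else:
            out += bytes.fromhex(part)         # hex segment; spaces are ignored
    return bytes(out)


RULE_PATTERN = parse_snort_content(RULE_CONTENT)


def find_matches(payload, pattern):
    """Every offset at which the pattern occurs (Snort alerts on the first)."""
    hits, start = [], 0
    while (i := payload.find(pattern, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


def ramp_around(payload, offset):
    """Return [lo, hi) of the longest run containing `offset` in which every
    byte equals the previous byte plus one (no wrap at 0xFF)."""
    lo = offset
    while lo > 0 and payload[lo] == payload[lo - 1] + 1:
        lo -= 1
    hi = offset
    while hi + 1 < len(payload) and payload[hi + 1] == payload[hi] + 1:
        hi += 1
    return lo, hi + 1


def describe(payload, pattern):
    """Summarise the match the way an analyst tuning the rule would want it."""
    hits = find_matches(payload, pattern)
    report = {'payload_len': len(payload), 'pattern_len': len(pattern), 'hits': []}
    for off in hits:
        lo, hi = ramp_around(payload, off)
        report['hits'].append({
            'offset': off,
            'ramp': (lo, hi),
            'full_byte_ramp': hi - lo == 256 and payload[lo] == 0x00,
        })
    return report


if __name__ == '__main__':
    rep = describe(PAYLOAD, RULE_PATTERN)
    print(f"payload {rep['payload_len']} bytes, pattern {rep['pattern_len']} bytes")
    for h in rep['hits']:
        lo, hi = h['ramp']
        print(f"match at offset {h['offset']}; it sits inside a run of "
              f"{hi - lo} consecutive byte values at [{lo}, {hi})"
              + (" (a complete 0x00..0xFF ramp)" if h['full_byte_ramp'] else ""))
```

Running it shows the single hit at offset 262, inside the second, complete 0x00..0xFF ramp. That is the whole reason the rule fires: the 48-byte sequence 0x06..0x35 is simply a slice of any ascending byte ramp, so any payload carrying one (exploit filler or not) will match. If the alert volume matters, Snort's own `offset`/`depth` and `dsize` rule options constrain where in the payload and at what packet size the content may match, which is the kind of tightening this measurement informs.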