[Snort-users] New BIND exploit...

Robert Brooks robb at ...1247...
Tue Jan 30 14:21:07 EST 2001


Peter Bates wrote:
> 
> Hello all...
> 
> Has anyone enough details on the signature
> of the new BIND exploit

the top of these three captures below looks a bit suss...

[**] IDS277 - NAMED Iquery Probe [**]
01/30-17:51:51.329972 210.162.122.66:3280 -> 212.28.8.24:53
UDP TTL:36 TOS:0x0 ID:50569 IpLen:20 DgmLen:55
Len: 35
2A 62 09 80 00 00 00 01 00 00 00 00 00 00 01 00  *b..............
01 00 00 7A 69 00 04 04 03 02 01                 ...zi......

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] MISC-DNS-version-query [**]
01/30-17:51:51.723847 210.162.122.66:3280 -> 212.28.8.24:53
UDP TTL:36 TOS:0x0 ID:50581 IpLen:20 DgmLen:58
Len: 38
AA CD 01 80 00 01 00 00 00 00 00 00 07 76 65 72  .............ver
73 69 6F 6E 04 62 69 6E 64 00 00 10 00 03        sion.bind.....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] MISC-DNS-version-query [**]
01/25-22:02:29.792892 210.162.122.66:3845 -> 212.28.4.26:53
UDP TTL:35 TOS:0x0 ID:30770 IpLen:20 DgmLen:58
Len: 38
00 0A 01 00 00 01 00 00 00 00 00 00 07 76 65 72  .............ver
73 69 6F 6E 04 62 69 6E 64 00 00 10 00 03        sion.bind.....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] MISC-DNS-version-query [**]
01/25-20:17:59.278740 210.162.122.66:4384 -> 212.28.8.24:53
UDP TTL:35 TOS:0x0 ID:26117 IpLen:20 DgmLen:58
Len: 38
00 0A 01 00 00 01 00 00 00 00 00 00 07 76 65 72  .............ver
73 69 6F 6E 04 62 69 6E 64 00 00 10 00 03        sion.bind.....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


-- 
Robert Brooks,         Systems Manager,        Hyperlink Interactive Ltd
<robb at ...1247...>   http://hyperlink-interactive.co.uk/
Tel: +44 (0)20 7240 8121                        Fax: +44 (0)20 7240 8098
-   Help Microsoft stamp out piracy.  Give Linux to a friend today!    -
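
As an added example (not part of the original post and not Snort's own code), the following decodes the DNS payload bytes from the captures above to show what separates the first packet from the others: opcode 1 (inverse query) carrying one answer record and no question, versus standard TXT queries for version.bind in class CHAOS. The dictionary keys and function names are illustrative assumptions.

```python
import struct

# Payload bytes copied from the Snort captures in the post; the dict keys are labels added here.
CAPTURES = {
    "iquery_probe": bytes.fromhex(
        "2A 62 09 80 00 00 00 01 00 00 00 00 00 00 01 00 "
        "01 00 00 7A 69 00 04 04 03 02 01"),
    "version_query_0130": bytes.fromhex(
        "AA CD 01 80 00 01 00 00 00 00 00 00 07 76 65 72 "
        "73 69 6F 6E 04 62 69 6E 64 00 00 10 00 03"),
    "version_query_0125": bytes.fromhex(
        "00 0A 01 00 00 01 00 00 00 00 00 00 07 76 65 72 "
        "73 69 6F 6E 04 62 69 6E 64 00 00 10 00 03"),
}

def read_name(buf, off):
    """Read an uncompressed DNS name; return (name, next offset)."""
    labels = []
    while off < len(buf):
        n, off = buf[off], off + 1
        if n == 0:
            return ".".join(labels) or ".", off
        if n & 0xC0 or off + n > len(buf):
            raise ValueError("compressed or truncated label")
        labels.append(buf[off:off + n].decode("ascii", "replace"))
        off += n
    raise ValueError("truncated name")

def decode(buf):
    """Decode the header and first record; struct.error/ValueError if truncated."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", buf[:12])
    out = {"qr": flags >> 15, "opcode": (flags >> 11) & 0xF, "qdcount": qd, "ancount": an}
    if qd or an:
        name, off = read_name(buf, 12)
        rtype, rclass = struct.unpack("!2H", buf[off:off + 4])
        out.update(name=name, type=rtype, cls=rclass)
        if an and not qd:  # an answer record also carries TTL and RDATA
            ttl, rdlen = struct.unpack("!IH", buf[off + 4:off + 10])
            out.update(ttl=ttl, rdata=buf[off + 10:off + 10 + rdlen])
    return out

def classify(buf):
    d = decode(buf)
    if d["qr"] == 0 and d["opcode"] == 1:
        return "iquery"            # inverse query: opcode 1
    version = (d.get("name", "").lower(), d.get("type"), d.get("cls"))
    if d["qr"] == 0 and d["opcode"] == 0 and version == ("version.bind", 16, 3):
        return "version.bind"      # TXT (16) in class CHAOS (3)
    return "other"
```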



