[Snort-users] bind exploit rule
Brian Caswell
bmc at ...312...
Wed Jan 31 19:13:47 EST 2001
I've just written a rule to catch the bind exploit that has just been
posted to bugtraq. It catches all 7 modes listed in the exploit. From
looking at the code, it binds a shell to 31338, so this could make use
of activates/activated_by to catch script kiddies.

alert udp any any -> any 53 (msg:"Bind TSIG Overflow - CAN-2001-13 - CERT-CA-2001-02"; content:"|2F 62 69 6E 2F 73 68 00 00 EB 37 5E 6A|"; content:"|90 90 90 90 90|";)

--
Brian Caswell
The MITRE corporation
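
Added example, not part of the original post and not Snort's own code: a simplified Python model of how the rule above is evaluated, decoding the pipe-delimited hex in each content option and requiring every pattern to appear in the payload. The function names and the sample payloads are constructed for illustration; real Snort matching has more options than this models.

```python
import re

# The rule from the post, with the msg option terminated by ';'.
RULE = ('alert udp any any -> any 53 (msg:"Bind TSIG Overflow - CAN-2001-13 - '
        'CERT-CA-2001-02"; content:"|2F 62 69 6E 2F 73 68 00 00 EB 37 5E 6A|"; '
        'content:"|90 90 90 90 90|";)')

def decode_content(value):
    """Convert a Snort content string to bytes; |..| sections are hex."""
    out = bytearray()
    for i, part in enumerate(value.split("|")):
        if i % 2:                        # odd segments sit between pipes
            out += bytes.fromhex(part)
        else:                            # even segments are literal text
            out += part.encode("latin-1")
    return bytes(out)

def parse_rule(rule):
    """Return (protocol, destination port, list of content patterns)."""
    header, options = rule.split("(", 1)
    fields = header.split()              # action proto src sport -> dst dport
    contents = re.findall(r'content:\s*"([^"]*)"', options)
    return fields[1], fields[6], [decode_content(c) for c in contents]

def matches(rule, proto, dport, payload):
    """True when the header agrees and every content pattern is present."""
    r_proto, r_dport, patterns = parse_rule(rule)
    if proto != r_proto or r_dport not in ("any", str(dport)):
        return False
    return all(p in payload for p in patterns)

def build_samples(rule):
    """Constructed payloads (not captured traffic) built from the patterns."""
    shell, nops = parse_rule(rule)[2]
    return {
        "both patterns": b"\x00" * 12 + nops * 3 + shell,
        "nop run only": b"\x00" * 12 + nops * 3,
        "ordinary query": b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                          b"\x07example\x03com\x00\x00\x01\x00\x01",
    }

if __name__ == "__main__":
    for name, payload in build_samples(RULE).items():
        print(f"{name:15} -> alert={matches(RULE, 'udp', 53, payload)}")
```

A run of five 0x90 bytes on its own does not fire the rule; both content options must be found in the same UDP payload sent to port 53.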