[Snort-users] bind exploit rule

Brian Caswell bmc at ...312...
Wed Jan 31 19:13:47 EST 2001


I've just written a rule to catch the bind exploit that has just been
posted to bugtraq.  It catches all 7 modes listed in the exploit.  From
looking at the code, it binds a shell to 31338, so this could make use
of activates/activated_by to catch script kiddies.

alert udp any any -> any 53 (msg:"Bind TSIG Overflow - CAN-2001-13 - CERT-CA-2001-02"; content:"|2F 62 69 6E 2F 73 68 00 00 EB 37 5E 6A|"; content:"|90 90 90 90 90|";)

-- 
Brian Caswell
The MITRE corporation
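Added illustration, not part of the post and not Snort's or the poster's code: a small Python model of what the rule checks (both Snort content options as independent substring matches on a UDP/53 payload) and of the activate/activated_by pairing the post suggests, where an alert on the TSIG payload turns on logging of the next N packets to port 31338 on the attacked host. The byte patterns are taken from the rule above; the packets, hosts, the count value of 20 and all function and class names are constructed for this example.

```python
"""Model of the TSIG overflow rule and an activate/dynamic pairing.
Not Snort code; byte patterns come from the posted rule, everything
else (packets, hosts, count) is constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List


def snort_hex(spec: str) -> bytes:
    """Convert a Snort |XX XX ...| content string into raw bytes."""
    return bytes.fromhex(spec.strip("|").replace(" ", ""))


# Patterns taken from the rule in the post.
SHELL_STRING = snort_hex("|2F 62 69 6E 2F 73 68 00 00 EB 37 5E 6A|")  # "/bin/sh\0\0" + jmp/pop/push
NOP_SLED = snort_hex("|90 90 90 90 90|")
BIND_SHELL_PORT = 31338  # the post says the exploit binds a shell here


@dataclass
class Packet:
    proto: str      # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


def tsig_overflow_match(pkt: Packet) -> bool:
    """The alert rule: udp any any -> any 53 plus both content options.
    Snort content options without distance/within are independent
    substring checks, so their order in the payload does not matter."""
    return (pkt.proto == "udp" and pkt.dport == 53
            and SHELL_STRING in pkt.payload and NOP_SLED in pkt.payload)


class ActivateDynamic:
    """Models an activate rule (the TSIG alert with activates:1) paired
    with a dynamic rule (tcp any any -> victim 31338, activated_by:1,
    count:N). Once the alert fires for a victim, the next N packets to
    the bind-shell port on that victim are logged. N=20 is assumed."""

    def __init__(self, count: int = 20):
        self.count = count
        self.remaining: Dict[str, int] = {}  # victim host -> packets left to log

    def process(self, pkt: Packet) -> List[str]:
        events: List[str] = []
        if tsig_overflow_match(pkt):
            events.append(f"ALERT Bind TSIG Overflow {pkt.src}:{pkt.sport} -> {pkt.dst}:53")
            self.remaining[pkt.dst] = self.count
        if (pkt.proto == "tcp" and pkt.dport == BIND_SHELL_PORT
                and self.remaining.get(pkt.dst, 0) > 0):
            events.append(f"LOG bind shell {pkt.src}:{pkt.sport} -> {pkt.dst}:{BIND_SHELL_PORT}")
            self.remaining[pkt.dst] -= 1
        return events


# Constructed sample traffic (not the real exploit): a normal A query for
# example.com, and a payload padded with a NOP sled plus the shell string.
def benign_query() -> bytes:
    return (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
            b"\x07example\x03com\x00\x00\x01\x00\x01")


def exploit_like_payload() -> bytes:
    return b"\x12\x34\x01\x00" + b"\x00" * 8 + NOP_SLED * 8 + SHELL_STRING + b"A" * 40


def run_demo() -> List[str]:
    det = ActivateDynamic()
    flow = [
        Packet("udp", "10.0.0.5", 4000, "10.0.0.53", 53, benign_query()),
        Packet("udp", "10.0.0.66", 4001, "10.0.0.53", 53, exploit_like_payload()),
        Packet("tcp", "10.0.0.66", 4002, "10.0.0.53", BIND_SHELL_PORT),
        Packet("tcp", "10.0.0.66", 4002, "10.0.0.53", BIND_SHELL_PORT),
        Packet("tcp", "10.0.0.66", 4003, "10.0.0.99", BIND_SHELL_PORT),  # never attacked: not logged
    ]
    events: List[str] = []
    for pkt in flow:
        events.extend(det.process(pkt))
    return events


if __name__ == "__main__":
    for e in run_demo():
        print(e)
```

In Snort itself the same pairing is written as an `activate` rule carrying `activates:1;` and a `dynamic tcp any any -> $HOME_NET 31338 (activated_by:1; count:20;)` rule; the model above only shows why the pairing is useful here: the shell port is only interesting on a host that has just received the overflow payload.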
