[Snort-users] bind exploit rule

Brian Caswell bmc at ...312...
Wed Jan 31 19:43:39 EST 2001


Brian Caswell wrote:
> 
> I've just written a rule to catch the bind exploit that has just been
> posted to bugtraq.  It catches all 7 modes listed in the exploit.  From
> looking at the code, it binds a shell to 31338, so this could make use
> of activates activatedby to catch script kiddies.
> 
> alert udp any any -> any 53 (msg:"Bind TSIG Overflow - CAN-2001-13 - CERT-CA-2001-02"; content:"|2F 62 69 6E 2F 73 68 00 00 EB 37 5E 6A|"; content:"|90 90 90 90 90|";)

I hate to reply to myself, but I pasted the wrong rule into the email.
OOPS.  Sorry about that, y'all.  (Blame ah at ...1256... for the incorrect CVE number
;P)

alert udp $EXTERNAL_NET any -> $INTERNAL_NET 53 (msg:"Bind TSIG Overflow - CAN-2000-10 - CERT-CA-2001-02"; content:"|53 49 47 4E 41 54 55 52 45 E8 52 53 41|"; content:"|2F 62 69 6E 2F 73 68 00 00 EB 37 5E 6A|";)

-brian
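The activate/dynamic pairing Brian mentions, spelled out as an added example (not from the post): the first rule alerts on the TSIG overflow payload and arms the second, which then logs follow-up TCP traffic to the port the exploit binds its shell on. The $EXTERNAL_NET/$INTERNAL_NET variables and the packet count are assumptions.

```snort
# Added example, not part of the original post. Snort 1.x activate/dynamic syntax.
# Rule 1: same two content matches as the corrected rule above, but as an
# "activate" rule so a hit arms dynamic rule number 1.
activate udp $EXTERNAL_NET any -> $INTERNAL_NET 53 (msg:"Bind TSIG Overflow - CAN-2000-10 - CERT-CA-2001-02"; content:"|53 49 47 4E 41 54 55 52 45 E8 52 53 41|"; content:"|2F 62 69 6E 2F 73 68 00 00 EB 37 5E 6A|"; activates:1;)

# Rule 2: stays silent until rule 1 fires, then logs the next 50 TCP packets
# (count is an assumed value) to 31338, the port the exploit binds its shell to.
# Logging this traffic captures what the attacker does after the overflow.
dynamic tcp $EXTERNAL_NET any -> $INTERNAL_NET 31338 (activated_by:1; count:50;)
```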
