[Snort-users] bind exploit rule

Al Huger - Mail Account ah1 at ...35...
Wed Jan 31 23:35:38 EST 2001


Yep that was my fault, sorry everyone.

Alfred Huger
VP Engineering
SecurityFocus.com

On Thu, 1 Feb 2001, Brian Caswell wrote:

> Brian Caswell wrote:
> >
> > I've just written a rule to catch the bind exploit that has just been
> > posted to bugtraq.  It catches all 7 modes listed in the exploit.  From
> > looking at the code, it binds a shell to 31338, so this could make use
> > of activates activatedby to catch script kiddies.
> >
> > alert udp any any -> any 53 (msg:"Bind TSIG Overflow - CAN-2001-13 -
> > CERT-CA-2001-02"; content:"|2F 62 69 6E 2F 73 68 00 00 EB 37 5E 6A|";
> > content:"|90 90 90 90 90|";)
>
> I hate to reply to myself, but I pasted the wrong rule into the email.
> OOPS.  Sorry about that, y'all.  (Blame ah at ...1256... for the incorrect CVE number
> ;P)
>
> alert udp $EXTERNAL_NET any -> $INTERNAL_NET 53 (msg:"Bind TSIG Overflow -
> CAN-2000-10 - CERT-CA-2001-02"; content:"|53 49 47 4E 41 54 55 52 45 E8
> 52 53 41|"; content:"|2F 62 69 6E 2F 73 68 00 00 EB 37 5E 6A|";)
>
> -brian
>
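
An added example, not part of the original thread and not Snort code: a Python model of how the corrected rule's two content options combine (both must be present in the UDP payload), and of the follow-up idea of watching port 31338 after the DNS rule fires. Pairing the follow-up by source and target address is this example's assumption, not how Snort's activate/dynamic rules behave; the addresses and packet tuples are constructed sample data.

```python
# Content options copied from the corrected rule in the thread.
RULE_CONTENTS = [
    "|53 49 47 4E 41 54 55 52 45 E8 52 53 41|",
    "|2F 62 69 6E 2F 73 68 00 00 EB 37 5E 6A|",
]
SHELL_PORT = 31338  # port the thread says the exploit binds a shell to

def parse_content(option: str) -> bytes:
    """Convert a Snort content string (literal text mixed with |hex| runs) to bytes."""
    out = bytearray()
    # Splitting on '|' leaves the hex runs at the odd indexes.
    for i, piece in enumerate(option.split("|")):
        if i % 2:
            out += bytes.fromhex(piece)
        else:
            out += piece.encode("latin-1")
    return bytes(out)

PATTERNS = [parse_content(c) for c in RULE_CONTENTS]

def rule_matches(payload: bytes) -> bool:
    """The rule fires only when every content option is found in the payload."""
    return all(p in payload for p in PATTERNS)

def detect(packets):
    """Return alerts for a list of (proto, src, dst, dport, payload) tuples."""
    armed = set()   # (src, dst) pairs that already tripped the DNS rule
    alerts = []
    for proto, src, dst, dport, payload in packets:
        if proto == "udp" and dport == 53 and rule_matches(payload):
            armed.add((src, dst))
            alerts.append(("tsig-overflow", src, dst))
        elif proto == "tcp" and dport == SHELL_PORT and (src, dst) in armed:
            alerts.append(("shell-port-followup", src, dst))
    return alerts

# Constructed sample traffic: documentation addresses, filler bytes plus the rule's patterns.
TARGET = "198.51.100.5"
SAMPLE = [
    ("udp", "192.0.2.10", TARGET, 53, b"\x00" * 12 + PATTERNS[0] + b"\x00" * 8 + PATTERNS[1]),
    ("udp", "192.0.2.11", TARGET, 53, b"\x00" * 12 + PATTERNS[1]),  # only one pattern
    ("tcp", "192.0.2.10", TARGET, SHELL_PORT, b""),
    ("tcp", "192.0.2.11", TARGET, SHELL_PORT, b""),  # source never tripped the DNS rule
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```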