[Snort-users] bind exploit rule

Vitaly McLain twistah at ...93...
Wed Jan 31 23:56:40 EST 2001


3rd time is a charm...?

Your rule:
alert udp $EXTERNAL_NET -> $INTERNAL_NET 53 (msg:"Bind TSIG Overflow - CAN-2000-10 - CERT-CA-2001-02"; content:"|53 49 47 4E 41 54 55 52 45 E8 52 53 41|"; content:"|2F 62 69 6E 2F 73 68 00 00 EB 37 5E 6A|";)

Aren't you missing that first port number? :)

This seems to work...

alert udp $EXTERNAL_NET any -> $INTERNAL_NET 53 (msg:"Bind TSIG Overflow - CAN-2000-10 - CERT-CA-2001-02"; content:"|53 49 47 4E 41 54 55 52 45 E8 52 53 41|"; content:"|2F 62 69 6E 2F 73 68 00 00 EB 37 5E 6A|";)

Vitaly McLain
twistah at ...93...
twistah @ OPN & EfNet
"If you don't turn on to politics, politics will turn on you."
       - Ralph Nader
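A small Snort 1.x rule-header checker, added here as an example and not part of the original post or of Snort itself: it rejoins a mail-wrapped rule, counts the tokens on each side of the direction operator, and reports exactly the slip above (a missing source port). The two rules are the ones quoted in the post; the accepted action and protocol sets are assumed from the Snort 1.x rule syntax.

```python
import re

ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}   # Snort 1.x actions (assumed)
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
# A port field: "any", a $VARIABLE, a single port, or a range such as 1024:, :1023, 1:1023.
PORT_RE = re.compile(r"^(?:any|\$[A-Za-z_]\w*|\d{1,5}|\d{1,5}:\d{0,5}|:\d{1,5})$")

# The two rules from the post: the first lacks a source port, the second is fixed.
BROKEN_RULE = """alert udp $EXTERNAL_NET -> $INTERNAL_NET 53 (msg:"Bind TSIG Overflow -
CAN-2000-10 - CERT-CA-2001-02"; content:"|53 49 47 4E 41 54 55 52 45 E8
52 53 41|"; content:"|2F 62 69 6E 2F 73 68 00 00 EB 37 5E 6A|";)"""
FIXED_RULE = BROKEN_RULE.replace("$EXTERNAL_NET ->", "$EXTERNAL_NET any ->")

def unwrap(rule_text):
    """Rejoin a rule that a mail client wrapped across several lines."""
    return " ".join(line.strip() for line in rule_text.strip().splitlines())

def parse_header(rule_text):
    """Parse 'action proto src sport dir dst dport (...)'; return (fields, errors).

    fields is empty when the header layout itself is wrong.
    """
    rule = unwrap(rule_text)
    header, paren, _options = rule.partition("(")
    errors = []
    if not paren or not rule.endswith(")"):
        errors.append("rule options must be enclosed in ( ... )")
    tokens = header.split()
    arrows = [i for i, t in enumerate(tokens) if t in ("->", "<>")]
    if len(arrows) != 1:
        return {}, errors + ["expected exactly one direction operator (-> or <>)"]
    before, after = tokens[:arrows[0]], tokens[arrows[0] + 1:]
    if len(before) != 4 or len(after) != 2:
        # The common slip: 'src -> dst dport' with no source port at all.
        what = ("source port is missing" if len(before) == 3 and len(after) == 2
                else "header must be 'action proto src sport dir dst dport'")
        return {}, errors + [f"{what} (got {len(tokens)} tokens: {' '.join(tokens)})"]
    fields = dict(zip(("action", "proto", "src", "src_port"), before))
    fields["direction"] = tokens[arrows[0]]
    fields["dst"], fields["dst_port"] = after
    if fields["action"] not in ACTIONS:
        errors.append(f"unknown action {fields['action']!r}")
    if fields["proto"] not in PROTOCOLS:
        errors.append(f"unknown protocol {fields['proto']!r}")
    for name in ("src_port", "dst_port"):
        if not PORT_RE.match(fields[name]):
            errors.append(f"{name} {fields[name]!r} is not a valid port field")
    return fields, errors

if __name__ == "__main__":
    for rule in (BROKEN_RULE, FIXED_RULE):
        print(parse_header(rule))
```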
