Snort

Peter Bates wrote:
> 
> Hello all...
> 
> Has anyone enough details on the signature
> of the new BIND exploit
> (http://www.securityfocus.com/news/144 , CERT, etc.)
> to say whether current snort rulesets would catch
> the activity, or whether a new one needs to be crafted?

	I haven't seen any exploits, but have detected an increase
on bind.version queries.

	Someone from 210.178.239.1 is scanning all the .es
nameservers, it seems.

	Regards,






	Borja.

Peter Bates wrote:
> 
> Hello all...
> 
> Has anyone enough details on the signature
> of the new BIND exploit

the top of these three captures below looks a bit suss...

[**] IDS277 - NAMED Iquery Probe [**]
01/30-17:51:51.329972 210.162.122.66:3280 -> 212.28.8.24:53
UDP TTL:36 TOS:0x0 ID:50569 IpLen:20 DgmLen:55
Len: 35
2A 62 09 80 00 00 00 01 00 00 00 00 00 00 01 00  *b..............
01 00 00 7A 69 00 04 04 03 02 01                 ...zi......

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] MISC-DNS-version-query [**]
01/30-17:51:51.723847 210.162.122.66:3280 -> 212.28.8.24:53
UDP TTL:36 TOS:0x0 ID:50581 IpLen:20 DgmLen:58
Len: 38
AA CD 01 80 00 01 00 00 00 00 00 00 07 76 65 72  .............ver
73 69 6F 6E 04 62 69 6E 64 00 00 10 00 03        sion.bind.....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] MISC-DNS-version-query [**]
01/25-22:02:29.792892 210.162.122.66:3845 -> 212.28.4.26:53
UDP TTL:35 TOS:0x0 ID:30770 IpLen:20 DgmLen:58
Len: 38
00 0A 01 00 00 01 00 00 00 00 00 00 07 76 65 72  .............ver
73 69 6F 6E 04 62 69 6E 64 00 00 10 00 03        sion.bind.....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] MISC-DNS-version-query [**]
01/25-20:17:59.278740 210.162.122.66:4384 -> 212.28.8.24:53
UDP TTL:35 TOS:0x0 ID:26117 IpLen:20 DgmLen:58
Len: 38
00 0A 01 00 00 01 00 00 00 00 00 00 07 76 65 72  .............ver
73 69 6F 6E 04 62 69 6E 64 00 00 10 00 03        sion.bind.....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


-- 
Robert Brooks,         Systems Manager,        Hyperlink Interactive Ltd
<robb@...>   http://hyperlink-interactive.co.uk/
Tel: +44 (0)20 7240 8121                        Fax: +44 (0)20 7240 8098
-   Help Microsoft stamp out piracy.  Give Linux to a friend today!    -

On Tue, Jan 30, 2001 at 11:49:08AM +0000, Peter Bates wrote:
> 
> Hello all...
> 
> 
> Has anyone enough details on the signature
> of the new BIND exploit
> (http://www.securityfocus.com/news/144 , CERT, etc.)
> to say whether current snort rulesets would catch
> the activity, or whether a new one needs to be crafted?

From the CERT advisory,

 "Exploitation

     The vulnerabilities described in VU#196945, VU#572183, and VU#868916
     have been successfully exploited by COVERT Labs in a laboratory
     environment. To the best of our knowledge, no exploits have been
     released to the public."

I have still not seen reports of in-the-wild exploits. In the mean
time, watch for version.bind queries, BUT FIRST UPGRADE YOUR BIND!
-- 
Crist J. Clark                           cjclark@...

>> I have still not seen reports of in-the-wild exploits.

I saw something on the Incidents list about a day or so before the BIND
advisory came out about a system being cracked through BIND. The victim said
(IIRC) that he found a directory (?) named "ron1n" on his system. I will
venture a guess at the fact that this the same "ron1n" that released the
rpc.statd exploit for Linux. (I am not saying he cracked box, but probably
wrote an exploit.)

Vitaly McLain
twistah@...
twistah @ OPN & EfNet
"If you don't turn on to politics, politics will turn on you."
       - Ralph Nader