#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS DNS-Rebinding Attack 127.0.01 address (local IP from remote DNS Server)"; content: "|c0 0c 00 01 00 01|"; content: "|00 04 7f 00 00 01|"; within:6; distance:4; reference:url,crypto.stanford.edu/dns/; classtype:misc-attack; sid:2006916; rev:3;)
Added 2007-10-10 06:31:36 UTC
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS DNS-Rebinding Attack 127.0.01 address (local IP from remote DNS Server)"; content: "|c0 0c 00 01 00 01|"; content: "|00 04 7f 00 00 01|"; within:6; distance:4; reference:url,crypto.stanford.edu/dns/; classtype:misc-attack; sid:2006916; rev:3;)
Added 2007-08-11 12:25:12 UTC
I'm sorry, there are way too many plain misconfigured or wrong DNS entries for 2006916-2006920 to have any possible usefulness in an IDS context. If there are really some malicious attempts to "rebind" addresses they are lost in the noise. If the rules are used for IPS, though, it could indeed be effective.
--
ShaneCastle - 14 Aug 2007
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS DNS-Rebinding Attack 127.0.01 address (local IP from remote DNS Server)"; content: "|c0 0c 00 01 00 01|"; content: "|00 04 7f 00 00 01|"; within:6; distance:4; metadata:service dns; reference:url,crypto.stanford.edu/dns/; classtype:misc-attack; sid:2006916; rev:2;)
Added 2007-08-11 05:31:45 UTC
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS DNS-Rebinding Attack 127.0.01 address (local IP from remote DNS Server)"; content: "|c0 0c 00 01 00 01|"; content: "|00 04 7f 00 00 01|"; within:6; distance:4; metadata:service dns; reference:http://crypto.stanford.edu/dns/; classtype:misc-attack; sid:2006916; rev:1;)
Added 2007-08-10 01:20:19 UTC
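What the two content matches of sid 2006916 actually select, as an added example that is not part of this rule page or of the Emerging Threats ruleset: the script below constructs a minimal DNS response in memory (a constructed sample, not captured traffic), re-implements the rule's content/distance/within logic with Snort semantics, and sets a real answer-section parse next to it so an analyst can see the owner name and address the signature fired on. The helper names build_dns_response, matches_sid_2006916, answers and rebinding_candidates are assumptions of this example.

```python
"""Added example for sid 2006916 (DNS rebinding, A record for 127.0.0.1)."""
import struct

LOOPBACK = b"\x7f\x00\x00\x01"          # 127.0.0.1 as rdata


def encode_name(qname: str) -> bytes:
    """Wire-encode a DNS name as length-prefixed labels with a zero terminator."""
    return b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"


def build_dns_response(qname: str, rdata: bytes, ttl: int = 60,
                       name_pointer: bool = True, txid: int = 0x1234) -> bytes:
    """Constructed DNS response: one question, one A/IN answer.
    With name_pointer=True the answer owner name is the compression pointer
    0xc00c (offset 12 = the question name), which is what the rule keys on."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD/RA, 1 qd, 1 an
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    owner = b"\xc0\x0c" if name_pointer else encode_name(qname)
    answer = owner + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def matches_sid_2006916(payload: bytes) -> bool:
    """Snort semantics of the rule's two content matches:
      content:"|c0 0c 00 01 00 01|";                (pointer, type A, class IN)
      content:"|00 04 7f 00 00 01|"; distance:4; within:6;
    The second pattern is 6 bytes and must lie within a 6-byte window that
    starts 4 bytes (the TTL) after the first match ends, so it must sit there
    exactly. Later occurrences of the first pattern are retried, as Snort does."""
    first = b"\xc0\x0c\x00\x01\x00\x01"
    second = b"\x00\x04" + LOOPBACK
    start = 0
    while True:
        i = payload.find(first, start)
        if i < 0:
            return False
        window_start = i + len(first) + 4                   # distance:4
        if payload[window_start:window_start + 6] == second:  # within:6
            return True
        start = i + 1


def _read_name(payload: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = payload[off]
        if (length & 0xC0) == 0xC0:                 # compression pointer
            if not jumped:
                end = off + 2
            off = ((length & 0x3F) << 8) | payload[off + 1]
            jumped = True
            continue
        if length == 0:
            if not jumped:
                end = off + 1
            return ".".join(labels), end
        labels.append(payload[off + 1:off + 1 + length].decode())
        off += 1 + length


def answers(payload: bytes):
    """Parse the answer section into (owner name, type, rdata) tuples."""
    qd, an = struct.unpack("!HH", payload[4:8])
    off = 12
    for _ in range(qd):
        _, off = _read_name(payload, off)
        off += 4                                    # QTYPE + QCLASS
    out = []
    for _ in range(an):
        name, off = _read_name(payload, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10
        out.append((name, rtype, payload[off:off + rdlen]))
        off += rdlen
    return out


def rebinding_candidates(payload: bytes):
    """A records whose rdata is the loopback address: the condition the rule
    targets, reported with the owner name so the hit can be triaged."""
    return [(n, ".".join(map(str, r))) for n, t, r in answers(payload)
            if t == 1 and r == LOOPBACK]


if __name__ == "__main__":
    resp = build_dns_response("rebind.example", LOOPBACK)
    print(matches_sid_2006916(resp), rebinding_candidates(resp))
```

Two things the script makes visible: the signature fires on any response that hands back 127.0.0.1 for a pointer-named A record, whatever the sender's intent, and it keys on the 0xc00c pointer, so a response that spells out the owner name in the answer carries the same loopback address yet does not match the byte pattern, while the parse-based check still reports it.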