EmergingThreats> Main Web>2006916 (2007-08-14, ShaneCastle) EditAttach

#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS DNS-Rebinding Attack 127.0.01 address (local IP from remote DNS Server)"; content: "|c0 0c 00 01 00 01|"; content: "|00 04 7f 00 00 01|"; within:6; distance:4; reference:url,crypto.stanford.edu/dns/; classtype:misc-attack; sid:2006916; rev:3;)

Added 2007-10-10 06:31:36 UTC

#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS DNS-Rebinding Attack 127.0.01 address (local IP from remote DNS Server)"; content: "|c0 0c 00 01 00 01|"; content: "|00 04 7f 00 00 01|"; within:6; distance:4; reference:url,crypto.stanford.edu/dns/; classtype:misc-attack; sid:2006916; rev:3;)

Added 2007-10-10 06:31:36 UTC

alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS DNS-Rebinding Attack 127.0.01 address (local IP from remote DNS Server)"; content: "|c0 0c 00 01 00 01|"; content: "|00 04 7f 00 00 01|"; within:6; distance:4; reference:url,crypto.stanford.edu/dns/; classtype:misc-attack; sid:2006916; rev:3;)

Added 2007-08-11 12:25:12 UTC

I'm sorry, there are way too many plain misconfigured or wrong DNS entries for 2006916-2006920 to have any possible usefulness in an IDS context. If there are really some malicious attempts to "rebind" addresses they are lost in the noise. If the rules are used for IPS, though, it could indeed be effective.

-- ShaneCastle - 14 Aug 2007

alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS DNS-Rebinding Attack 127.0.01 address (local IP from remote DNS Server)"; content: "|c0 0c 00 01 00 01|"; content: "|00 04 7f 00 00 01|"; within:6; distance:4; metadata:service dns; reference:url,crypto.stanford.edu/dns/; classtype:misc-attack; sid:2006916; rev:2;)

Added 2007-08-11 05:31:45 UTC

alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS DNS-Rebinding Attack 127.0.01 address (local IP from remote DNS Server)"; content: "|c0 0c 00 01 00 01|"; content: "|00 04 7f 00 00 01|"; within:6; distance:4; metadata:service dns; reference: http://crypto.stanford.edu/dns/ ; classtype:misc-attack; sid:2006916; rev:1;)

Added 2007-08-10 01:20:19 UTC

Edit | Attach | Print version | History: r3 < r2 < r1 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r3 - 2007-08-14 - ShaneCastle
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats