Before It Bytes!

Latest Snort signature to detect DNS vulnerability

As many of you already know, this DNS vulnerability has taken the community as a whole by storm. For you Snort guys out there, here is the latest DNS signature that may help you detect such activity. Props to alexkirk from the #snort channel for hooking us up!

Implement at your own risk! Simply cut and paste it, as it looks pretty nasty below:

alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DNS large number of NXDOMAIN replies - possible DNS cache poisoning"; byte_test:1,&,3,3; classtype:misc-attack; reference:cve,2008-0087; reference:url,; reference:cve,2008-1447; reference:url,; threshold: type threshold, track by_src, count 1000, seconds 30;)

Hope this helps!
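
What the rule's two conditions do, as an added example that is not part of the original post or Snort's own code: byte_test:1,&,3,3 ANDs the byte at payload offset 3 (the low byte of the DNS flags, which holds RCODE) with 3, so it matches NXDOMAIN (3) and also other RCODEs with either low bit set, such as SERVFAIL (2). The Threshold class is a simplified fixed-window model of the threshold option, and the source address and packets are constructed.

```python
import struct

def dns_reply(rcode: int, txid: int = 0x1234) -> bytes:
    """Constructed 12-byte DNS response header (QR=1, RD=1, RA=1, one question)."""
    flags = 0x8180 | (rcode & 0x0F)
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)

def byte_test_matches(payload: bytes) -> bool:
    """byte_test:1,&,3,3 -> read 1 byte at payload offset 3, true if (byte & 3) != 0."""
    return len(payload) > 3 and (payload[3] & 3) != 0

class Threshold:
    """Simplified model of: threshold: type threshold, track by_src, count N, seconds S.
    Alerts on every Nth match from one source inside an S-second window."""
    def __init__(self, count: int = 1000, seconds: int = 30):
        self.count, self.seconds = count, seconds
        self.state = {}  # src -> (window_start, hits)

    def hit(self, src: str, now: float) -> bool:
        start, hits = self.state.get(src, (now, 0))
        if now - start >= self.seconds:   # window expired: start counting again
            start, hits = now, 0
        hits += 1
        alert = hits == self.count
        self.state[src] = (start, 0 if alert else hits)
        return alert

def count_alerts(events, count: int = 1000, seconds: int = 30) -> int:
    """events: iterable of (timestamp, src_ip, udp_payload) for UDP source port 53."""
    th = Threshold(count, seconds)
    return sum(1 for ts, src, payload in events
               if byte_test_matches(payload) and th.hit(src, ts))

if __name__ == "__main__":
    src = "192.0.2.53"  # constructed resolver address (documentation range)
    burst = [(i // 100, src, dns_reply(3, i)) for i in range(1000)]    # 1000 in 10 s
    trickle = [(i // 10, src, dns_reply(3, i)) for i in range(1000)]   # 10 per second
    servfail = [(i // 100, src, dns_reply(2, i)) for i in range(1000)]
    print("NXDOMAIN burst alerts:", count_alerts(burst))
    print("NXDOMAIN trickle alerts:", count_alerts(trickle))
    print("SERVFAIL burst alerts:", count_alerts(servfail))
```

A resolver behind a failing upstream can produce a SERVFAIL burst that trips the same rule, so check the RCODE in the captured packets before treating an alert as a poisoning attempt.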
