As many of you already know this DNS vulnerability has taken the community as a whole by storm. For you snort guys out there, here is the latest DNS signature that may help you detect such activity.Â Props to alexkirk from the #snort channel for hooking us up!
Implement at your own risk! Simply cut and paste as it looks pretty nasty below:
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:”DNS large number of NXDOMAIN replies – possible DNS cache poisoning”; byte_test:1,&,3,3; classtype:misc-attack; reference:cve,2008-0087; reference:url,www.microsoft.com/technet/security/bulletin/MS08-020.mspx; reference:cve,2008-1447;
reference:url,www.microsoft.com/technet/security/bulletin/MS08-037.mspx; threshold: type threshold, track by_src, count 1000, seconds 30;)
Hope this helps!