# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved## This file may contain proprietary rules that were created, tested and# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as# rules that were created by Sourcefire and other third parties and# distributed under the GNU General Public License (the "GPL Rules").  The# VRT Certified Rules contained in this file are the property of# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.# The GPL Rules created by Sourcefire, Inc. are the property of# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights# Reserved.  All other GPL Rules are owned and copyrighted by their# respective owners (please see www.snort.org/contributors for a list of# owners and their respective copyrights).  In order to determine what# rules are VRT Certified Rules or GPL Rules, please refer to the VRT# Certified Rules License Agreement.### $Id: dns.rules,v 1.50.6.15 2008/08/12 22:57:11 vrtbuild Exp $#----------# DNS RULES#----------# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer TCP"; flow:to_server,established; content:"|00 00 FC|"; offset:15; metadata:policy security-ips drop, service dns; reference:arachnids,212; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:255; rev:16;)# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer UDP"; flow:to_server; content:"|00 00 FC|"; offset:14; metadata:policy security-ips drop, service dns; reference:arachnids,212; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:1948; rev:10;)alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named authors attempt"; flow:to_server,established; content:"|07|authors"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; metadata:policy security-ips drop, service dns; reference:arachnids,480; reference:nessus,10728; classtype:attempted-recon; sid:1435; rev:9;)alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named authors attempt"; flow:to_server; content:"|07|authors"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; metadata:policy security-ips drop, service dns; reference:arachnids,480; reference:nessus,10728; classtype:attempted-recon; sid:256; rev:9;)alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named version attempt"; flow:to_server,established; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; metadata:policy security-ips drop, service dns; reference:arachnids,278; reference:nessus,10028; classtype:attempted-recon; sid:257; rev:11;)alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named version attempt"; flow:to_server; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; metadata:policy security-ips drop, service dns; reference:arachnids,278; reference:nessus,10028; classtype:attempted-recon; sid:1616; rev:10;)alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DNS SPOOF query response PTR with TTL of 1 min. and no authority"; flow:to_client; content:"|85 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 0C 00 01 00 00 00|<|00 0F|"; metadata:policy security-ips drop, service dns; classtype:bad-unknown; sid:253; rev:7;)alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DNS SPOOF query response with TTL of 1 min. and no authority"; flow:to_client; content:"|81 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 01 00 01 00 00 00|<|00 04|"; metadata:policy security-ips drop, service dns; classtype:bad-unknown; sid:254; rev:7;)alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named 8.2->8.2.1"; flow:to_server,established; content:"../../../"; metadata:policy balanced-ips drop, policy security-ips drop, service dns; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:258; rev:9;)alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named tsig overflow attempt"; flow:to_server,established; content:"|AB CD 09 80 00 00 00 01 00 00 00 00 00 00 01 00 01|    |02|a"; metadata:policy balanced-ips drop, policy security-ips drop, service dns; reference:arachnids,482; reference:bugtraq,2302; reference:cve,2001-0010; reference:nessus,10605; classtype:attempted-admin; sid:303; rev:15;)alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named tsig overflow attempt"; flow:to_server; content:"|80 00 07 00 00 00 00 00 01|?|00 01 02|"; metadata:policy balanced-ips drop, policy security-ips drop, service dns; reference:bugtraq,2303; reference:cve,2001-0010; classtype:attempted-admin; sid:314; rev:13;)alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named overflow ADM"; flow:to_server,established; content:"thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool"; metadata:policy balanced-ips drop, policy security-ips drop, service dns; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:259; rev:10;)alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named overflow ADMROCKS"; flow:to_server,established; content:"ADMROCKS"; metadata:policy balanced-ips drop, policy security-ips drop, service dns; reference:bugtraq,788; reference:cve,1999-0833; reference:url,www.cert.org/advisories/CA-1999-14.html; classtype:attempted-admin; sid:260; rev:12;)alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named overflow attempt"; flow:to_server,established; content:"|CD 80 E8 D7 FF FF FF|/bin/sh"; metadata:policy security-ips drop, service dns; reference:url,www.cert.org/advisories/CA-1998-05.html; classtype:attempted-admin; sid:261; rev:8;)alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 Linux overflow attempt"; flow:to_server,established; content:"1|C0 B0|?1|DB B3 FF|1|C9 CD 80|1|C0|"; metadata:policy security-ips drop, service dns; classtype:attempted-admin; sid:262; rev:8;)alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 Linux overflow attempt"; flow:to_server,established; content:"1|C0 B0 02 CD 80 85 C0|uL|EB|L^|B0|"; metadata:policy security-ips drop, service dns; classtype:attempted-admin; sid:264; rev:8;)alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 Linux overflow attempt ADMv2"; flow:to_server,established; content:"|89 F7 29 C7 89 F3 89 F9 89 F2 AC|<|FE|"; metadata:policy security-ips drop, service dns; classtype:attempted-admin; sid:265; rev:9;)alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 FreeBSD overflow attempt"; flow:to_server,established; content:"|EB|n^|C6 06 9A|1|C9 89|N|01 C6|F|05|"; metadata:policy security-ips drop, service dns; classtype:attempted-admin; sid:266; rev:8;)alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT sparc overflow attempt"; flow:to_server,established; content:"|90 1A C0 0F 90 02| |08 92 02| |0F D0 23 BF F8|"; metadata:policy security-ips drop, service dns; classtype:attempted-admin; sid:267; rev:7;)# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS UDP inverse query"; flow:to_server; byte_test:1,<,16,2; byte_test:1,&,8,2; metadata:policy security-ips drop, service dns; reference:bugtraq,2302; reference:cve,2001-0010; reference:nessus,10605; classtype:attempted-recon; sid:2921; rev:5;)# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS TCP inverse query"; flow:to_server,established; byte_test:1,<,16,2; byte_test:1,&,8,2; metadata:policy security-ips drop, service dns; reference:bugtraq,2302; reference:cve,2001-0010; reference:nessus,10605; classtype:attempted-recon; sid:2922; rev:4;)alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS TCP inverse query overflow"; flow:to_server,established; byte_test:1,<,16,4; byte_test:1,&,8,4; isdataat:400; metadata:policy security-ips drop, service dns; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:3153; rev:4;)alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS UDP inverse query overflow"; flow:to_server; byte_test:1,<,16,2; byte_test:1,&,8,2; isdataat:400; metadata:policy security-ips drop, service dns; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:3154; rev:5;)alert tcp any any -> any 53 (msg:"DNS Windows NAT helper components tcp denial of service attempt"; flow:established, to_server; byte_test:2,&,256,2; content:"|00 00 00 00 00 00 00 00|"; depth:8; offset:4; metadata:policy security-ips drop, service dns; reference:cve,2006-5614; classtype:misc-attack; sid:8709; rev:4;)alert udp any any -> any 53 (msg:"DNS Windows NAT helper components udp denial of service attempt"; flow:to_server; byte_test:2,&,256,2; content:"|00 00 00 00 00 00 00 00|"; depth:8; offset:4; metadata:policy security-ips drop, service dns; reference:cve,2006-5614; classtype:misc-attack; sid:8710; rev:4;)# alert udp $HOME_NET 53 -> $EXTERNAL_NET any (msg:"DNS dns response containing rfc1918 address detected"; flow:from_server; content:"|00 01 00 01|"; content:"|00 04|"; within:4; distance:4; pcre:"/\x00\x01\x00\x01....\x00\x04(\x0a|\xac[\x10-\x1f]|\xc0\xa8)/s"; metadata:policy security-ips alert, service dns; reference:url,www.faqs.org/rfcs/rfc1918.html; classtype:policy-violation; sid:13249; rev:2;)alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DNS large number of NXDOMAIN replies - possible DNS cache poisoning"; byte_test:1,&,2,3; byte_test:1,&,1,3; byte_test:1,&,128,2; threshold:type threshold, track by_src, count 200, seconds 30; metadata:policy balanced-ips alert, policy security-ips alert, service dns; reference:cve,2008-1447; reference:url,www.kb.cert.org/vuls/id/800113; classtype:misc-attack; sid:13948; rev:2;)# alert udp $HOME_NET 53 -> $EXTERNAL_NET any (msg:"DNS excessive outbound NXDOMAIN replies - possible spoof of domain run by local DNS servers"; byte_test:1,&,2,3; byte_test:1,&,1,3; byte_test:1,&,128,2; threshold:type threshold, track by_dst, count 200, seconds 30; metadata:policy security-ips alert, service dns; reference:cve,2008-1447; reference:url,www.kb.cert.org/vuls/id/800113; classtype:misc-attack; sid:13949; rev:3;)