Versions (6)
Version Details (Current)
Rev: 2 • Jul 24, 2025, 5:44 PM
ATTACK [PTsecurity] Windows Server DNS RCE aka SIGRed (CVE-2020-1350) - Query response
alert tcp any 53 -> any any (msg: "ATTACK [PTsecurity] Windows Server DNS RCE aka SIGRed (CVE-2020-1350) - Query response"; flow: established, from_server; content: "|FF|"; depth: 1; content: "|00 00 18 00 01 C0|"; within: 100; content: "|00 18 00 01|"; distance: 1; within: 4; content: "|FF|"; distance: 4; within: 1; reference: url, research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers; reference: cve, 2020-1350; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10005977; rev: 2;)
Oct 16, 2025, 10:34 AM
rules/ptopen-attacks.rules