ATTACK [PTsecurity] ISC BIND DNS TSIG authentication bypass attempt (CVE-2017-3143, HMAC_SHA256)

SID: 10001502Rev: 10 views

Sourceptresearch/attackdetection

CreatedDecember 13, 2021

UpdatedDecember 13, 2021

Classificationattempted-admin

alert dns any any -> $HOME_NET any (msg:"ATTACK [PTsecurity] ISC BIND DNS TSIG authentication bypass attempt (CVE-2017-3143, HMAC_SHA256)"; flow:to_server; content:"|00 FA|"; content:"|00 00 00 00|"; distance:2; within:4; content:"|0B|hmac-sha256|00|"; within:15; byte_test:2, >, 32, 8, relative; flowbits:set, CVE.2017-3143.attempt; reference:cve, 2017-3143; reference:url, http://www.synacktiv.ninja/ressources/CVE-2017-3143_BIND9_TSIG_dynamic_updates_vulnerability_Synacktiv.pdf; classtype:attempted-admin; reference:url, github.com/ptresearch/AttackDetection; sid:10001502; rev:1;)

References

cve	2017-3143
url	http://www.synacktiv.ninja/ressources/CVE-2017-3143_BIND9_TSIG_dynamic_updates_vulnerability_Synacktiv.pdf
url	github.com/ptresearch/AttackDetection

Comments (0)

Please sign in to leave a comment.

No comments yet. Be the first to comment!