snort2-docker/docker/etc/rules/protocol-dns.rules

89 lines
31 KiB
Plaintext
Raw Normal View History

2020-02-24 13:56:30 +00:00
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#--------------------
# PROTOCOL-DNS RULES
#--------------------
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS DNS root query traffic amplification attempt"; flow:to_server,no_stream; content:"|00 01|"; depth:2; offset:4; content:"|00 00 02 00 01|"; within:5; distance:6; detection_filter:track by_src, count 5, seconds 30; metadata:service dns; reference:url,isc.sans.org/diary.html?storyid=5713; classtype:misc-activity; sid:15259; rev:6;)
# alert udp $HOME_NET 53 -> $EXTERNAL_NET any (msg:"PROTOCOL-DNS DNS root query response traffic amplification attempt"; flow:to_client,no_stream; content:"|00 01|"; depth:2; offset:4; content:"|00 00 02 00 01|"; within:5; distance:6; detection_filter:track by_dst, count 5, seconds 30; metadata:service dns; reference:url,isc.sans.org/diary.html?storyid=5713; classtype:misc-activity; sid:15260; rev:6;)
# alert tcp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS ISC BIND DNSSEC authority response record overflow attempt"; flow:to_client, established; content:"|84 23|"; depth:2; offset:4; byte_test:2,>,40,4,relative; metadata:service dns; reference:cve,2011-1910; classtype:denial-of-service; sid:19125; rev:4;)
# alert tcp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS ISC BIND DNSSEC authority response record overflow attempt"; flow:established,to_client; byte_test:1,&,128,4; byte_test:1,&,4,4; byte_test:1,&,2,5; byte_test:1,&,1,5; content:"|00 2E 00 01|"; fast_pattern; byte_test:2,>,512,4,big,relative; content:"|00 06 05|"; within:3; distance:6; metadata:policy max-detect-ips drop, service dns; reference:cve,2011-1910; classtype:denial-of-service; sid:21421; rev:7;)
# alert tcp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS ISC BIND NAPTR record regular expression handling denial of service attempt"; flow:to_client,established; byte_test:2,&,0x8000,4; content:"|00 FC 00 01|"; fast_pattern; content:"|00 06 00 01|"; within:4; distance:2; content:"|00 23 00 01|"; distance:0; byte_jump:1,10,relative; byte_jump:1,0,relative,post_offset 1; pcre:"/\x21[^\x21]+?\x7b[^\x7d\x21]+?\x7d[\x28\x29]*?\x7b[^\x7d\x21]+?\x7d[\x28\x29]*?\x7b[^\x7d\x21]+?\x7d/R"; metadata:service dns; reference:cve,2013-2266; reference:url,www.isc.org/software/bind/advisories/cve-2013-2266; classtype:attempted-dos; sid:26324; rev:5;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS ISC libdns client NAPTR record regular expression handling denial of service attempt"; flow:to_client; byte_test:2,&,0x8000,2; content:"|00 23 00 01|"; fast_pattern; content:"|00 23 00 01|"; within:4; distance:2; byte_jump:1,10,relative; byte_jump:1,0,relative,post_offset 1; pcre:"/\x21[^\x21]+?\x7b[^\x7d\x21]+?\x7d[\x28\x29]*?\x7b[^\x7d\x21]+?\x7d[\x28\x29]*?\x7b[^\x7d\x21]+?\x7d/R"; metadata:service dns; reference:cve,2013-2266; reference:url,www.isc.org/software/bind/advisories/cve-2013-2266; classtype:attempted-dos; sid:26427; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS dns zone transfer via TCP detected"; flow:to_server,established; content:"|00 01 00 00 00 00 00|"; depth:8; offset:6; byte_test:1,!&,0xF8,4; content:"|00 00 FC 00 01|"; fast_pattern; isdataat:!1,relative; metadata:ruleset community, service dns; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:255; rev:23;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS dns zone transfer via UDP detected"; flow:to_server; content:"|00 01 00 00 00 00 00|"; depth:8; offset:4; byte_test:1,!&,0xF8,2; content:"|00 00 FC 00 01|"; fast_pattern; isdataat:!1,relative; metadata:ruleset community, service dns; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:1948; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS named authors attempt"; flow:to_server,established; content:"|07|authors"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; metadata:ruleset community, service dns; reference:nessus,10728; classtype:attempted-recon; sid:1435; rev:15;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS named authors attempt"; flow:to_server; content:"|07|authors"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; metadata:ruleset community, service dns; reference:nessus,10728; classtype:attempted-recon; sid:256; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS named version attempt"; flow:to_server,established; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; metadata:ruleset community, service dns; reference:nessus,10028; classtype:attempted-recon; sid:257; rev:17;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS named version attempt"; flow:to_server; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; metadata:ruleset community, service dns; reference:nessus,10028; classtype:attempted-recon; sid:1616; rev:16;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS SPOOF query response PTR with TTL of 1 min. and no authority"; flow:to_client; content:"|85 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 0C 00 01 00 00 00|<|00 0F|"; fast_pattern:only; metadata:ruleset community, service dns; classtype:bad-unknown; sid:253; rev:14;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority"; flow:to_client; content:"|81 80|"; depth:4; offset:2; fast_pattern; byte_test:2,>,0,0,relative,big; byte_test:2,>,0,2,relative,big; content:"|00 00 00 00|"; within:4; distance:4; content:"|C0 0C 00 01 00 01|"; distance:0; byte_test:4,<,61,0,relative,big; byte_test:4,>,0,0,relative,big; metadata:ruleset community, service dns; classtype:bad-unknown; sid:254; rev:15;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS UDP inverse query"; flow:to_server; byte_test:1,<,16,2; byte_test:1,&,8,2; metadata:ruleset community, service dns; reference:bugtraq,2321; reference:cve,2001-0012; reference:nessus,10605; classtype:attempted-recon; sid:2921; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS TCP inverse query"; flow:to_server,established; byte_test:1,<,16,4; byte_test:1,&,8,4; metadata:ruleset community, service dns; reference:bugtraq,2321; reference:cve,2001-0012; reference:nessus,10605; classtype:attempted-recon; sid:2922; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS TCP inverse query overflow"; flow:to_server,established; byte_test:1,<,16,4; byte_test:1,&,8,4; isdataat:400; metadata:ruleset community, service dns; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:3153; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS UDP inverse query overflow"; flow:to_server; isdataat:400; byte_test:1,<,16,2; byte_test:1,&,8,2; metadata:ruleset community, service dns; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:3154; rev:11;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS large number of NXDOMAIN replies - possible DNS cache poisoning"; flow:to_client,no_stream; byte_test:1,&,2,3; byte_test:1,&,1,3; byte_test:1,&,128,2; detection_filter:track by_src, count 1000, seconds 5; metadata:policy max-detect-ips drop, service dns; reference:cve,2008-1447; reference:cve,2009-0233; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-008; reference:url,www.kb.cert.org/vuls/id/800113; classtype:misc-attack; sid:13948; rev:13;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS single byte encoded name response"; byte_test:1, &, 128, 2; byte_test:2, >, 0, 4; byte_test:2, >, 0, 6; pcre:"/^.{12}(\x01.){20}/"; metadata:service dns; reference:cve,2004-0444; classtype:misc-attack; sid:14777; rev:4;)
# alert udp $HOME_NET 53 -> $EXTERNAL_NET any (msg:"PROTOCOL-DNS dns response for rfc1918 192.168/16 address detected"; flow:to_client; content:"|00 01 00 01|"; content:"|00 04 C0 A8|"; within:4; distance:4; fast_pattern; metadata:service dns; reference:url,www.faqs.org/rfcs/rfc1918.html; classtype:policy-violation; sid:15935; rev:6;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS Oracle Secure Backup observice.exe dns response overflow attempt"; flow:to_client; byte_test:1,&,0x80,2; byte_test:2,!&,0x7a0f,2; content:"|00|"; offset:12; content:"|00 0C 00 01|"; within:4; content:"|00 0C 00 01|"; distance:2; byte_test:2,>,98,4,relative,big; metadata:service dns; reference:bugtraq,37733; reference:cve,2010-0072; reference:cve,2017-14491; classtype:attempted-admin; sid:20242; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS excessive queries of type ANY - potential DoS"; flow:stateless,no_stream; content:"|00 01|"; depth:2; offset:4; byte_test:1,!&,0xF8,2; content:"|00 00 FF 00 01|"; fast_pattern:only; detection_filter:track by_src, count 30, seconds 30; metadata:service dns; reference:url,foxpa.ws/2010/07/21/thwarting-the-isc-org-dns-ddos/; classtype:attempted-dos; sid:21817; rev:6;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS dead alive6 DNS attempt"; content:"|DE AD|"; depth:2; metadata:service dns; reference:url,thc.org/thc-ipv6/; classtype:misc-activity; sid:24304; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"PROTOCOL-DNS IPv6 host name enumeration"; flow:to_server,no_stream; byte_test:1,!&,0xF8,2; content:"|00 00 1C 00 01|"; offset:12; detection_filter:track by_src, count 40, seconds 1; metadata:service dns; reference:url,thc.org/thc-ipv6/; classtype:attempted-recon; sid:27938; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS Malformed DNS query with HTTP content"; flow:to_server; content:"|54 20|"; fast_pattern:only; content:"GET |2F| HTTP"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.ietf.org/rfc/rfc2616.txt; classtype:misc-activity; sid:28557; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS DNS query amplification attempt"; flow:to_server; content:"|00 01|"; depth:2; offset:4; content:"|00 01|"; within:2; distance:4; byte_test:1,!&,0xF8,2; content:"|00 00 FF 00 01 00 00 29|"; byte_test:2,>,0x7FFF,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.us-cert.gov/ncas/alerts/TA13-088A; classtype:attempted-dos; sid:28556; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"PROTOCOL-DNS ISC libdns client NAPTR record regular expression handling denial of service attempt"; flow:stateless; byte_test:2,&,0x8000,2; content:"|00 23 00 01|"; fast_pattern; content:"|00 23 00 01|"; within:4; distance:2; byte_jump:1,10,relative; byte_jump:1,0,relative,post_offset 1; pcre:"/\x21[^\x21]+?\x7b[^\x7d\x21]+?\x7d[\x28\x29]*?\x7b[^\x7d\x21]+?\x7d[\x28\x29]*?\x7b[^\x7d\x21]+?\x7d/R"; metadata:service dns; reference:cve,2013-2266; reference:url,www.isc.org/software/bind/advisories/cve-2013-2266; classtype:attempted-dos; sid:29935; rev:1;)
# alert tcp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS Microsoft SMTP excessive answer records buffer overflow attempt"; flow:to_client,established; byte_test:1,&,0x01,4; byte_test:2,>=,100,8; content:"|00 01 00 01|"; fast_pattern:only; metadata:service dns; reference:cve,2004-0840; classtype:attempted-user; sid:32959; rev:1;)
# alert udp $HOME_NET 53 -> any any (msg:"PROTOCOL-DNS ISC BIND recursive resolver resource consumption denial of service attempt"; flow:to_client,no_stream; byte_test:2,&,0x8080,2; content:"|00 01 C0 0C 00 02 00 01|"; offset:20; detection_filter:track by_dst, count 75, seconds 20; metadata:service dns; reference:cve,2014-8500; reference:url,www.kb.cert.org/vuls/id/264212; classtype:attempted-dos; sid:33583; rev:5;)
# alert tcp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS Exim DKIM decoding buffer overflow attempt"; flow:to_client,established; byte_test:1,>,0x80,4; content:"|00 01 00 01|"; depth:4; offset:6; content:"_domainkey"; distance:4; content:"|00 00 10 00 01|"; distance:0; content:"|00 10 00 01|"; within:4; distance:2; byte_test:2,>,4096,4,relative; metadata:policy max-detect-ips drop, service dns; reference:cve,2012-5671; classtype:attempted-admin; sid:25333; rev:7;)
# alert udp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"PROTOCOL-DNS Tftpd32 DNS server denial of service attempt"; flow:to_server; content:"|00 00 00 00 00 00|"; depth:12; offset:6; byte_test:1,>,0x7f,12; byte_test:1,<,0xc0,12; metadata:policy max-detect-ips drop, service dns; classtype:denial-of-service; sid:23368; rev:7;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS Symantec Gateway products DNS cache poisoning attempt"; flow:to_client; content:"|C8 C8 C8 C8|"; fast_pattern; content:"|00 02 00 01|"; within:10; distance:2; content:"fake"; within:20; distance:7; metadata:policy max-detect-ips drop, service dns; reference:cve,2004-1754; reference:cve,2005-0817; classtype:misc-attack; sid:17485; rev:9;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS squid proxy dns PTR record response denial of service attempt"; flow:to_client; content:"|00 0C 00 01|"; content:"|00 0C 00 01|"; within:4; distance:2; content:"|00 01 00|"; within:3; distance:4; metadata:policy max-detect-ips drop, service dns; reference:bugtraq,12551; reference:cve,2005-0446; classtype:attempted-dos; sid:17484; rev:10;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS squid proxy dns A record response denial of service attempt"; flow:to_client; content:"|00 01 00 01|"; content:"|00 01 00 01|"; within:4; distance:2; isdataat:6,relative; content:!"|00 04|"; within:2; distance:4; metadata:policy max-detect-ips drop, service dns; reference:bugtraq,12551; reference:cve,2005-0446; classtype:attempted-dos; sid:17483; rev:9;)
# alert udp $HOME_NET 53 -> $EXTERNAL_NET any (msg:"PROTOCOL-DNS dns response for rfc1918 172.16/12 address detected"; flow:to_client; content:"|00 01 00 01|"; content:"|00 04 AC|"; within:3; distance:4; fast_pattern; byte_test:1,>,15,0,relative; byte_test:1,<,32,0,relative; metadata:service dns; reference:url,www.faqs.org/rfcs/rfc1918.html; classtype:policy-violation; sid:15934; rev:11;)
# alert udp $HOME_NET 53 -> $EXTERNAL_NET any (msg:"PROTOCOL-DNS excessive outbound NXDOMAIN replies - possible spoof of domain run by local DNS servers"; flow:to_client,no_stream; byte_test:1,&,2,3; byte_test:1,&,1,3; byte_test:1,&,128,2; detection_filter:track by_dst, count 1000, seconds 5; metadata:policy max-detect-ips drop, service dns; reference:cve,2008-1447; reference:cve,2009-0233; reference:cve,2012-0006; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-008; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-017; reference:url,www.kb.cert.org/vuls/id/800113; classtype:misc-attack; sid:13949; rev:17;)
# alert udp $HOME_NET 53 -> $EXTERNAL_NET any (msg:"PROTOCOL-DNS dns response for rfc1918 10/8 address detected"; flow:to_client; content:"|00 01 00 01|"; content:"|00 04 0A|"; within:3; distance:4; fast_pattern; metadata:policy max-detect-ips drop, service dns; reference:url,www.faqs.org/rfcs/rfc1918.html; classtype:policy-violation; sid:13249; rev:14;)
# alert udp $DNS_SERVERS 53 -> $EXTERNAL_NET any (msg:"PROTOCOL-DNS Microsoft Windows DNS Server ANY query cache weakness"; flow:to_client,no_stream; content:"|03|www|03|exa|03|dpn"; byte_test:1,&,2,3; byte_test:1,&,1,3; detection_filter:track by_src, count 20, seconds 20; metadata:policy max-detect-ips drop, service dns; reference:cve,2009-0234; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-008; classtype:misc-activity; sid:17696; rev:9;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS ISC BIND DNSSEC response unsupported DNSKEY cryptographic algorithm attempt"; flow:to_client; byte_test:1, &, 0x80,2; content:"|C0 0C 00 30 00 01|"; content:"|02|"; within:1; distance:9; metadata:policy max-detect-ips drop, service dns; reference:cve,2015-5722; reference:url,www.isc.org/blogs/cve-2015-5722-parsing-malformed-keys-may-cause-bind-to-exit-due-to-a-failed-assertion-in-buffer-c/; classtype:attempted-dos; sid:36055; rev:3;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS ISC BIND zero length OPENPGPKEY rdata response attempt"; flow:to_client; byte_test:1, &, 0x80,2; content:"|00 3D 00 01|"; content:"|00 00|"; within:2; distance:4; metadata:policy max-detect-ips drop, service dns; reference:cve,2015-5986; reference:url,www.isc.org/blogs/cve-2015-5986-an-incorrect-boundary-check-can-trigger-a-require-assertion-failure-in-openpgpkey_61-c/; classtype:attempted-dos; sid:36130; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS DNS DNAME query detected - possible attack attempt"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|00 00 27 00 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:cve,2015-6125; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-127; classtype:attempted-admin; sid:37015; rev:2;)
# alert udp any 53 -> $HOME_NET any (msg:"PROTOCOL-DNS glibc getaddrinfo AAAA record stack buffer overflow attempt"; flow:to_client; dsize:>2000; byte_test:1,&,2,2; byte_test:1,&,0x80,2; byte_test:1,!&,0x78,2; content:"|00 01|"; depth:2; offset:4; content:"|00 00 1C 00 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service dns; reference:cve,2015-7547; reference:url,googleonlinesecurity.blogspot.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html; classtype:attempted-user; sid:37731; rev:5;)
# alert udp any 53 -> $HOME_NET any (msg:"PROTOCOL-DNS glibc getaddrinfo A record stack buffer overflow attempt"; flow:to_client; dsize:>2000; byte_test:1,&,2,2; byte_test:1,&,0x80,2; byte_test:1,!&,0x78,2; content:"|00 01|"; depth:2; offset:4; content:"|00 00 01 00 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service dns; reference:cve,2015-7547; reference:url,googleonlinesecurity.blogspot.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html; classtype:attempted-user; sid:37730; rev:5;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS ISC BIND totext_in_apl denial of service attempt"; flow:to_client; byte_test:1,&,0x80,2; content:"|00 01 00 01 00 00 00 00|"; depth:8; offset:4; content:"|00 2A 00 01|"; content:"|90|"; within:1; distance:9; byte_test:2,>,0x270F,-4,relative; metadata:policy max-detect-ips drop, service dns; reference:bugtraq,81329; reference:cve,2015-8704; reference:url,kb.isc.org/article/AA-01335; classtype:attempted-dos; sid:38284; rev:1;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS ISC BIND totext_in_apl denial of service attempt"; flow:to_client; byte_test:1,&,0x80,2; content:"|00 01 00 01 00 00 00 00|"; depth:8; offset:4; content:"|00 2A 00 01|"; content:"|84|"; within:1; distance:9; byte_test:2,>,0x270F,-4,relative; metadata:policy max-detect-ips drop, service dns; reference:bugtraq,81329; reference:cve,2015-8704; reference:url,kb.isc.org/article/AA-01335; classtype:attempted-dos; sid:38283; rev:1;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS ISC BIND totext_in_apl denial of service attempt"; flow:to_client; byte_test:1,&,0x80,2; content:"|00 01 00 01 00 00 00 00|"; depth:8; offset:4; content:"|00 2A 00 01|"; content:"|00 02|"; within:2; distance:6; content:"|90|"; within:1; distance:1; byte_test:2,>,0x270F,16,relative; metadata:policy max-detect-ips drop, service dns; reference:bugtraq,81329; reference:cve,2015-8704; reference:url,kb.isc.org/article/AA-01335; classtype:attempted-dos; sid:38282; rev:1;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS ISC BIND totext_in_apl denial of service attempt"; flow:to_client; byte_test:1,&,0x80,2; content:"|00 01 00 01 00 00 00 00|"; depth:8; offset:4; content:"|00 2A 00 01|"; content:"|00 01|"; within:2; distance:6; content:"|84|"; within:1; distance:1; byte_test:2,>,0x270F,4,relative; metadata:policy max-detect-ips drop, service dns; reference:bugtraq,81329; reference:cve,2015-8704; reference:url,kb.isc.org/article/AA-01335; classtype:attempted-dos; sid:38281; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS PowerDNS TSIG query denial of service attempt"; flow:to_server; byte_test:1,!&,0x80,2; content:!"|00 00|"; depth:2; offset:10; content:"|C0 0C 00 FA|"; distance:0; content:!"|00|"; within:1; byte_jump:2,6,relative,big,post_offset -1; isdataat:!1,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:bugtraq,77522; reference:cve,2015-5311; reference:url,doc.powerdns.com/md/security/powerdns-advisory-2015-03/; classtype:attempted-dos; sid:39953; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS PowerDNS TSIG query denial of service attempt"; flow:to_server; byte_test:1,!&,0x80,2; content:!"|00 00|"; depth:2; offset:10; content:"|00 00 FA|"; distance:0; content:!"|00|"; within:1; byte_jump:2,6,relative,big,post_offset -1; isdataat:!1,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:bugtraq,77522; reference:cve,2015-5311; reference:url,doc.powerdns.com/md/security/powerdns-advisory-2015-03/; classtype:attempted-dos; sid:39952; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5353 (msg:"PROTOCOL-DNS PowerDNS TCP TSIG query denial of service attempt"; flow:to_server,established; byte_test:1,!&,0x80,3; content:!"|00 00|"; depth:2; offset:11; content:"|C0 0C 00 FA|"; distance:0; content:!"|00|"; within:1; byte_jump:2,6,relative,big,post_offset -1; isdataat:!1,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:bugtraq,77522; reference:cve,2015-5311; reference:url,doc.powerdns.com/md/security/powerdns-advisory-2015-03/; classtype:attempted-dos; sid:39951; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5353 (msg:"PROTOCOL-DNS PowerDNS TCP TSIG query denial of service attempt"; flow:to_server,established; byte_test:1,!&,0x80,3; content:!"|00 00|"; depth:2; offset:11; content:"|00 00 FA|"; distance:0; content:!"|00|"; within:1; byte_jump:2,6,relative,big,post_offset -1; isdataat:!1,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:bugtraq,77522; reference:cve,2015-5311; reference:url,doc.powerdns.com/md/security/powerdns-advisory-2015-03/; classtype:attempted-dos; sid:39950; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5353 (msg:"PROTOCOL-DNS PowerDNS TCP TKEY query denial of service attempt"; flow:to_server,established; byte_test:1,!&,0x80,3; content:!"|00 00|"; depth:2; offset:11; content:"|00 00 F9|"; distance:0; content:!"|00|"; within:1; byte_jump:2,6,relative,big,post_offset -1; isdataat:!1,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:bugtraq,77522; reference:cve,2015-5311; reference:url,doc.powerdns.com/md/security/powerdns-advisory-2015-03/; classtype:attempted-dos; sid:39949; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5353 (msg:"PROTOCOL-DNS PowerDNS TCP TKEY query denial of service attempt"; flow:to_server,established; byte_test:1,!&,0x80,3; content:!"|00 00|"; depth:2; offset:11; content:"|C0 0C 00 F9|"; distance:0; content:!"|00|"; within:1; byte_jump:2,6,relative,big,post_offset -1; isdataat:!1,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:bugtraq,77522; reference:cve,2015-5311; reference:url,doc.powerdns.com/md/security/powerdns-advisory-2015-03/; classtype:attempted-dos; sid:39948; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS PowerDNS TKEY query denial of service attempt"; flow:to_server; byte_test:1,!&,0x80,2; content:!"|00 00|"; depth:2; offset:10; content:"|C0 0C 00 F9|"; distance:0; content:!"|00|"; within:1; byte_jump:2,6,relative,big,post_offset -1; isdataat:!1,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:bugtraq,77522; reference:cve,2015-5311; reference:url,doc.powerdns.com/md/security/powerdns-advisory-2015-03/; classtype:attempted-dos; sid:39947; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS PowerDNS TKEY query denial of service attempt"; flow:to_server; byte_test:1,!&,0x80,2; content:!"|00 00|"; depth:2; offset:10; content:"|00 00 F9|"; distance:0; content:!"|00|"; within:1; byte_jump:2,6,relative,big,post_offset -1; isdataat:!1,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:bugtraq,77522; reference:cve,2015-5311; reference:url,doc.powerdns.com/md/security/powerdns-advisory-2015-03/; classtype:attempted-dos; sid:39946; rev:2;)
alert udp any any -> $HOME_NET 53 (msg:"PROTOCOL-DNS ISC BIND isc__buffer_add assertion failure denial of service attempt"; flow:to_server; dsize:>512; byte_test:1,!&,0xFE,2; content:!"|00 00|"; depth:2; offset:10; content:"|00 FA 00 FF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service dns; reference:cve,2016-2776; reference:url,kb.isc.org/article/AA-01419/74/CVE-2016-2776; classtype:attempted-dos; sid:40344; rev:2;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS ISC BIND DNS duplicate cookie denial of service attempt"; flow:to_client; byte_test:1,&,0x80,2; content:"|00 00 29|"; content:"|00 00|"; within:2; distance:2; content:"|00 0A|"; within:2; distance:4; byte_jump:2,0,relative; content:"|00 0A|"; within:2; metadata:policy max-detect-ips drop, service dns; reference:cve,2016-2088; reference:url,kb.isc.org/article/AA-01351/0/CVE-2016-2088%3A-A-response-containing-multiple-DNS-cookies-causes-servers-with-cookie-support-enabled-to-exit-with-an-assertion-failure.html; classtype:attempted-dos; sid:40362; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS PowerDNS name compression pointer loop denial of service attempt"; flow:to_server; content:"|01 00|"; depth:2; offset:2; content:"|00 00 00 00 00 00|"; within:6; distance:2; content:"|00 05 00 01|"; fast_pattern; content:"|C0|"; within:1; distance:-6; byte_jump:1,0,relative,from_beginning; content:"|01 C0|"; within:2; metadata:policy max-detect-ips drop, service dns; reference:bugtraq,74306; reference:cve,2015-1868; reference:url,doc.powerdns.com/md/security/powerdns-advisory-2015-01/; classtype:attempted-dos; sid:41905; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS PowerDNS name compression pointer loop denial of service attempt"; flow:to_server; content:"|01 00|"; depth:2; offset:2; content:"|00 00 00 00 00 00|"; within:6; distance:2; content:"|00 05 00 01|"; fast_pattern; content:"|C0|"; within:1; distance:-6; byte_jump:1,0,relative,from_beginning; content:"|01 01|"; within:2; metadata:policy max-detect-ips drop, service dns; reference:bugtraq,74306; reference:cve,2015-1868; reference:url,doc.powerdns.com/md/security/powerdns-advisory-2015-01/; classtype:attempted-dos; sid:41904; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS PowerDNS name compression pointer loop denial of service attempt"; flow:to_server,established; content:"|01 00|"; depth:2; offset:4; content:"|00 00 00 00 00 00|"; within:6; distance:2; content:"|00 05 00 01|"; fast_pattern; content:"|C0|"; within:1; distance:-6; byte_jump:1,0,relative,from_beginning,post_offset 2; content:"|01 01|"; within:2; metadata:policy max-detect-ips drop, service dns; reference:bugtraq,74306; reference:cve,2015-1868; reference:url,doc.powerdns.com/md/security/powerdns-advisory-2015-01/; classtype:attempted-dos; sid:41903; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS PowerDNS name compression pointer loop denial of service attempt"; flow:to_server,established; content:"|01 00|"; depth:2; offset:4; content:"|00 00 00 00 00 00|"; within:6; distance:2; content:"|00 05 00 01|"; fast_pattern; content:"|C0|"; within:1; distance:-6; byte_jump:1,0,relative,from_beginning,post_offset 2; content:"|01 C0|"; within:2; metadata:policy max-detect-ips drop, service dns; reference:bugtraq,74306; reference:cve,2015-1868; reference:url,doc.powerdns.com/md/security/powerdns-advisory-2015-01/; classtype:attempted-dos; sid:41852; rev:2;)
# alert udp any 53 -> $HOME_NET any (msg:"PROTOCOL-DNS ISC BIND unexpected DNAME CNAME ordering denial of service attempt"; flow:to_client; content:"|85 00 00 01 00 03|"; depth:6; offset:2; content:"|00 00 01 00 01|"; within:100; content:"|00 27 00 01|"; within:4; distance:2; content:"|00 C0 0C 00 05 00 01|"; within:100; content:"|00 01 00 01|"; within:100; content:"|C0|"; within:1; distance:-6; metadata:service dns; reference:cve,2017-3137; reference:url,kb.isc.org/article/AA-01466; classtype:attempted-dos; sid:42458; rev:1;)
# alert udp any any -> $HOME_NET 53 (msg:"PROTOCOL-DNS dnsmasq add_pseudoheader integer underflow attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|00 00 00 00 00 00|"; depth:6; offset:4; content:"|00 00 29|"; within:3; distance:2; content:"|FE|"; within:1; distance:8; byte_test:2,>,4,-3,relative; byte_math:bytes 2,offset -3,oper -,rvalue 4,result rdlen_minus_four,relative; byte_test:2,>,rdlen_minus_four,1,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:cve,2017-14496; reference:url,security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html; classtype:attempted-admin; sid:44482; rev:2;)
# alert udp any any -> $HOME_NET 53 (msg:"PROTOCOL-DNS dnsmasq overly large DNS query denial of service attempt"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; dsize:>512; metadata:service dns; reference:cve,2017-13704; reference:url,security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html; classtype:attempted-dos; sid:44479; rev:2;)
# alert udp any any -> $HOME_NET 53 (msg:"PROTOCOL-DNS dnsmasq add_pseudoheader memory leak attempt"; flow:to_server,no_stream; content:"|08 1B|"; depth:2; offset:2; fast_pattern; content:"|00 00 29|"; within:3; distance:8; detection_filter:track by_dst, count 50, seconds 1; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:cve,2017-14495; reference:url,security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html; classtype:attempted-dos; sid:44478; rev:3;)
# alert udp any any -> $HOME_NET 53 (msg:"PROTOCOL-DNS dnsmasq add_pseudoheader memory leak attempt"; flow:to_server; content:"|20 00 01|"; depth:3; offset:3; content:"|01 00 00 29 10|"; depth:5; offset:11; detection_filter:track by_dst, count 10, seconds 1; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:cve,2017-14495; reference:url,security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html; classtype:attempted-dos; sid:47881; rev:1;)