CVE-2020-1350 Detection Inquiry

I see that there was a recent inquiry about DNS monitoring to the
community, but I'm not sure if that was related to the current
CVE-2020-1350 being discussed in many security threat reports and
announcements. Is there a way for the Zeek DNS monitoring to detect
this, or has anyone built a script to enhance monitoring to detect the
types of queries that are called out by the reported vulnerability that
needs to be addressed? Thanks in advance for any feedback/input on this.


There is a Zeek script for this:

On Thu, 16 Jul 2020 at 20:47, Philip Romero <> wrote:

We did something slightly different, but the same approach.

Fires a notice with a bit more of a descriptive answer into the notice.log.

##! DNS Detections
##! Developed for Léargas by Patrick Kelley
##! 2020-07-16

##! Identifier="2020-07-15"
##! Iteration="1.0"
##! Description="Detects CVE-2020-1350"
##! Protocol="DNS"
##! CreationDate="2020-07-15"
##! LastUpdate="2020-07-15"

@load base/frameworks/notice

module CVE_2020_1350;

export {
        redef enum Notice::Type += {
                ## Raised when a DNS reply carries a SIG (qtype 24) record inside
                ## an oversized response. The notice name is assumed here; the
                ## posted snippet was cut off before it.
                Exploit_Attempt
        };
}

# Zeek has no dedicated handler for SIG records, so they arrive via dns_unknown_reply.
event dns_unknown_reply(c: connection, msg: dns_msg, ans: dns_answer)
        {
        # qtype 24 is SIG; c$resp$size is the byte count sent by the responder so far
        if ( c$resp$size > 65000 && ans$qtype == 24 )
                {
                NOTICE([$note=Exploit_Attempt,
                        $msg=fmt("%s is attempting to exploit %s using CVE-2020-1350. query is %s.",
                                 c$id$orig_h, c$id$resp_h, ans),
                        $sub="Severity: 9",
                        $conn=c,
                        $identifier=cat(c$id$orig_h, c$id$resp_h)]);
                }
        }

Ben Reardon also posted what may be more complete than the snippet (but still open for improvements):
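The same two indicators the Zeek snippet keys on, a SIG (type 24) record in a DNS response close to the 64 KB DNS-over-TCP limit, checked over a single TCP-framed DNS message in Python. This is an added example, not code from this thread or from Zeek; the 65000-byte threshold and record type come from the snippet above, it measures one message rather than the connection's responder byte count, and the sample messages are constructed.

```python
import struct

SIG_TYPE = 24            # RR type SIG (RFC 2535), the record type CVE-2020-1350 involves
SIZE_THRESHOLD = 65000   # same byte threshold the Zeek snippet uses


def _skip_name(buf: bytes, off: int) -> int:
    """Advance past a wire-format name, honouring a trailing compression pointer."""
    while True:
        length = buf[off]
        if length == 0:                 # root label ends the name
            return off + 1
        if length & 0xC0 == 0xC0:       # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def sigred_indicators(tcp_payload: bytes) -> tuple:
    """Return (message_length, sig_record_count) for one DNS-over-TCP message.
    tcp_payload starts with the 2-byte length prefix from RFC 1035 section 4.2.2."""
    (msg_len,) = struct.unpack("!H", tcp_payload[:2])
    msg = tcp_payload[2:2 + msg_len]
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    sig_count = 0
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == SIG_TYPE:
            sig_count += 1
    return msg_len, sig_count


def is_suspicious(tcp_payload: bytes) -> bool:
    """Oversized reply carrying at least one SIG record: worth a notice."""
    size, sigs = sigred_indicators(tcp_payload)
    return size > SIZE_THRESHOLD and sigs > 0


def build_sample(rdata_len: int) -> bytes:
    """Constructed sample: a reply with one SIG answer of rdata_len bytes of RDATA."""
    name = b"\x07example\x03com\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = name + struct.pack("!HH", SIG_TYPE, 1)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", SIG_TYPE, 1, 300, rdata_len) + b"\x00" * rdata_len
    msg = header + question + rr
    return struct.pack("!H", len(msg)) + msg   # 2-byte TCP length prefix
```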