I see that there was a recent inquiry about DNS monitoring to the
community, but I'm not sure if that was related to the current
CVE-2020-1350 being discussed on many security threats and
announcements. Is there a way for the Zeek DNS monitoring to detect
this, or has anyone built a script to enhance monitoring to detect the
types of queries that are called out by the reported vulnerability that
needs to be addressed? Thanks in advance for any feedback/input on this
topic.
Hi,
There is a Zeek script for this: https://isc.sans.edu/forums/diary/PATCH+NOW+SIGRed+CVE20201350+Microsoft+DNS+Server+Vulnerability/26356/
On Thu, 16 Jul 2020 at 20:47, Philip Romero <promero@cenic.org> wrote:
We did something slightly different, but the same approach.
It fires a notice with a more descriptive answer into the notice.log.
##! DNS Detections
##! Developed for Léargas by Patrick Kelley
##! 2020-07-16
##! www.leargassecurity.com
##! Identifier="2020-07-15"
##! Iteration="1.0"
##! Description="Detects CVE-2020-1350"
##! Protocol="DNS"
##! CreationDate="2020-07-15"
##! LastUpdate="2020-07-15"

@load base/frameworks/notice

module CVE_2020_1350;

export {
    redef enum Notice::Type += {
        CVE_2020_1350
    };
}

# Raised for answers of a record type Zeek has no dedicated event for; SIG (type 24) is one of them.
event dns_unknown_reply(c: connection, msg: dns_msg, ans: dns_answer)
    {
    # A SIG answer carried in an oversized response is the CVE-2020-1350 pattern.
    if ( c$resp$size > 65000 && ans$qtype == 24 )
        {
        NOTICE([$note=CVE_2020_1350,
                $conn=c,
                $msg=fmt("%s is attempting to exploit %s using CVE-2020-1350. query is %s.", c$id$orig_h, c$id$resp_h, ans),
                $sub="Severity: 9",
                $identifier=cat(c$id$orig_h)]);
        }
    }
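As an added example (not from this thread, and not Léargas or Corelight code), the same heuristic the script above applies live, a SIG (qtype 24) answer inside a response of more than 65000 bytes, can be run after the fact over Zeek's dns.log and conn.log by joining the two logs on uid. conn.log's resp_bytes is the counterpart of c$resp$size in the script. The function names, the parser and the sample log lines are all constructed for this illustration; the sample logs use a reduced #fields set, which the parser handles because it reads the header rather than assuming column positions.

```python
"""Offline check for the CVE-2020-1350 pattern in Zeek logs (added example).
Flags DNS transactions whose query type is SIG (24) and whose responder sent
more than 65000 bytes, by joining dns.log and conn.log on uid."""

RESP_SIZE_THRESHOLD = 65000   # same byte threshold the Zeek script uses
SIG_QTYPE = 24                # DNS SIG record type, the type abused by CVE-2020-1350


def parse_zeek_tsv(text):
    """Minimal Zeek TSV log parser: takes column names from the #fields
    directive, ignores other # directives, returns one dict per record."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            if line.startswith("#fields"):
                fields = line.split("\t")[1:]
            continue
        if fields is None:
            raise ValueError("record encountered before #fields header")
        records.append(dict(zip(fields, line.split("\t"))))
    return records


def find_suspect_responses(dns_log, conn_log, threshold=RESP_SIZE_THRESHOLD):
    """Return (uid, orig_h, resp_h, resp_bytes) for each DNS transaction with a
    SIG query type whose responder sent more than `threshold` bytes."""
    resp_bytes_by_uid = {}
    for conn in parse_zeek_tsv(conn_log):
        if conn["resp_bytes"] != "-":          # Zeek writes "-" for unset fields
            resp_bytes_by_uid[conn["uid"]] = int(conn["resp_bytes"])

    hits = []
    for rec in parse_zeek_tsv(dns_log):
        if rec["qtype"] == "-" or int(rec["qtype"]) != SIG_QTYPE:
            continue
        size = resp_bytes_by_uid.get(rec["uid"], 0)
        if size > threshold:
            hits.append((rec["uid"], rec["id.orig_h"], rec["id.resp_h"], size))
    return hits


def _tsv(rows):
    return "\n".join("\t".join(r) for r in rows) + "\n"


# Constructed sample logs (reduced #fields set; uids and addresses are made up).
SAMPLE_DNS_LOG = _tsv([
    ["#separator \\x09"],
    ["#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
     "proto", "query", "qtype", "qtype_name"],
    ["1594922400.1", "Cuid1", "10.0.0.5", "53211", "203.0.113.7", "53", "tcp", "example.test", "24", "SIG"],
    ["1594922401.2", "Cuid2", "10.0.0.5", "53212", "198.51.100.2", "53", "udp", "example.test", "24", "SIG"],
    ["1594922402.3", "Cuid3", "10.0.0.5", "53213", "203.0.113.7", "53", "tcp", "big.example.test", "1", "A"],
])

SAMPLE_CONN_LOG = _tsv([
    ["#separator \\x09"],
    ["#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
     "proto", "orig_bytes", "resp_bytes"],
    ["1594922400.1", "Cuid1", "10.0.0.5", "53211", "203.0.113.7", "53", "tcp", "45", "70000"],   # SIG, oversized: hit
    ["1594922401.2", "Cuid2", "10.0.0.5", "53212", "198.51.100.2", "53", "udp", "45", "512"],    # SIG, normal size
    ["1594922402.3", "Cuid3", "10.0.0.5", "53213", "203.0.113.7", "53", "tcp", "49", "80000"],   # oversized but not SIG
])


if __name__ == "__main__":
    for uid, orig, resp, size in find_suspect_responses(SAMPLE_DNS_LOG, SAMPLE_CONN_LOG):
        print(f"{uid}: {orig} -> {resp} SIG answer in {size}-byte response")
```

Only Cuid1 matches: the second transaction is a SIG query with a normal-sized response, and the third is oversized but for an A record. Raising or lowering the threshold is a one-constant change; the join on uid is what keeps the check tied to the actual response size rather than to the query alone.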
Ben Reardon also posted what may be more complete than the snippet (but still open for improvements):
https://github.com/corelight/SIGRed
-s